BREAD FINANCIAL HOLDINGS, INC. (BFH) Business

Item 1.    Business.

We are a tech-forward financial services company that provides simple, personalized payment, lending, and saving solutions to millions of U.S. consumers. Our payment solutions, including Bread Financial general purpose credit cards and savings products, empower our customers and their passions for a better life. Additionally, we deliver growth for some of the most recognized brands in travel and entertainment, health and beauty, jewelry and specialty apparel through our private label and co-brand credit cards and pay-over-time products providing choice and value to our shared customers.

We have continued to diversify our product mix with our brand partners through growth of our co-brand credit card programs, which, relative to our private label credit card programs, have higher credit sales per account and an improved credit risk mix that generally results in higher transactor balances, lower delinquencies and late fees, as well as lower losses. We also offer our proprietary credit cards along with the expansion of our Bread Pay products, which are our installment loans and “split-pay” offerings.

Our partner base consists of large consumer-based businesses, including well-known brands such as (alphabetically) AAA, Academy Sports + Outdoors, Caesars, Dell Technologies, Hard Rock International, the NFL, Raymour & Flanigan, Saks Fifth Avenue, Signet, Ulta and Victoria’s Secret, as well as small- and medium-sized businesses (SMBs). Our partner base is well diversified across a broad range of industries and retail verticals, including travel and entertainment, specialty apparel, health and beauty, jewelry, sporting goods, technology and electronics, as well as home and furniture. We believe our comprehensive suite of payment, lending and saving solutions, along with our related marketing and data and analytics, offers us a significant competitive advantage with products relevant across all customer segments (Gen Z, Millennial, Gen X and Baby Boomers). The breadth and quality of our product and service offerings, coupled with our customer-centric approach, have enabled us to establish and maintain long-standing partner relationships. We operate our business through a single reportable segment, with our primary source of revenue being from Interest and fees on loans from our various credit card and other loan products, and to a lesser extent from contractual relationships with our brand partners.

With our range of offerings, we provide relevant products across consumer segments, including Gen Z and Millennials who are more likely to be drawn to cash flow management products such as our pay-over-time installment loans and “split-pay” offerings as compared to Gen X and Baby Boomers, while Gen X and Baby Boomers generally gravitate more toward rewards and the convenience of a co-brand or private label credit card. In addition, we continue to scale and optimize our direct-to-consumer lending, payment and saving products for new and existing customers, including through our proprietary credit cards and Bread Savings products. We also continue to diversify and optimize our loan portfolio, prioritizing our investment in strong and profitable partners, industries and affinity brands, while continuing to develop our Bread Pay products, which are our installment loans and “split-pay” offerings, and exploring various strategic business opportunities adjacent to our core co-brand and private label credit card business (business adjacencies) in an evolving payments, macroeconomic and regulatory environment. As of December 31, 2025, we had $18.8 billion in Credit card and other loans from approximately 34 million open and outstanding accounts, with an average balance for the year ended December 31, 2025 of $1,047 for accounts with outstanding balances.

Our Primary Product Offerings

Our primary product offerings consist of our: (i) co-brand and private label credit card programs with retailers and other brand partners; (ii) direct-to-consumer (DTC), proprietary general purpose credit cards; (iii) Bread Pay products; and (iv) Bread Savings products. These product offerings are not exclusive, and, where appropriate, we seek to introduce partners and customers to our other product offerings.

Co-Brand and Private Label Credit Card Lending

Our core business is working with many of the country’s best-known brands and retailers (who we call our partners or brand partners) to drive sales and loyalty through their co-brand and private label credit card programs. In these programs, we (through our Banks) are the credit card issuer and lender to our partners’ customers, and we also service the loans and provide a variety of other related services, which are described in more detail below. Our co-brand and private label partner base, with nearly 100 brands and numerous online merchants, consists of many large consumer-based businesses, including well-known brands such as (alphabetically) AAA, Academy Sports + Outdoors, Caesars, Dell Technologies, Hard Rock International, the NFL, Raymour & Flanigan, Saks Fifth Avenue, Signet, Ulta and Victoria’s Secret. Our partners benefit from our customer insights and analytics, with each of our branded credit card programs tailored to our partner’s brand and

3

Table of Contents

their unique customers. Our co-brand and private label program agreements with our brand partners are generally long-term, exclusive contracts, with terms typically ranging from 5 to 10 years.

Our co-brand credit cards are general purpose credit cards that can be used to purchase goods and services from the applicable partner, as well as any other retailers wherever cards from the named card network (American Express, MasterCard or Visa) are accepted. Credit extended under our co-brand credit cards is typically on standard terms only. Charges made using a co-brand credit card, particularly charges made outside of the co-brand partner, generate interchange revenue for us. Relative to our private label loan portfolio, our co-brand loan portfolio generally has lower revenue yields. In addition, our co-brand customers generally have higher credit scores and therefore higher credit lines, with the majority of our co-brand customers having a Vantage score in excess of 660. Our average outstanding co-brand credit card account balance for the year ended December 31, 2025 was $1,821. For the year ended December 31, 2025, customer spending on our co-brand credit cards comprised approximately 52% of our credit sales, which we believe enables us to capture incremental and non-discretionary purchases as consumer spending patterns shift in response to evolving economic conditions.

Private label credit cards are partner-branded credit cards used by consumers exclusively for the purchase of goods and services from that particular partner. Credit under a private label credit card typically is extended either on standard terms, which means accounts are assessed periodic interest charges using an agreed non-promotional fixed and/or variable interest rate, or pursuant to a promotional financing offer, involving deferred interest, reduced interest or no interest during a set promotional period (typically between six and 60 months). We typically do not charge interchange or other fees to our partners when customers use our private label credit cards to purchase our partners’ goods and services. For the year ended December 31, 2025, customer spending on our private label credit cards comprised approximately 43% of our credit sales. Private label credit card loan balances are typically smaller, with an average outstanding account balance for the year ended December 31, 2025 of $775; although, we do offer “big ticket” purchase financing and financing for medical and dental procedures with certain private label brand partners, which often involve larger amounts. Relative to our co-brand loan portfolio, our private label loan portfolio generally has higher revenue yields. In addition, our private label customers generally have lower credit scores and therefore lower credit lines, and are generally more likely to be delinquent in their payments, have accounts with higher annual percentage rates (APRs) and have more late fees assessed.

We offer deferred interest rate, as well as low or no interest rate promotional financing to customers in certain of our brand partner programs; in some of these programs, we charge an initial fee to customers entering into promotional plan financing arrangements. In both our co-brand and private label partner relationships, we receive a merchant discount fee from our partners to compensate us for all or part of the forgone interest income associated with promotional financing. The terms of these promotions vary by partner, but generally the longer the deferred interest, reduced interest or interest-free period, the greater the partner’s merchant discount fee. Some offers permit customers to pay for a purchase in equal monthly payments with no interest or at a reduced interest rate over a specified period of time, rather than deferring or delaying interest charges. Our credit card program agreements may also provide for royalty payments, or retailer share arrangements, to our brand partners based on purchase volume or if certain contractual incentives are met, such as if the economic performance of the program exceeds a contractually defined threshold, or for new accounts acquired. These amounts are recorded as a reduction of revenue in the period incurred.

In addition to the retailer share arrangements, our program agreements typically provide that the parties will develop a marketing plan to support the program, along with the terms by which a joint marketing budget is funded. Marketing costs for which we are responsible under the plan are expensed as incurred. Our program agreements also typically provide that the parties will develop the terms of the rewards program linked to the use of our product, such as opportunities to receive double rewards points for purchases made on a product, along with the allocation of costs between the parties related to the rewards program. The credit card programs we operate typically provide rewards points, which are redeemable for a variety of products or awards, or merchandise discounts earned by the customer having achieved a preset spending level. Other programs may include cash back rewards or statement credits. The rewards can be mailed to the cardholder, accessed digitally, or may be immediately redeemable at the partner’s retail location. Costs of cardholder rewards arrangements are recognized when the rewards are earned by the cardholders and are generally recorded as a reduction of revenue.

As a general matter, the financial terms and conditions governing our co-brand and private label credit card products vary by program and product type and may change over time; although, we seek to standardize the non-financial provisions consistently across all products to the extent possible. The terms and conditions of all of our credit card products are governed by a cardholder agreement and applicable laws and regulations. We assign each credit card account a credit limit when the account is initially opened by the customer. Thereafter, we may increase or decrease individual credit limits from time to time, at our sole discretion, based primarily on our evaluation of the customer’s creditworthiness and ability to pay.

4

Table of Contents

For the vast majority of accounts, periodic interest charges are calculated using the daily balance method, which results in daily compounding of periodic interest charges. Cash advances are not subject to an interest grace period, and for some credit card programs we do not provide an interest grace period for promotional purchases. In addition to periodic interest charges, we may impose other charges and fees on credit card accounts, including, as applicable and provided in the cardholder agreement, late fees where a customer has not paid at least the minimum payment due by the required due date, as well as paper statement fees, which we charge on certain credit card accounts receiving monthly paper statements for certain of our brand partner programs. Typically, each customer with an outstanding amount due on his or her credit card account must make a minimum payment each month; a customer may pay the total amount due at any time without penalty. We also may enter into arrangements with delinquent customers to modify their payments and/or waive or reduce interest charges and/or fees; we do not offer programs involving the forgiveness of principal. We make it easier for customers to make payments by offering recurring automatic payment functionality, as well as other electronic payment methods on all cardholder accounts.

Our program agreements generally permit termination in various circumstances, including a breach of the agreement or in the event the brand partner becomes insolvent, files bankruptcy, undergoes a change in ownership or has a material adverse change in financial condition. Certain of our program agreements also provide that upon termination, the brand partner has either the option or the obligation to purchase the loans generated with respect to its program. Correspondingly, in certain cases when we acquire a new brand partner, we purchase its existing credit card loan portfolio, if any, from either the brand partner or the operator of its prior card program.

Direct-to-Consumer Credit Cards

Our DTC, proprietary general purpose credit cards consist of our Bread Cashback American Express Credit Card and our Bread Rewards American Express Credit Card. Our DTC credit cards are an important component of our overall product offerings and allow us to capture incremental, often non-discretionary spend and build and retain customer relationships. As a DTC product, our proprietary credit cards are not dependent upon the performance of our brand partners or impacted by any partner revenue-sharing obligations. We believe that our DTC credit cards will continue to increase our total addressable market, including within the Millennial and Gen Z customer segments. Our Bread Cashback American Express Credit Card offers unlimited 2% cashback, no annual fee, no foreign transaction fees, premium protection benefits, American Express lifestyle benefits, and instant mobile acquisition and web-to-wallet provisioning for use anywhere ApplePay is accepted. Our Bread Rewards American Express Credit Card offers 3% rewards points on gas station, grocery store, dining and utility purchases, among other benefits, as well as instant mobile acquisition and web-to-wallet provisioning for use anywhere ApplePay is accepted. We currently issue our DTC credit cards on the American Express network. Our average outstanding DTC credit card account balance for the year ended December 31, 2025 was $2,295.

Bread Pay

Bread Pay is our payment technology solution for our pay-over-time products, which includes both our installment loan and “split-pay” offerings, as described in more detail below. Through Bread Pay, we offer an omnichannel solution for more than 1,400 SMB retailers and merchants, and we continue to explore and pursue growth opportunities in various business adjacencies, including through the integration of our suite of Bread Pay products into third-party platforms to gain efficient distribution of our lending solutions.

Our Bread Pay offerings and on-boarding capabilities enhance our growth prospects across the industries in which we lend and increase the addressable market of our Bread Pay partners. Bread Pay also offers our existing co-brand and private label credit card partners a broader digital product suite and additional white-label product solutions for those customers preferring a non-revolving loan with fixed repayment terms such as our installment loan and “split-pay” offerings. We offer a flexible platform and robust suite of application programming interfaces (APIs) that allow merchants and partners to seamlessly integrate online point-of-sale financing and other digital payment products.

Our Bread Pay installment loans are fixed extensions of credit where the customer pays down the outstanding balance in monthly installments, primarily over a 3 to 84 month period. The terms and conditions of all of our installment loan products are governed by a customer agreement and applicable laws and regulations. Installment loans are generally assessed interest charges over the term of the loan using fixed interest rates. In addition to periodic interest charges, for certain of our installment loans, we may impose other charges and fees, including late fees, as set forth in the applicable customer agreement. Most of our installment loans are offered through contractual agreements with our Bread Pay partners and may include additional fees paid by the partner, particularly where the installment loan carries a below-market interest rate.

5

Table of Contents

Our Bread Pay “split-pay” loans are short-term, interest-free financing, to be repaid by the customer in four equal installments, with the first payment due at the time of purchase and the remaining three payments due in subsequent two-week intervals. The terms and conditions of all of our split-pay loan products are governed by a customer agreement and applicable laws and regulations. For certain of our “split pay” loans, we may impose other charges and fees, including late fees, as set forth in the applicable customer agreement.

Bread Savings

Bread Savings refers to our DTC, or retail, deposit products, primarily in the form of certificates of deposit and high-yield savings accounts, including traditional and Roth Individual Retirement Accounts. Our Bread Savings products support loan growth and improve our funding mix diversification. In recent years, retail deposits have become an increasingly important source of funds for us, growing 11% from $7.7 billion as of December 31, 2024 to $8.5 billion as of December 31, 2025. As of December 31, 2025, average retail deposits represented 48% of our total funding sources, which is comprised of retail and wholesale deposits, and secured and unsecured borrowings. As of that same date, retail deposits that exceeded applicable Federal Deposit Insurance Corporation (FDIC) insurance limits, which are generally $250,000 per depositor, per insured bank, per ownership category, were estimated to be $638 million, or 5% of Total deposits. The measurement of estimated uninsured deposits aligns with regulatory guidelines.

Our online Bread Savings platform is scalable, allowing us to expand without having to rely on a traditional “brick and mortar” branch network. We continue to focus on growing our Bread Savings operations and believe we are well-positioned to continue to benefit from the consumer-driven shift from branch banking to direct banking. We seek to differentiate our deposit product offerings from our competitors on the basis of rates we pay on deposits, the quality of our customer service and the competitiveness of our digital banking capabilities.

Services Supporting our Primary Product Offerings

Our primary product offerings, as described above, are supported and enhanced by numerous services and capabilities that we provide, including: (i) risk management, underwriting and funding services; (ii) credit card and other loan processing and servicing; (iii) fraud prevention; (iv) marketing, and data and analytics; and (v) our digital and mobile capabilities.

Risk Management, Underwriting and Funding Services. We provide risk management solutions, underwriting and funding services for our co-brand, private label, and DTC credit card programs, as well as our Bread Pay partnerships.

We process millions of credit card applications each year using internal algorithms, external credit bureau data and automated proprietary scoring technology to make responsible risk-based underwriting decisions when approving new accounts and establishing credit limits. Credit quality is monitored on a regular and consistent basis. This information helps us adjust our strategies when required to better evaluate individual credit risk. We continue to enhance our credit risk management by evaluating and investing in new technology and advancing our data and modeling capabilities, including through the potential use of deep learning and AI tools. Doing so allows us to navigate changing macroeconomic conditions and stay within our well-established risk appetite.

Credit Card and Other Loan Processing and Servicing. We manage and service the accounts we originate for our co-brand and private label credit card programs, as well as our DTC credit cards and Bread Pay products. Since 2022, Fiserv, a leading global provider of outsourced payments and financial services technology solutions, has provided our core credit card processing services, which has helped us enable improved speed to market, including the ability to quickly and seamlessly add new products and capabilities that benefit our partners and cardholders. It has also strengthened our ability to ensure we are operating on a compliant core platform, and enables efficient integration of digital technology, while supporting our data and analytics capabilities and improving operational efficiencies. See also “—Technology/Systems” below for additional information regarding our approach toward the systems and technologies we use in the operation of our business.

Our customer care operations are influenced by our retail heritage, and we view every customer touch point as an opportunity to provide an exceptional experience. Our customer care operations offer omnichannel servicing, including through phone, mail, email, text, smartphone application and the web. We blend domestic and off-shore locations as an important part of our servicing strategy, to maintain service availability beyond typical work hours in the United States and to optimize our cost structure. We provide focused training programs in all areas, and have developed an AI powered knowledge management solution for our customer care associates, in order to achieve the highest possible customer service standards and customer experience. We monitor our performance by conducting surveys with our partners and our

6

Table of Contents

customers and in our 2025 survey, conducted by Medallia, Inc., we have received a Net Promoter Score of 54.5; survey results above 50 are considered excellent or superior by industry standards. In addition, in 2025 for the twentieth consecutive time, we were certified by BenchmarkPortal as a Center of Excellence for the quality of our operations, the most prestigious customer care industry ranking attainable. Founded by Purdue University in 1995, BenchmarkPortal is a global leader of best practices for customer care centers.

Our efforts to collect on delinquent accounts are made first by our collection department. After an account becomes 30 days past due, a proprietary collection scoring algorithm automatically scores the risk of the account becoming further delinquent; based upon the level of risk indicated, a collection strategy is deployed, which may include tech-enabled, targeted collections strategies to engage with cardholders in the most efficient communication channel. If after exhausting all in-house collection efforts we are unable to collect on the account, we may engage collection agencies or outside attorneys to continue those efforts, or sell the charged-off balances.

Fraud Prevention. We monitor our customers’ accounts to help prevent, detect, investigate and resolve fraud across the various products we offer. We employ a variety of fraud mitigation controls during the lifecycle of accounts, including capabilities related to account acquisition, transaction processing and account management. We use proprietary custom fraud models developed by our data scientists, together with externally-sourced scores and solutions used across the industry, to seek to identify fraud and protect our stakeholders, including our customers and brand partners. We leverage device intelligence technology to risk-assess digital applications and online servicing channels, and we subject monetary transactions to authorization and approval scrutiny through a variety of techniques designed to help identify and halt fraudulent transactions, including machine-learning models, rules-based decision-making logic, report analysis, data integrity checks and manual account reviews. We have a cross-functional team of risk, fraud and security professionals that regularly evaluate and enhance our fraud-prevention capabilities and monitor emerging industry trends and solutions.

Marketing, and Data and Analytics. Through our integrated marketing programs and campaigns, we design and implement strategies that assist our partners in acquiring, retaining and expanding customer engagement to drive a more loyal, frequent shopper that increases customer lifetime value. Our programs capture transaction data that we analyze to better understand consumer behavior, which we use to increase the effectiveness of both our and our partners’ marketing activities. Through our marketing technology, data and analytics capabilities, including the use of machine learning and AI technology, we focus on data insights that drive actionable strategies and enhance revenue growth and customer retention. We use multi-channel marketing platforms and capabilities, including in-store, web, permission-based email, permission-based mobile messaging and direct mail to engage customers in the channels of their choice.

Digital and Mobile Capabilities. We are constantly seeking to improve our digital and mobile capabilities, in order to support and enhance our product offerings, drive growth for our brand partners and improve the customer experience. We seek to provide a seamless, personalized digital and mobile experience that is responsive to our customers’ evolving expectations. Recent improvements to our digital and mobile capabilities include API enhancements, enriched software development kits, virtual card commercialization, and our enhanced, fully integrated Bread Financial mobile app. We are continually seeking to enhance customers’ self-service capabilities in our digital channels, which allow customers to address their needs when and how they want, while also generating efficiencies by reducing the cost to serve our customers.

In addition, through our Enhanced Digital Suite, a group of marketing and credit application features, we help our brand partners capitalize on online trends by bringing through more qualified applicants, a higher credit sales conversion rate and a higher average purchase value. Enhanced Digital Suite includes a unified software development kit that provides access to our broad suite of products; it also promotes credit payment options, relevant to the customer, earlier in the shopping experience. The credit application is simple and easy, offers prefilled fields and prescreens customers in real-time, allowing for immediate credit approval without leaving the brand partner’s site, thereby improving the customer’s shopping experience and our brand partner’s checkout conversion rate. Across all product offerings, we remain focused on creating an exceptional digital and mobile experience for our customers, which we believe improves our competitive position and drives future growth.

For additional information relating to our business, business strategy and products and services, see “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations – Business Environment.”

7

Table of Contents

Technology/Systems

We leverage information and technology to help achieve our business objectives and to develop and deliver products and services that satisfy our brand partners’ and customers’ needs, all while seeking to enhance our governance and control over the availability, quality and security of our data.

A key part of our strategic focus is the development and use of resilient, efficient and flexible computer and operational systems to deliver growth for our brand partners, support sophisticated marketing and account management strategies, service our customers, and develop and scale new and diversified products. We believe the continued development and integration of these systems is an important part of our efforts to reduce costs, improve quality and security, and provide faster, more flexible technology services. Consequently, we continuously review capabilities and develop or acquire systems, processes and competencies to meet our unique business requirements, including strategic investments in cloud capabilities, machine learning and AI, emerging technologies and automation, and data analytics.

As part of our continuous efforts to review and improve our technologies, we may either develop such capabilities internally or use third-party service providers who have the ability to deliver technology that is of higher quality, lower cost, or both. Specifically, we rely on third parties to help us deliver systems and operational infrastructure, these relationships include (but are not limited to): Amazon Web Services and Microsoft for our cloud infrastructure, and Fiserv for our credit card processing services, as previously reported.

We are committed to safeguarding our customers’ and our own information and technology, implementing backup and recovery systems, and generally require the same of our third-party service providers. We take measures that are designed to mitigate against known attacks and use internal and external resources to scan for vulnerabilities in the platforms, systems, and applications necessary for delivering our products and services. We cannot guarantee, however, that our cybersecurity risk management program and processes, or those of our third-party service providers, including our policies, controls or procedures, will be fully implemented, adhered to, or effective in protecting both our customers’ and our own information and technology from cyberattacks. For a discussion of the risks associated with our use of technology systems, see “Part I—Item 1A. Risk Factors” under the heading “Cybersecurity, Technology and Vendor Risks.”

Disaster and Contingency Planning

We operate, either internally or through third-party service providers, multiple data processing centers to store and otherwise process our customer transaction data. Given the significant amount of data that we or our third-party service providers manage, much of which is real-time data to support our partners’ commerce initiatives, we have established redundant capabilities for our data centers. We have a number of safeguards in place that are designed to protect us from data-related risks and in the event of a disaster, to restore our data centers’ systems. For additional information, see “Item 1A. Risk Factors – Risk Management – Operational Risk.”

Protection of Intellectual Property and Other Proprietary Rights

We rely on a combination of patents, copyrights, trademarks, and trade secrets (and corresponding laws relating to such intellectual property), confidentiality procedures, contractual provisions, and other similar measures to protect our technology and proprietary information used in our business. We generally enter into confidentiality agreements with our employees, consultants and third-party business partners to protect our proprietary information. We control access to and distribution of our technology and its related documentation and other proprietary information through licenses and contractual restrictions. Despite our efforts to protect our technology and proprietary rights, unauthorized parties may attempt to copy or otherwise obtain the use of our technology that we consider proprietary, and third parties may attempt to develop similar technology independently. We have a number of domestic and foreign patents and pending patent applications. We pursue protection of our trademarks through registration, primarily in the United States, although we also have either registered trademarks or applications pending for certain marks in other countries. We maintain a trade secret program for certain proprietary intellectual property for which we choose not to seek patent or copyright protection. No individual patent, copyright, or trademark is material to us or our business.

Competition

The markets for our products and services are highly competitive, continuously changing, highly innovative, and subject to regulatory scrutiny and oversight. We compete with a wide range of businesses, including major financial institutions and financial technology firms, or fintechs. Some of our current and potential competitors may be larger than we are, have

8

Table of Contents

larger customer bases, greater brand recognition, longer operating histories, a dominant or more secure position, broader geographic scope, volume, scale, resources, and market share than we do, or offer products and services that we do not offer. Other competitors may be smaller or younger companies that are more agile in responding quickly to regulatory and technological changes. Many of the areas in which we compete evolve rapidly with innovative and disruptive technologies, emerging competitors, business alliances, shifting consumer habits and user needs, price sensitivity on the part of merchants and consumers, and frequent introductions of new products and services. The consumer credit and payments industry is highly competitive and we face an increasingly dynamic industry as emerging technologies enter the marketplace.

In competing to acquire and retain the business of brand partners and customers, our primary competition is with other financial institutions whose marketing focus has been on developing credit card programs with attractive value propositions, high spend and consequentially large revolving balances. These competitors further drive their businesses by cross-selling their other financial products to their cardholders. We also compete for brand partners, including on program financial and other terms, underwriting standards and capabilities, marketing expertise, service levels, the breadth of our product and service offerings, digital, technological and integration capabilities, brand recognition and reputation. We focus on retailers and brand partners that understand the competitive advantage of building a loyal customer base. We have a long history of effectively analyzing transaction data we obtain through partner loyalty programs and managing our lending programs, including customer specific transaction data and overall consumer spending patterns, to develop and implement successful marketing strategies for our partners.

As a form of payment, our customers have numerous consumer credit and other payment options available to them, and our products compete with cash, checks, electronic bank transfers, debit cards, general purpose credit cards (including those on the Visa, MasterCard, American Express and Discover Card networks), various forms of consumer installment loans and split-pay products, other private label credit card brands, prepaid cards, digital wallets and mobile payment solutions, and other tools that simplify and personalize shopping experiences for consumers and merchants. Among other factors, our products compete with these other forms of payment on the basis of interest rates and fees, credit limits, reward programs and other product features. As the payments industry continues to evolve, in the future we expect increasing competition from new and non-traditional competitors, such as fintechs, and with respect to new products, services and technologies, such as the emergence or increase in popularity of agentic commerce (in which autonomous AI agents initiate and execute transactions on behalf of users), digital payment platforms and currencies, including stablecoins, and other alternative payment and deposit solutions. For example, in July 2025, President Trump signed the Guiding and Establishing National Innovation for U.S. Stablecoins Act, or the “GENIUS Act,” into law, establishing a federal licensing and supervisory framework for payment stablecoins and their issuers. The GENIUS Act may accelerate and increase the competition that non-traditional financial institutions pose to banks’ payment services, as well as adverse impacts to our deposit business and the value proposition of our customer loyalty and rewards programs. To the extent the use of stablecoins matures, stablecoins could achieve broad adoption through regulated issuance by traditional banks, fintechs and other market entrants, as well as being integrated in closed loop systems operated by large digital ecosystems and platforms. Moreover, some of our competitors, including new and emerging competitors in the digital and mobile payments space, are not subject to the same regulatory requirements or legislative scrutiny to which we are, which could place us at a competitive disadvantage.

In our retail deposits business, we have acquisition and servicing capabilities similar to other direct-banking competitors. We compete for deposits with traditional banks, and in seeking to grow our Bread Savings platform, we compete with other banks that have direct-banking models similar to ours. Competition among direct banks is intense because online banking provides customers the ability to quickly and easily deposit and withdraw funds, and open and close accounts in favor of products and services offered by competitors. As noted above, to the extent the use of stablecoins matures, stablecoins may also serve as an alternative to traditional deposits.

Supervision and Regulation

We operate primarily through our insured depository institution subsidiaries, Comenity Bank (CB) and Comenity Capital Bank (CCB), which, as noted above, together are referred to herein as the “Banks.” Federal and state laws and regulations extensively regulate the operations of the Banks. This regulatory framework is intended to protect individual consumers, depositors, the Deposit Insurance Fund (DIF) of the FDIC and the U.S. banking system as a whole, rather than for the protection of stockholders and creditors. Set forth below is a summary of the significant laws and regulations applicable to each of CB and CCB. The description that follows is qualified in its entirety by reference to the full text of the statutes, regulations, and supervisory policies that are described. Such statutes, regulations, and supervisory policies are subject to ongoing review by Congress, state legislatures, and federal and state regulatory agencies. A change in any of the statutes,

9

Table of Contents

regulations, or supervisory policies applicable to CB and/or CCB, or in the leadership or direction of our regulators, could have a material effect on our operations or financial condition. Further, while the current Presidential Administration and the congressional majorities in the U.S. Senate and House of Representatives support a reduced regulatory burden, the scope of regulation and the intensity of supervision will likely remain uncertain even in the current regulatory and political environments.

CB is a Delaware-chartered bank operating as a credit card bank under a Competitive Equality Banking Act (CEBA) exemption from the definition of “bank” under the Bank Holding Company Act (BHC Act). To maintain its status as a CEBA credit card bank, CB must continue to comply with the following requirements:

•engage only in credit card operations;

•do not accept demand deposits or deposits that the depositor may withdraw by check or similar means for payment to third parties;

•do not accept any savings or time deposits of less than $100,000, except for deposits pledged as collateral for its extensions of credit;

•maintain only one office that accepts deposits; and

•do not engage in the business of making commercial loans (except credit card loans to certain small businesses).

CB is subject to prudential regulation, supervision and examination by the Delaware Office of the State Bank Commissioner, as its chartering authority, and the FDIC as its primary federal regulator. CB’s deposits are insured by the FDIC up to the applicable deposit insurance limits in accordance with applicable law and FDIC regulations. CB is not a member of the Federal Reserve System.

CCB is a Utah-chartered industrial bank. As an industrial bank, CCB is exempt from the definition of “bank” under the BHC Act. CCB is subject to prudential regulation, supervision and examination by the Utah Department of Financial Institutions (UDFI), as its chartering authority, and the FDIC as its primary federal regulator. CCB’s deposits are insured by the FDIC up to the applicable deposit insurance limits in accordance with applicable law and FDIC regulations. CCB is not a member of the Federal Reserve System.

Planned Merger of CB with and into CCB

On December 17, 2025, we filed applications with the federal and respective state banking regulators for permission to merge CB with and into CCB, with CCB being the surviving entity. Pending regulatory approval and the expiration of any applicable waiting periods, the merger of CB and CCB is expected to occur in the second half of 2026. The proposed merger is designed to streamline and reduce the regulatory complexity of our banking operations and is expected to result in a number of operational and financial benefits, including a simplified regulatory framework, improved access to the retail deposit funding market, greater flexibility in managing our securitization activities, and other liquidity and capital risk management benefits. The merger is not expected to have a significant impact on our consolidated financial position, results of operations, or liquidity. Assuming the merger is consummated, the resulting bank, CCB, would remain headquartered in Draper, Utah, and would have total assets of approximately $21.4 billion, total deposits of approximately $14.1 billion, and Tier I capital of $2.8 billion, in each case as of December 31, 2025, on a pro forma basis. The resulting bank would be a Utah-chartered industrial bank that is not a member of the Federal Reserve System. We cannot provide any assurance that the merger will be approved, or that we will be successful in realizing the expected operational and financial benefits of the merger.

Consumer Financial Protection Bureau Supervision

The Consumer Financial Protection Bureau (CFPB) promulgates regulations for the federal consumer financial protection laws and supervises and examines large banks (those with more than $10 billion of total assets) with respect to those laws. Banks in a multi-bank organization, such as CB and CCB, are subject to supervision and examination by the CFPB with respect to the federal consumer financial protection laws if at least one bank reports total assets over $10 billion for four consecutive quarters, which CCB has, and thus both Banks are subject to supervision and examination by the CFPB with respect to federal consumer protection laws.

Regulation of Bread Financial Holdings, Inc.

Because neither CB nor CCB is considered a “bank” within the meaning of the BHC Act, the Parent Company is not a bank holding company (BHC) subject to regulation thereunder. If any of our entities became subject to regulation as a

10

Table of Contents

BHC, among other things, BFH and our non-bank subsidiaries would be subject to regulation, supervision and examination by the Board of Governors of the Federal Reserve System (Federal Reserve Board or FRB) and our operations would be limited to activities that are closely related to banking. If the Parent Company were to qualify as a financial holding company (FHC), operations could include those activities that are financial in nature. However, under Section 616 of the Dodd-Frank Act, any company that directly or indirectly controls an insured depository institution is required to serve as a source of financial strength to its subsidiary institution and may not conduct its operations in an unsafe or unsound manner. This doctrine is commonly known as the “Source of Strength” doctrine. As such a company, this means that BFH must stand ready to use available resources to provide adequate capital funds to the Banks during periods of financial stress or adversity and should maintain the financial flexibility and capital-raising capacity to obtain additional funding resources to support the Banks. This support may be required at times when BFH might otherwise have determined not to provide it or when doing so is not otherwise in the interests of BFH or its stockholders or creditors. BFH’s failure to meet its obligation to serve as a source of strength to the Banks may be considered an unsafe and unsound banking practice. In that regard, although the Parent Company is not a BHC, we seek to maintain capital levels and ratios in excess of the minimums required for a BHC.

Separately, under Utah state law the Parent Company is subject to examination by the UDFI. Under that statutory authority, the UDFI subjects the Parent Company to periodic inspections to determine the degree to which it serves as source of financial and managerial strength to CCB, and to understand the business activities conducted outside CCB.

Regulation of the Banks

Federal and state banking laws and regulations govern, among other things, the scope of a bank’s business, the investments a bank may make, the reserves against deposits a bank must maintain, the loans a bank makes and collateral it takes, the activities of a bank with respect to mergers and acquisitions, management practices, and numerous other aspects of our operations.

Examinations by regulators consider not only compliance with applicable laws, regulations, and supervisory policies of the agency, but also capital levels, asset quality, risk management effectiveness, the ability and performance of management and the board of directors, the effectiveness of internal controls, earnings, liquidity, and various other factors. Following examinations by its bank regulators, the Banks receive supervisory findings and ultimately are assigned supervisory ratings. Examination reports, supervisory ratings, and other actions under this supervisory framework, which are considered confidential supervisory information, can impact the conduct, growth, and profitability of our operations, possibly to a significant degree.

Regulatory Capital Requirements

The Banks are subject to certain risk-based capital and leverage ratio requirements under the Basel Committee on Banking Supervision standardized approach for U.S. banking organizations adopted by the FDIC. These rules implement the Basel III international regulatory capital standards in the United States, as well as certain provisions of the Dodd-Frank Act. These quantitative calculations are minimums, and the FDIC may determine that a bank, based on size, complexity, or risk profile, must maintain a higher level of capital to operate in a safe and sound manner.

Under the Basel III capital rules, the Banks’ assets, exposures, and certain off-balance sheet items are subject to risk weights used to determine CB’s and CCB’s risk-weighted assets, which then are used to determine the minimum capital that CB and CCB should keep as reserves to reduce the risk of insolvency. These risk-weighted assets are used to calculate the following minimum capital ratios for the Banks:

•Common Equity Tier 1 (CET1) Risk-Based Capital Ratio – the ratio of CET1 capital to risk-weighted assets. In the calculation of CET1 capital, we follow the Basel III Standardized Approach. CET1 capital primarily includes common stockholders’ equity subject to certain regulatory adjustments and deductions, including for goodwill and intangible assets, net, certain deferred tax assets, and accumulated other comprehensive income or loss.

•Tier 1 Risk-Based Capital Ratio – the ratio of Tier 1 capital to risk-weighted assets. In the calculation of Tier 1 capital, we follow the Basel III Standardized Approach. Tier 1 capital is primarily comprised of CET1 capital, perpetual preferred stock, and certain qualifying capital instruments. For us, until the fourth quarter of 2025 when we completed our first issuance of perpetual preferred stock, this ratio was the same as the CET1 Risk-Based Capital Ratio because we did not have any perpetual preferred stock or other qualifying capital instruments that would adjust the ratio.

11

Table of Contents

•Total Risk-Based Capital Ratio – the ratio of total capital, including CET1 capital, Tier 1 capital, and Tier 2 capital, to risk-weighted assets. In the calculation of total capital, we follow the Basel III Standardized Approach. Tier 2 capital primarily includes qualifying subordinated debt and qualifying allowance for credit losses.

The Banks are also subject to the requirements of a fourth ratio, the Leverage ratio, which itself does not incorporate risk-weighted assets:

•Tier 1 Leverage Ratio – the ratio of Tier 1 capital to quarterly average assets (net of goodwill, certain other intangible assets, and certain other deductions).

The Basel III capital rules require a minimum CET1 Risk-Based Capital Ratio of 4.5%, a minimum Tier 1 Risk-Based Capital Ratio of 6.0%, and a minimum Total Risk-Based Capital Ratio of 8.0%. In addition to meeting the minimum capital requirements, under the Basel III capital rules, the Banks must also maintain the required 2.5% Capital Conservation Buffer to avoid becoming subject to restrictions on capital distributions and certain discretionary bonus payments to executive management. The Capital Conservation Buffer is calculated as a ratio of CET1 capital to risk-weighted assets, and it essentially increases the required minimum risk-based capital ratios. As a result, the Banks must maintain a CET1 Risk-Based Capital Ratio of at least 7%, a Tier 1 Risk-Based Capital Ratio of at least 8.5% and a Total Risk-Based Capital Ratio of at least 10.5% to avoid being subject to the noted restrictions. The Tier 1 Leverage Ratio is not impacted by the Capital Conservation Buffer; the required minimum Tier 1 Leverage Ratio for all banks and BHCs is 4%.

A bank, however, may be considered well-capitalized while remaining out of compliance with the Capital Conservation Buffer. To be considered well-capitalized, the Banks must maintain the following capital ratios which are in excess of the minimums described above:

•CET1 Risk-Based Capital Ratio of 6.5% or greater;

•Tier 1 Risk-Based Capital Ratio of 8.0% or greater;

•Total Risk-Based Capital Ratio of 10.0% or greater; and

•Tier 1 Leverage Ratio of 5.0% or greater.

Failure to be well-capitalized or to meet minimum capital requirements could result in certain mandatory and possible additional discretionary actions by regulators that, if undertaken, could have a material adverse effect on our operations or financial condition. Failure to be well-capitalized or to meet minimum capital requirements could also result in restrictions on the Banks’ ability to pay dividends or otherwise distribute capital or to receive regulatory approval of applications. The Banks seek to maintain capital levels and ratios in excess of the minimum regulatory requirements inclusive of the 2.5% Capital Conservation Buffer. As of December 31, 2025, the Banks’ regulatory capital ratios were above the well-capitalized standards, inclusive of the Capital Conservation Buffer.

Dividends

Bread Financial Holdings, Inc. is a legal entity separate and distinct from the Banks. Declaration and payment of cash dividends on, or repurchases of, our equity securities depends upon cash dividend payments to Bread Financial Holdings, Inc. by the Banks, which are our primary source of revenue and cash flow. As state-chartered banks, under Delaware or Utah law, as applicable, the Banks are subject to regulatory restrictions on the payment and amounts of dividends. Further, the ability of the Banks to pay dividends to Bread Financial Holdings, Inc. is also subject to their profitability, financial condition, capital expenditures and other cash flow requirements, and any such dividends are also subject to the approval of the Board of Directors of the applicable Bank. No assurances can be given that the Banks will, in any circumstances, pay dividends to Bread Financial Holdings, Inc.

The payment of dividends by the Banks and Bread Financial Holdings, Inc. and any repurchases of our equity securities may also be affected by other factors, such as the requirement to maintain adequate capital above regulatory requirements. The Federal Banking Agencies, being the Office of the Comptroller of the Currency (OCC), the FRB and the FDIC, have indicated that paying dividends that deplete a bank’s capital base to an inadequate level would be an unsafe and unsound banking practice; a bank may not pay any dividend if payment would cause it to become undercapitalized or if it already is undercapitalized. Moreover, the Federal Banking Agencies have issued policy statements that provide that banks should generally only pay dividends out of current operating earnings. The Federal Banking Agencies have the authority to prohibit banks from paying a dividend if it is deemed that such payment would be an unsafe or unsound practice. The FDIC also may require its prior consent before a bank pays a dividend that exceeds retained earnings or comes from the surplus account of common or preferred stock.

12

Table of Contents

Prompt Corrective Action and Safety and Soundness

Under applicable “prompt corrective action” (PCA) statutes and regulations, insured depository institutions, such as the Banks, are placed into one of five capital categories, ranging from “well capitalized” to “critically undercapitalized.” The PCA statute and regulations provide for progressively more stringent supervisory measures as an institution’s capital category declines. An institution that is not well capitalized is generally prohibited from accepting brokered deposits and offering interest rates on deposits higher than the prevailing rate in its market. An undercapitalized institution must submit an acceptable restoration plan to the appropriate Federal Banking Agency. One requisite element of such a plan is that the institution’s parent holding company guarantee the institution’s compliance with the plan, subject to certain limitations. As of December 31, 2025, the Banks qualified as “well capitalized” under applicable regulatory capital standards.

Insured depository institutions may also be subject to potential enforcement actions of varying levels of severity by the Federal Banking Agencies for unsafe or unsound practices in conducting their businesses, or for violation of any law, rule, regulation, condition imposed in writing by the agency, or term of a written agreement with the agency. In more serious cases, enforcement actions may include:

•the issuance of directives to increase capital;

•the issuance of formal and informal agreements;

•the imposition of civil monetary penalties;

•the issuance of a cease and desist order that can be judicially enforced;

•the issuance of removal and prohibition orders against officers, directors, and other institution-affiliated parties;

•the termination of the institution’s deposit insurance;

•the appointment of a conservator or receiver for the institution; and

•the enforcement of such actions through injunctions or restraining orders based upon a judicial determination that the FDIC, as receiver, would be harmed if such equitable relief was not granted.

Reserve Requirements

FRB regulations require insured depository institutions to maintain cash reserves against their transaction accounts, primarily interest-bearing and regular checking accounts, as well as cardholder credit balances. The required cash reserves can be in the form of vault cash and, if vault cash does not fully satisfy the required cash reserves, in the form of a balance maintained with the Federal Reserve Banks; we maintain a significant majority of our liquidity portfolio on deposit within the Federal Reserve banking system.

The regulations authorize different ranges of reserve requirement ratios depending on the amount of transaction account balances held. A zero percent reserve requirement ratio is applied to transaction balances below the reserve requirement exemption amount. In addition, transaction account balances maintained over the reserve requirement exemption amount and up to a certain amount, known as the low reserve tranche, may be subject to a reserve requirement ratio of not more than 3 percent (and which may be zero), and transaction account balances over the low reserve tranche may be subject to a reserve requirement ratio of not more than 14 percent (and which may be zero). The reserve requirement exemption and the low reserve tranche are both subject to adjustment on an annual basis, as applicable, by the FRB. Effective March 26, 2020, in response to the COVID-19 pandemic, the reserve requirement ratios on all net transaction accounts were reduced to zero percent, thereby eliminating reserve requirements for all depository institutions. The annual indexation of the reserve requirement exemption amount and the low reserve tranche for the years 2021-2026 was required by statute, but did not affect depository institutions’ reserve requirements, which remain at zero.

Federal Deposit Insurance

The deposits of the Banks are insured up to applicable limits by the DIF of the FDIC. The current standard maximum deposit insurance amount is $250,000 per depositor, per insured depository institution, per ownership category, in accordance with applicable FDIC regulations.

The FDIC uses a risk-based assessment system that imposes insurance premiums based on a risk matrix that takes into account the risks attributable to different categories and concentrations of an insured depository institution’s assets and liabilities, and supervisory rating. The base for insurance assessments is the average consolidated total assets less the average tangible equity capital of an institution. Assessment rates are calculated using formulas that take into account the risk of the institution being assessed.

13

Table of Contents

Under the Federal Deposit Insurance Act (the FDIA), the FDIC may terminate an institution’s deposit insurance upon a finding that the institution has engaged in unsafe and unsound practices, is in an unsafe and unsound condition or has violated any applicable law, regulation, order or condition imposed by the FDIC.

Cross Guaranty Provisions

The cross guaranty provisions of the FDIA require each insured depository institution controlled by the same parent company to be financially responsible for the failure or resolution costs of any affiliated insured depository institution. Generally, the amount of the cross guaranty liability is equal to the estimated loss to the DIF for the resolution of the affiliated institution(s) in default. The FDIC’s claim under the cross guaranty provision is superior to claims of stockholders of the insured depository institution or its parent company and to most claims arising out of obligations or liabilities owed to affiliates of the institution, but is subordinate to claims of depositors, secured creditors and holders of subordinated debt (other than affiliates) of the commonly controlled insured depository institution. The FDIC may decline to enforce the cross guaranty provision if it determines that a waiver is in the best interest of the DIF.

Depositor Preference

The FDIA provides that, in the event of the liquidation or other resolution of an insured depository institution, the claims of depositors of the institution, including the claims of the FDIC as subrogee of insured depositors, and certain claims for administrative expenses of the FDIC as a receiver, will have priority over other general unsecured claims against the institution. If an insured depository institution fails, insured and uninsured depositors, along with the FDIC, will have priority in payment ahead of unsecured, non-deposit creditors, including the parent company, with respect to any extensions of credit they have made to such insured depository institution.

Restrictions on Transactions with Affiliates and Insiders

Sections 23A and 23B of the Federal Reserve Act and the FRB’s Regulation W limit the extent to which the Parent Company and its non-bank affiliates (including non-bank subsidiaries) can borrow or otherwise obtain credit from, or engage in other covered transactions with either of the Banks, which may have the effect of limiting the extent to which either Bank can finance or otherwise supply funds to the Parent Company or its non-bank affiliates. “Covered transactions” are subject to quantitative and qualitative limits and include:

•loans or extensions of credit;

•purchases of or investments in securities;

•purchases of assets, including assets subject to an agreement to repurchase;

•acceptance of securities as collateral for a loan or extension of credit;

•a derivative transaction to the extent that the transaction causes the bank to have a credit exposure to the affiliate; or

•the issuance of a guarantee, acceptance, or letter of credit.

In addition, with certain exceptions, each loan or extension of credit by either Bank to the Parent Company or its non-bank affiliates must be secured by collateral with a market value ranging from 100% to 130% of the amount of the loan or extension of credit, depending on the type of collateral. Further, all transactions between the Banks and the Parent Company or any non-bank affiliates must be on arm’s length terms and consistent with safe and sound banking practices. The Banks are also prohibited from purchasing low-quality assets from the Parent Company or any non-bank affiliates.

The Banks are also subject to Sections 22(g) and 22(h) of the Federal Reserve Act, and the FRB’s implementing Regulation O as made applicable to the Banks by the regulations of the FDIC. These provisions impose limitations on loans and extensions of credit by the Banks to their executive officers, directors and principal stockholders and their related interests, as well as those of the Banks’ affiliates. The limitations restrict the terms and aggregate amount of such transactions. Regulation O also imposes certain recordkeeping and reporting requirements.

Volcker Rule

Section 619 of the Dodd-Frank Act, commonly known as the Volcker Rule, restricts the ability of banking entities, such as Bread Financial Holdings, Inc. and the Banks, from (i) engaging in proprietary trading and (ii) investing in or sponsoring covered funds, subject to certain limited exceptions. Under the Volcker Rule, the term covered funds is defined as any issuer that would be an investment company under the Investment Company Act but for the exemption in section 3(c)(1) or 3(c)(7) of that Act, which includes collateralized loan obligation securities, collateralized debt obligation securities, and

14

Table of Contents

certain foreign funds. There are also several exemptions from the definition of covered funds, including, among other things, loan securitizations, joint ventures, certain types of foreign funds, entities issuing asset-backed commercial paper, and registered investment companies. We do not engage in proprietary trading or invest in or sponsor covered funds.

Incentive Compensation

The Federal Banking Agencies have issued comprehensive guidance intended to ensure that the incentive compensation policies of banking organizations do not undermine the safety and soundness of those organizations by encouraging excessive risk-taking. The incentive compensation guidance sets expectations for banking organizations concerning their incentive compensation arrangements and related risk management, control and governance processes. The incentive compensation guidance, which covers all employees that have the ability to materially affect the risk profile of an organization, either individually or as part of a group, is based upon three primary principles: (i) balanced risk-taking incentives; (ii) compatibility with effective controls and risk management; and (iii) strong corporate governance. Any deficiencies in compensation practices that are identified may be incorporated into the organization’s supervisory ratings, which can affect its ability to make acquisitions or take other actions. In addition, under the incentive compensation guidance, a banking organization’s federal supervisor may initiate enforcement action if the organization’s incentive compensation arrangements pose a risk to the safety and soundness of the organization. Further, the Basel III capital rules limit discretionary bonus payments to bank executives if the institution’s regulatory capital ratios fail to exceed certain thresholds.

The Dodd-Frank Act requires the Federal Banking Agencies and the Securities and Exchange Commission (SEC) to establish joint regulations or guidelines prohibiting incentive-based payment arrangements at specified regulated entities, including the Banks, that encourage inappropriate risks, (i) by providing an executive officer, employee, director or principal stockholder with excessive compensation, fees, or benefits, or (ii) that could lead to material financial loss to the entity. Whenever these joint regulations or guidelines are finalized, which does not appear imminent, the manner and form may impact our executive compensation.

The Dodd-Frank Act also requires publicly traded companies to give stockholders a non-binding “say-on-pay” vote on executive compensation at least every three years and on so-called “golden parachute” payments in connection with approvals of mergers and acquisitions. We have held our “say-on-pay” vote annually.

USA PATRIOT Act

Under Title III of the USA PATRIOT Act, all financial institutions are required to take certain measures to identify their customers, prevent money laundering, monitor customer transactions, and report suspicious activity to U.S. law enforcement agencies. Financial institutions are also required to respond to requests for information from Federal Banking Agencies and law enforcement agencies. Information sharing among financial institutions for the above purposes is encouraged by an exemption granted to complying financial institutions from the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) and other privacy laws. Financial institutions that hold correspondent accounts for foreign banks or provide private banking services to foreign individuals are required to take measures to avoid dealing with certain foreign individuals or entities, including foreign banks with profiles that raise money laundering concerns, and are prohibited from dealing with foreign “shell banks” and persons from jurisdictions of particular concern. The Federal Banking Agencies and the Secretary of the Treasury have adopted regulations to implement several of these provisions.

Furthermore, financial institutions are required to establish internal anti-money laundering programs. These programs must include policies, procedures, processes and other internal controls designed to monitor, identify, manage and mitigate the risk of money laundering or terrorist financing posed by a financial institution’s products, services, customers and geographic locale. These controls include procedures and processes to detect and report suspicious transactions, perform customer due diligence, respond to requests from law enforcement, identify and verify a legal entity customer’s beneficial owner(s) at the time a new account is opened and to understand the nature and purpose of the customer relationship, and meet all recordkeeping and reporting requirements related to particular transactions involving currency or monetary instruments. These programs must be coordinated by a compliance officer, undergo annual independent audits to assess effectiveness, and require training of employees. The effectiveness of a financial institution in combating money laundering activities is a factor to be considered in any application submitted by a financial institution to engage in a merger transaction under the Bank Merger Act. Failure to comply with these regulations may result in fines, penalties, lawsuits, regulatory sanctions, reputational damage, or restrictions on business. Our Banks have in place a Bank Secrecy Act and USA PATRIOT Act compliance program and engage in very few transactions of any kind with foreign financial institutions or foreign persons.

15

Table of Contents

Office of Foreign Assets Control Regulations

The United States government has imposed economic sanctions that affect transactions with designated foreign countries, nationals, and others. These are typically known as the “OFAC rules” based on their administration by the U.S. Treasury Department Office of Foreign Assets Control (OFAC). The OFAC administered sanctions targeting countries take many different forms. Generally, OFAC sanctions contain one or more of the following elements: (i) restrictions on trade with or investment in a sanctioned country, including prohibitions against direct or indirect imports from and exports to a sanctioned country and prohibitions on U.S. persons engaging in financial transactions relating to making investments in, or providing investment-related advice or assistance to, a sanctioned country; and (ii) a blocking of assets in which the government or specially designated nationals of the sanctioned country have an interest, by prohibiting transfers of property subject to U.S. jurisdiction (including property in the possession or control of U.S. persons). Blocked assets (e.g., property and bank deposits) cannot be paid out, withdrawn, set off, or transferred in any manner without a license from the OFAC. Failure to comply with these sanctions could have serious legal and reputational consequences.

Third-Party Risk Management

The FDIC, along with the other Federal Banking Agencies, issued final guidance on managing risks associated with third-party relationships in June 2023. The guidance states that sound third-party risk management takes into account the level of risk, complexity, and size of the bank and the nature of the third-party relationship. In July 2024, the Federal Banking Agencies released a joint statement on banks’ arrangements with third parties to deliver bank deposit products and services. The joint statement cautions that operational and compliance risks arise when banks hand over substantial control of key functions to a third-party. Banks can manage risk through policies and procedures governing organizational structures, lines of reporting, expertise and staffing, internal controls and audit functions. Banks can also conduct risk assessments to assess controls for mitigating risk relating to specific third-party arrangements, engage in due diligence of third-party relationships, set appropriate contractual relationships, and establish monitoring routines to identify risks.

Identity Theft

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) amended the Fair Credit Reporting Act (FCRA) to combat identity theft, along with its implementing regulation, Regulation V, require insured state nonmember banks, such as the Banks, to establish programs to address risks of identity theft. The rules require financial institutions and creditors to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The rules include guidelines to assist entities in the formulation and maintenance of programs that would satisfy these requirements. In addition, the rules establish special requirements for any credit and debit card issuers that are subject to the jurisdiction of the FDIC to assess the validity of notifications of changes of address under certain circumstances. The Banks implemented an ID Theft Prevention Program (Program), approved by their Boards of Directors, in compliance with these requirements. The Banks review and make enhancements to the Program on an ongoing basis.

Open Banking

In October 2024, the CFPB finalized a rule implementing a section of the Dodd-Frank Act, which requires certain entities, including the Banks, to, among other things, make available to a consumer, upon request, information in its control or possession concerning the consumer financial product or service that the consumer obtained from that entity. The final rule also requires data providers holding a consumer account, such as the Banks, to establish a developer interface satisfying certain data security specifications and other standards, through which the data provider can receive requests for, and provide specific types of data covered by the rule in electronic, usable form to authorized third parties, including data aggregators. Under the final rule, data providers are prohibited from charging consumers or third parties fees for processing these consumer data requests. The final rule also places certain data security, authorization, and other obligations on third parties accessing covered data from data providers, which could include the Banks when acting in certain capacities. The final rule also requires third parties to limit their collection, use, and retention of the data received to only what is reasonably necessary to provide the consumers’ requested product or service. In October 2024, industry trade associations filed a lawsuit against the CFPB alleging the agency exceeded its statutory authority and asking the court to vacate the rule. In July 2025, the District Court for the Eastern District of Kentucky granted the motion by the CFPB to stay the proceedings while the CFPB conducts a rulemaking to revise the final rule. In August 2025, the CFPB published an advance notice of proposed rulemaking requesting input on certain aspects of the rule it was reconsidering, and in October 2025 the District Court entered a preliminary injunction barring enforcement of the rule while it is being reconsidered by the CFPB.

16

Table of Contents

Community Reinvestment Act

The Community Reinvestment Act of 1977 (CRA) is intended to encourage banks to help meet the credit needs of their service areas, including low- and moderate-income neighborhoods, consistent with safe and sound business practices. The relevant Federal Banking Agency, the FDIC in the Banks’ case, examines each bank and assigns it a public CRA rating. A bank’s record of fair lending compliance is part of the resulting CRA examination report. CRA performance evaluations are based on a four-tiered rating system: Outstanding, Satisfactory, Needs to Improve and Substantial Noncompliance. CRA performance evaluations are considered in evaluating applications for, e.g., mergers, acquisitions and applications to open branches. The Banks each received a CRA rating of “Outstanding” at their most recent CRA examinations.

In October 2023, the Federal Banking Agencies issued a final rule overhauling the process and substantive tests used by the agencies to assess a bank’s record of meeting the credit needs of its community. In February 2024, industry trade associations filed a lawsuit against the Federal Banking Agencies alleging the agencies exceeded their statutory authority and asking the court to vacate the final rule. In March 2024, the District Court for the Northern District of Texas enjoined the Federal Banking Agencies from enforcing the final rule. In July 2025, the Federal Banking Agencies jointly issued a proposal to rescind the 2023 final rule. The agencies announced that because the 2023 final rule was subject to legal action and had not taken effect, the agencies continue to apply the regulatory framework in effect prior to the 2023 final rule.

Consumer Protection Regulation and Supervision

We are subject to the federal consumer financial protection laws implemented by the CFPB, as well as by other federal agencies including the FDIC and Federal Trade Commission. The CFPB has broad rulemaking authority that has impacted, and may continue to impact, the Banks’ operations, including with respect to credit card late fees and other amounts that we may charge. For example, the CFPB’s rulemaking authority may allow it to change regulations adopted in the past by other regulators, including regulations issued under the Truth in Lending Act by the FRB. We are also subject to certain state consumer protection laws, and state attorneys general and other state officials are empowered to enforce certain federal consumer protection laws and regulations. State authorities have increased their focus on and enforcement of consumer protection rules. These federal and state consumer protection laws apply to a broad range of our activities and to various aspects of our business, and include laws relating to interest rates, fair lending, disclosures of credit terms and estimated transaction costs to consumer borrowers, debt collection practices, the use and provision of information to consumer reporting agencies, and the prohibition of unfair, deceptive, or abusive acts or practices in connection with the offer, sale, or provision of consumer financial products and services. Each Bank has in place an effective compliance management system to comply with these laws and regulations.

In March 2024 the CFPB published a final rule that would have significantly reduced the safe harbor amount for late fees that credit card issuers are authorized to charge. In April 2025 the United States District Court for the Northern District of Texas entered an order and final judgment, pursuant to which the CFPB’s credit card late fee rule was vacated. As a result of the rule being vacated, it will have no force or effect, and the late fee safe harbor amounts will continue to be set as they were prior to the CFPB’s late fee rulemaking.

More generally, the CFPB’s ability to rescind, modify or interpret past regulatory guidance could reduce fee income, and increase our compliance costs and litigation exposure. Further, the CFPB has broad authority to enforce the prohibitions of “unfair, deceptive or abusive” acts or practices regardless of which agency supervises the Banks. The CFPB has taken enforcement action against other credit card issuers and financial services companies. Evolution of these standards could result in changes to pricing, practices, procedures and other activities relating to our credit card accounts in ways that could reduce the associated return from those accounts and potentially impact business growth plans. While the CFPB has taken public positions on certain matters, it is unclear what additional changes may be promulgated by the CFPB in the future and what effect, if any, such changes could have on our credit accounts and our consolidated financial condition.

During 2025 under the current Presidential Administration, the operations of the CFPB evolved significantly, with reductions in staff and more limited examinations and enforcement activities. Certain of these developments at the CFPB are subject to pending litigation, and the scope and intensity of the CFPB’s ongoing regulation of our business remains uncertain.

17

Table of Contents

Brokered Deposits

The FDIA prohibits an insured bank from accepting brokered deposits, unless it is “well capitalized” or it is “adequately capitalized” and then also receives a waiver from the FDIC. In December 2020 the FDIC updated its regulations that implement Section 29 of the FDIA to establish a new framework for analyzing whether certain deposit arrangements qualify as brokered deposits. In the third quarter of 2024, the FDIC published in the Federal Register a proposed rule that, if finalized as proposed, would have expanded the scope of deposits that constitute “brokered deposits” and therefore could potentially have caused certain of our present or prospective deposits to be treated as brokered. The FDIC withdrew this proposed rule in March 2025.

Guiding and Establishing National Innovation for U.S. Stablecoins Act

In July 2025, President Trump signed the GENIUS Act into law, establishing a federal licensing and supervisory framework for payment stablecoins and their issuers. The GENIUS Act may accelerate and increase the competition that non-traditional financial institutions pose to banks’ payment services, but may also create opportunities for banks to hold stablecoin reserve assets, custody stablecoins, or issue stablecoins. Several key provisions of the GENIUS Act require federal regulatory agencies to adopt implementing regulations, and the GENIUS Act will take effect the earlier of 18 months after its enactment or 120 days after the agencies issue final implementing regulations.

Privacy, Information Security and Data Protection

We are subject to various privacy, information security and data protection laws, including requirements concerning security breach notification. For example, we are subject to the GLBA and implementing regulations and guidance in the United States. Among other things, the GLBA: (i) imposes certain limitations on the ability of financial institutions to share consumers’ nonpublic personal information with nonaffiliated third parties; (ii) requires that financial institutions provide certain disclosures to consumers about their information collection, sharing and security practices and affords consumers the right to opt out of the institution’s disclosure of their personal financial information to nonaffiliated third parties (with certain exceptions); and (iii) requires financial institutions to develop, implement and maintain a written comprehensive information security program containing safeguards that are appropriate to the financial institution’s size and complexity, the nature and scope of the financial institution’s activities, the sensitivity of consumer information processed by the financial institution as well as plans for responding to data security breaches.

The State of California enacted the California Consumer Privacy Act (CCPA) in 2018, which was modified in 2020 through a voter referendum adopting the California Privacy Rights Act. Among other requirements, the CCPA requires covered businesses to provide California residents with the right to know what information is being collected from them and whether such information is sold or disclosed to third parties. The statute also allows California residents to access, delete, correct, and opt out of the sale and sharing of personal information that has been collected by covered businesses in certain circumstances. The CCPA does not apply to personal information processed pursuant to the GLBA or the California Financial Information Privacy Act. We are a covered business under the CCPA, which became effective on January 1, 2020. The enactment of the CCPA has prompted a wave of legislative developments in other states, which has created a patchwork of overlapping but different state laws, certain of which include exemptions for GLBA-regulated entities and/or personal information.

Federal and state laws also require us to respond appropriately to data security breaches. A final rule issued by the FRB, OCC, and FDIC, which became effective in May 2022, requires banking organizations to notify their primary federal regulator of significant computer security incidents within 36 hours of determining that such an incident has occurred. The SEC has also adopted rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure, which, among other things, require the filing of a Current Report on Form 8-K following certain cybersecurity incidents.

We continue to monitor, and have a program in place designed to comply with, applicable privacy, information security and data protection requirements imposed by federal and state laws. However, if we experience a significant cybersecurity incident or our regulators deem our information security controls to be inadequate, we could be subject to supervisory criticism or penalties, and/or suffer reputational harm. For further discussion of privacy, data protection and cybersecurity, and related risks for our business, see “Part I—Item 1A. Risk Factors” under the headings “Regulation in the areas of privacy, data protection, data governance, and cyber security could increase our costs and affect or limit our business opportunities and how we collect and/or use Personal Information, and any actual or perceived failure to comply with any of these new or existing laws could adversely affect our business, results of operations, or financial condition,” “If we, our third-party providers, or brand partners fail to safeguard our confidential information and/or experience a data security

18

Table of Contents

incident, there may be damage to our brand and reputation, material financial penalties and legal claims, which could materially adversely affect our business, results of operations, and financial condition,” and “Business interruptions, including loss of data center capacity, interruption due to cyber-attacks, loss of network connectivity or inability to utilize proprietary software of third-party vendors, could affect our ability to timely meet the needs of our partners and customers and harm our business” and “Part I—Item 1C. Cybersecurity.”

Human Capital

Providing a meaningful value proposition for our associates is one of our top priorities. We seek to enhance our associate value proposition continuously to ensure that we offer competitive rewards, career opportunities and flexible work experience, which we believe enables us to attract and retain a highly qualified and motivated workforce.

As of December 31, 2025, we employed approximately 6,000 associates worldwide, with the majority concentrated in the United States. Attracting, developing and retaining top talent is critical to our business. In making these employment-related decisions, we comply with all applicable laws. We promote an inclusive, engaged culture that empowers associates through opportunities to grow, develop and lead. Our associates have been, and will remain, the backbone of our business, and we take a holistic approach to our associates’ experiences, recognizing that an engaged workforce drives our long-term growth and sustainability. Our Board of Directors and Compensation & Human Capital Committee provide important oversight of our human capital management strategy and receive regular updates from senior management and third-party consultants on human capital trends and developments and other key human capital matters that drive our ongoing success and performance.

Associate Benefits and Well-Being

Associate well-being remains a top human capital priority, and we are committed to providing our associates with competitive total compensation, benefits and wellness resources. Our associates continue to value a flexible work experience that allows them to balance office work and remote work time. Over 90% of our associates view our flexible work arrangements as a competitive advantage relative to other potential employment opportunities, and we continue to take advantage of the engagement and productivity benefits associated with increased flexibility, as well as opportunities for connectedness and social interaction. Other associate well-being resources include mental health awareness and counseling support, wellness courses and financial education, a variety of fitness and meditation classes, a reimbursement program for eligible items, memberships, and experiences that enhance well-being and other benefits to promote mental and physical health.

While we continue to improve the competitiveness of our associate benefit offerings, it is also important for associates to make informed decisions about their health and money. When surveyed, 89% of our associates are confident they have the knowledge and skills to make informed decisions about their health and money.

Associate Experience and Engagement

Delivering an exceptional customer experience relies on our ability to cultivate an engaging and rewarding experience for our associates. We maintained high levels of associate engagement and retention in 2025. We continue to listen to and act on feedback from our associates, including through our annual Associate Experience Survey and other more frequent surveys and communications. Each year after the results of the annual Associate Experience Survey have been tabulated, our senior management presents those results to our Compensation & Human Capital Committee and our Board of Directors, including discussion regarding trends observed and actions to be taken in response to the results. Input from our Board of Directors helps inform our human capital strategies and objectives going forward.

Workforce Readiness, Growth and Advancement

At Bread Financial, we know associates have different needs to meet their career goals, including by accessing new work opportunities through our suite of mobility programs. During the year we expanded our existing mobility programs, which include internship opportunities, rotational programs, and our “Flex and Stretch” programs, that allow associates to work on projects outside of their core work responsibilities. Additionally, our six-month Apprentice Program continues to be successful. These mobility programs support our associates in their career goals, while allowing us to move talent across the organization to meet our business needs.

19

Table of Contents

Robust training and development remain central to our human capital strategy. This year a new partnership with Pluralsight was launched to advance technical skills across the associate population. This enabled the creation of specialized skill paths in technology, an immersive cohort program for AI in Data Science, and an Operational Excellence academy offering Six Sigma, Design Thinking and AI training. In addition to career-oriented training and development, we require annual associate training to ensure ongoing adherence to responsible business practices and ethical conduct, and all associates must certify annually that they have read and will adhere to our Code of Ethics. Our Associate Relations team also conducted ethics roadshows in 2025, which were required for all leaders of people.

Inclusive Culture

We are committed to creating an inclusive culture that attracts and values diversity of thought, experience, background, skills and ideas, driving our associates’ sense of belonging. Over the past few years, we have advanced our actions and activities in support of creating a more inclusive work environment, including the maturation of our associate programs and expansion of our nine Associate Resource Groups, which are open to all associates across our locations and that nearly 1,600 unique associates have voluntarily joined. Based on our annual Associate Experience Survey, 86% of our associates feel a sense of belonging and 90% believe Bread Financial is committed to fostering a work environment of inclusion and belonging.

Sustainability Strategy

We are a financial services company dedicated to empowering our customers and optimizing opportunities to create value for all our stakeholders, while advancing long-term financial and reputational goals. We prioritize initiatives that strengthen our communities, reduce our environmental impact, promote inclusion and build financial confidence. We continue to advance the integration of environmental and social factors into our overall governance, risk management and reporting practices in ways that increase transparency and enhance the quality of our disclosures. Additional information regarding our sustainability strategy and responsible business practices can be found in our annual sustainability report published on our website at: https://investor.breadfinancial.com/sustainability/. No information from this website is incorporated by reference herein. Please also see “Human Capital” above.

Other Information

Our corporate headquarters are located at 3095 Loyalty Circle, Columbus, Ohio 43219, where our telephone number is 614-729-4000.

We file or furnish annual, quarterly and current reports, proxy statements and other information with the SEC. Our SEC filings are available to the public at the SEC’s website at www.sec.gov. You may also obtain copies of our annual, quarterly and current reports, proxy statements and certain other information filed or furnished with the SEC, as well as amendments thereto, free of charge from our website, www.BreadFinancial.com. No information from this website is incorporated by reference herein. These documents are posted to our website as soon as reasonably practicable after we have filed or furnished these documents with the SEC. We post our Audit Committee, Risk & Technology Committee, Compensation & Human Capital Committee and Nominating & Corporate Governance Committee charters, our corporate governance guidelines, and our code of ethics, code of ethics for senior financial officers, and code of ethics for Board members on our website.