CAPITAL ONE FINANCIAL CORP (COF) Business

Item 1. Business

OVERVIEW

General

Capital One Financial Corporation, a Delaware corporation established in 1994 and headquartered in McLean, Virginia, is a diversified financial services holding company with banking and non-banking subsidiaries. Capital One Financial Corporation and its subsidiaries (the “Company” or “Capital One”) operate as a global payments provider and diversified financial institution, delivering a broad array of financial products and services to consumers, small businesses and commercial clients through digital channels, branch locations, cafés and other distribution channels.

As of December 31, 2025, Capital One Financial Corporation’s principal operating subsidiary was Capital One, National Association (“CONA”). On May 18, 2025 (the “Closing Date”), Discover Financial Services (“Discover”) merged into Capital One and Discover Bank merged into CONA. See “Part II—Item 8. Financial Statements and Supplementary Data—Note 2—Business Combinations and Discontinued Operations” for additional information. The Company is hereafter collectively referred to as “we,” “us” or “our.” CONA is referred to as the “Bank.”

References to “this Report” or our “2025 Form 10-K” or “2025 Annual Report” are to our Annual Report on Form 10-K for the fiscal year ended December 31, 2025. All references to 2025, 2024 and 2023, refer to our fiscal years ended, or the dates, as the context requires, December 31, 2025, December 31, 2024 and December 31, 2023, respectively. Certain business terms used in this document are defined in “Part II—Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations (“MD&A”)—Glossary and Acronyms” and should be read in conjunction with the Consolidated Financial Statements included in this Report.

We were the largest issuer of credit cards in the United States of America (“U.S.”) based on the outstanding balance of credit card loans as of December 31, 2025. In addition to credit cards, we also offer debit cards, bank lending, treasury management and depository services, auto loans and other consumer lending products in markets across the U.S. As one of the nation’s largest banks based on deposits as of December 31, 2025, we service banking customer accounts through digital channels and our network of branch locations, cafés, call centers and automated teller machines (“ATMs”). Additionally, through the acquisition of Discover, we acquired new products including personal loans as well as the Discover Network, the PULSE Network, Diners Club International (“Diners Club”) and Network Partners (collectively, the “Global Payment Network”).

The Discover Network processes transactions for credit and debit cards issued on its network and provides payment transaction processing and settlement services. The PULSE Network operates an electronic funds transfer network, providing financial institutions issuing debit cards on the PULSE Network with access to ATMs domestically and internationally, as well as merchant acceptance throughout the U.S. for debit card transactions. Diners Club is a global payments network of licensees, which are generally financial institutions, that issue Diners Club-branded charge cards and/or provide card acceptance services. We also have agreements with a number of financial institutions, financial technology firms, networks and other commercial service providers (collectively, “Network Partners”) for the provision of card issuing, payments processing and related services on the Global Payment Network.

We also offer credit card products and certain other services outside of the U.S. principally through Capital One (Europe) plc (“COEP”), an indirect subsidiary of CONA organized and located in the United Kingdom (“U.K.”), and through a branch of CONA in Canada. Both COEP and our Canadian branch of CONA have the authority to provide credit card loans. In addition, we offer Global Payment Network services globally.

Business Developments

We regularly explore and evaluate opportunities to acquire financial products and services as well as financial assets, including credit card and other loan portfolios, and enter into strategic partnerships as part of our growth strategy. We also explore opportunities to acquire technology companies and related assets to improve our information technology infrastructure and to deliver on our digital strategy. We may issue equity or debt to fund our acquisitions. In addition, we regularly consider the potential disposition of certain of our assets, branches, partnership agreements or lines of business.

Table of Contents

Discover Acquisition

On February 19, 2024, the Company entered into an agreement and plan of merger (the “Merger Agreement”), by and among Capital One, Discover, a Delaware corporation and Vega Merger Sub, Inc., a Delaware corporation and a direct, wholly owned subsidiary of the Company (“Merger Sub”). On May 18, 2025, the Company closed the acquisition of Discover, pursuant to which (a) Merger Sub merged with and into Discover, with Discover as the surviving entity in the merger (the “Merger”); (b) immediately following the Merger, Discover, as the surviving entity, merged with and into Capital One, with Capital One as the surviving entity in the second-step merger (the “Second Step Merger”); and (c) immediately following the Second Step Merger, Discover Bank, a Delaware-chartered and wholly owned subsidiary of Discover, merged with and into CONA, with CONA as the surviving entity in the merger (the “CONA Bank Merger,” and collectively with the Merger and the Second Step Merger, the “Transaction”). The Transaction enables the Company to leverage its newly acquired networks, customer base, technology, and data ecosystem to drive value for merchants, consumers and small businesses. The Company has substantially completed the reissuance of legacy Capital One customer debit cards onto the Global Payment Network.

Upon closing, each share of common stock of Discover outstanding immediately prior to the effective time of the Merger, other than certain shares held by Discover or Capital One, was converted into the right to receive 1.0192 shares of common stock of Capital One. Holders of Discover common stock received cash in lieu of fractional shares. At the effective time of the Second Step Merger, each share of Fixed-to-Floating Rate Non-Cumulative Perpetual Preferred Stock, Series C, of Discover, and each share of 6.125% Fixed-Rate Reset Non-Cumulative Perpetual Preferred Stock, Series D, of Discover, in each case outstanding immediately prior to the effective time of the Second Step Merger, was converted into the right to receive a share of newly created Fixed-to-Floating Rate Non-Cumulative Perpetual Preferred Stock, Series O or 6.125% Fixed-Rate Reset Non-Cumulative Perpetual Preferred Stock, Series P of Capital One.

As of the Closing Date, the fair value of purchase consideration transferred was $51.8 billion. The fair value of total identifiable assets acquired was $168.6 billion, which included $108.2 billion of loans held for investment. The fair value of deposits assumed was $106.9 billion. Our results of operations for the year ended December 31, 2025 reflect the activity of Discover’s acquired business operations for the period since the Closing Date. See “Part II—Item 8. Financial Statements and Supplementary Data—Note 2—Business Combinations and Discontinued Operations” for additional information.

On November 24, 2025, we completed the sale of the Discover Home Loan Business. See “Part II—Item 8. Financial Statements and Supplementary Data—Note 2—Business Combinations and Discontinued Operations” for additional information.

Agreement to Acquire Brex

On January 22, 2026, Capital One Financial Corporation entered into an Agreement and Plan of Merger and Reorganization (the “Brex Merger Agreement”) with Brex Inc., a Delaware corporation (“Brex”), and certain other parties thereto, pursuant to which, upon the terms and subject to the conditions set forth therein, the Company will acquire Brex (the “Brex Transaction”). The completion of the Brex Transaction is subject to the satisfaction of customary closing conditions, including clearance under the Hart-Scott-Rodino Antitrust Improvements Act of 1976, as amended.

Pursuant to the terms and subject to the conditions set forth in the Brex Merger Agreement, the Company will acquire the outstanding equity of Brex for $5.15 billion in aggregate consideration, subject to certain adjustments described in the Brex Merger Agreement, consisting of approximately $2.58 billion in cash and approximately 10.6 million shares of common stock of Capital One.

Table of Contents

Additional Information

Our common stock trades on the New York Stock Exchange (“NYSE”) under the symbol “COF” and is included in the Standard & Poor’s (“S&P”) 100 Index. We maintain a website at www.capitalone.com. Documents available under “Governance & Leadership” in the Investor Relations section of our website include:

•our Certificate of Incorporation, Bylaws, Corporate Governance Guidelines and Code of Conduct; and

•charters for the Audit, Compensation, Governance and Nominating and Risk Committees of the Board of Directors.

These documents also are available in print to any stockholder who requests a copy. We intend to disclose any future amendments to, or waivers from, our Code of Conduct on the website following the date of any such amendment or waiver.

In addition, we make available free of charge through our website all of our U.S. Securities and Exchange Commission (“SEC”) filings, including our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to those reports filed or furnished pursuant to Section 13(a) or 15(d) of the Exchange Act, as soon as reasonably practicable after electronically filing or furnishing such material to the SEC at www.sec.gov. We also routinely post financial and other information, which could be deemed to be material to investors, on our investor relations website. The content of any of our websites referred to in this Report is not incorporated by reference into this Report or any other filings with the SEC.

Table of Contents

OPERATIONS AND BUSINESS SEGMENTS

Our consolidated total net revenues are derived primarily from lending to consumer and commercial customers net of funding costs associated with our deposits, long-term debt and other borrowings. We also earn non-interest income which primarily consists of discount and interchange income, net of reward expenses, and service charges and other customer-related fees. Our expenses primarily consist of the provision for credit losses, operating expenses, marketing expenses and income taxes.

Our principal operations are organized for management reporting purposes into three major business segments, which are defined primarily based on the products and services provided or the types of customers served: Credit Card, Consumer Banking and Commercial Banking. The operations of acquired businesses have been integrated into or managed as a part of our existing business segments. Certain activities that are not part of a business segment are included in the Other category, such as the management of our corporate investment portfolio and asset/liability positions performed by our centralized Corporate Treasury group and any residual tax expense or benefit beyond what is assessed to our business segments in order to arrive at the consolidated effective tax rate. The Other category also includes unallocated corporate expenses that do not directly support the operations of the business segments or for which the business segments are not considered financially accountable in evaluating their performance, such as certain restructuring charges, integration expenses and certain liabilities incurred by Discover ahead of the Transaction.

•Credit Card: Consists of our domestic consumer card lending, personal loans, domestic small business card lending and international card businesses in the U.K. and Canada.

•Consumer Banking: Consists of our deposit gathering and lending activities for consumers and small businesses, national auto lending and services offered by the Global Payment Network.

•Commercial Banking: Consists of our lending, deposit gathering, capital markets and treasury management services to commercial real estate and commercial and industrial customers. Our customers typically include companies with annual revenues between $20 million and $2 billion.

The results related to the acquired Home Loan business have been reflected as discontinued operations. As such, the related results have been excluded from continuing operations and business segment result.

Customer usage and payment patterns, estimates of future expected credit losses, levels of marketing expense and operating efficiency all affect our profitability. In our Credit Card business, we generally experience fluctuations in purchase volume and the level of outstanding loan receivables from seasonal variances in consumer spending and payment patterns which, for example, have historically been the highest around the winter holiday season. Net charge-off rates for our credit card loan portfolio have historically exhibited seasonal patterns as well and generally tend to be the highest in the first quarter of the year.

The Global Payment Network earns fees, which are paid by network participants (primarily acquirers, merchants and issuers), for transactions on the Global Payment Network. Additionally, for transactions on Bank-issued credit and debit cards processed on the Global Payment Network, a portion of the amount that merchants pay to the Global Payment Network is passed through to the Bank. The Bank is also an issuer of credit and debit cards that use other networks, and for these cards the Bank earns interchange fees, which are paid by merchants, when customers use its cards.

For additional information on our business segments, including the financial performance of each business, see “Part II—Item 7. MD&A—Executive Summary,” “Part II—Item 7. MD&A—Business Segment Financial Performance” and “Part II—Item 8. Financial Statements and Supplementary Data—Note 18—Business Segments and Revenue from Contracts with Customers” of this Report.

Table of Contents

COMPETITION

Each of our business segments operates in a highly competitive environment, and we face competition in all aspects of our business from numerous bank and non-bank providers of financial services.

Our Credit Card business competes with international, national, regional and local issuers of Visa® and Mastercard® credit cards, as well as with American Express®, private-label card brands and, to a certain extent, issuers of debit cards. In general, customers are attracted to credit card issuers largely on the basis of price, credit limit, reward programs, customer experience and other product features.

Our Consumer Banking and Commercial Banking businesses compete with national, state and direct banks as well as with savings and loan associations and credit unions for loans and deposits. Our competitors also include automotive finance companies, commercial banking companies and other financial services providers that provide loans, deposits, and other similar services and products. In addition, we compete against non-bank institutions that are able to offer these products and services. As a result of our recent acquisition of the Global Payment Network, we now compete in the global payments industry, both with traditional competitors and new, emerging alternative payment providers.

We also consider new and emerging companies in digital and mobile payments and other financial technology providers among our competitors. We compete with many forms of payment mechanisms, including a variety of new and evolving alternative payment mechanisms, systems and products, offered by both bank and non-bank providers.

Our businesses generally compete on the basis of the quality and range of their products and services, transaction execution, innovation and price, and, with respect to our payment network businesses, the strength, reach, pricing and capabilities of our network offerings to merchants, acquirers and issuers. Competition varies based on the types of clients, customers, industries and geographies served. Our ability to compete depends, in part, on our ability to attract and retain our associates and on our reputation as well as our ability to keep pace with innovation, in particular in the development of new technology platforms. There can be no assurance, however, that our ability to market products and services successfully or to obtain adequate returns on our products and services will not be impacted by the nature of the competition that now exists or may later develop, or by the broader economic environment. For a discussion of the risks related to our competitive environment, see “Item 1A. Risk Factors.”

SUPERVISION AND REGULATION

General

The regulatory framework applicable to banking organizations is intended primarily for the protection of depositors and the stability of the U.S. financial system, rather than for the protection of stockholders and creditors.

As a banking organization, we are subject to extensive regulation and supervision by U.S. federal and state laws, as well as the applicable laws of the jurisdictions outside the U.S. in which we do business. In addition to banking laws and regulations, we are subject to various other laws and regulations, all of which directly or indirectly affect our operations, management and ability to make distributions to stockholders. We and our subsidiaries are also subject to supervision and examination by multiple regulators. In addition to laws and regulations, regulatory agencies may issue policy statements, interpretive letters and similar written guidance applicable to us and our subsidiaries. Any change in the statutes, regulations or regulatory policies applicable to us, including changes in their interpretation or implementation, could have a material effect on our business or organization.

The descriptions below summarize certain significant federal and state laws, as well as international laws, to which we are subject. The descriptions are qualified in their entirety by reference to the particular statutory or regulatory provisions summarized. They do not summarize all possible or proposed changes in current laws or regulations and are not intended to be a substitute for the related statutes or regulatory provisions.

Prudential Regulation of Banking

Capital One Financial Corporation is a bank holding company (“BHC”) and a financial holding company (“FHC”) under the Bank Holding Company Act of 1956, as amended (“BHC Act”), and is subject to the requirements of the BHC Act, including approval requirements for investments in or acquisitions of banking organizations, capital adequacy standards and limitations

Table of Contents

on non-banking activities. As a BHC and FHC, we are subject to supervision, examination and regulation by the Board of Governors of the Federal Reserve System (“Federal Reserve”). Permissible activities for a BHC include those activities that are so closely related to banking as to be a proper incident thereto. In addition, an FHC is permitted to engage in activities considered to be financial in nature (including, for example, securities underwriting and dealing and merchant banking activities), incidental to financial activities or, if the Federal Reserve determines that they pose no risk to the safety or soundness of depository institutions or the financial system in general, activities complementary to financial activities.

To become and remain eligible for FHC status, a BHC and its subsidiary depository institutions must meet certain criteria, including capital, management and Community Reinvestment Act (“CRA”) requirements. Failure to meet such criteria could result, depending on which requirements were not met, in restrictions on new financial activities or acquisitions or being required to discontinue existing activities that are not generally permissible for BHCs.

The Bank is a national association chartered under the National Bank Act, the deposits of which are insured by the Federal Deposit Insurance Corporation (“FDIC”) up to applicable limits. The Bank is subject to comprehensive regulation and periodic examination by the Office of the Comptroller of the Currency (“OCC”), the FDIC and the Consumer Financial Protection Bureau (“CFPB”).

We also are registered as a financial institution holding company under the laws of the Commonwealth of Virginia and, as such, we are subject to periodic examination by the Virginia Bureau of Financial Institutions.

We also face regulation in the international jurisdictions in which we conduct business. The Bank is subject to laws and regulations in foreign jurisdictions where it operates, currently in the U.K. and Canada. In the U.K., the Bank operates through COEP, an authorized payment institution regulated by the Financial Conduct Authority (“FCA”). COEP’s parent, Capital One Global Corporation, is wholly owned by the Bank and is subject to regulation by the Federal Reserve as an “agreement corporation” under the Federal Reserve’s Regulation K. COEP does not take deposits. In Canada, the Bank operates as an authorized foreign bank and is permitted to conduct its credit card business in Canada through its Canadian branch, Capital One Bank (Canada Branch) (“Capital One Canada”). Capital One Canada does not take deposits. The primary regulators of Capital One Canada are the Office of the Superintendent of Financial Institutions (“OSFI”) and the Financial Consumer Agency of Canada (“FCAC”). Non-bank subsidiaries are subject to regulation in foreign jurisdictions, including licensing and registration requirements.

The foreign legal and regulatory requirements to which the Company’s non-U.S. operations are subject include, among others, those related to consumer protection, business practices and limits on interchange fees. For more information on foreign regulatory activity concerning interchange fees, please see “Item 1A. Risk Factors” under the heading “Our business, financial condition and results of operations may be adversely affected by legislation, regulation and merchants’ efforts to reduce the fees (including the interchange component) charged by credit and debit card networks and acquirers to facilitate card transactions.”

Capital and Stress Testing Regulation

The Company and the Bank are subject to capital adequacy guidelines adopted by the Federal Reserve and OCC, respectively. For a further discussion of the capital adequacy guidelines, see “Part II—Item 7. MD&A—Capital Management” and “Part II—Item 8. Financial Statements and Supplementary Data—Note 12—Regulatory and Capital Adequacy.”

Basel III and U.S. Capital Rules

The Company and the Bank are subject to the regulatory capital requirements established by the Federal Reserve and the OCC, respectively (“Basel III Capital Rules”). The Basel III Capital Rules implement certain capital requirements published by the Basel Committee on Banking Supervision (“Basel Committee”), along with certain provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act”) and other capital provisions.

As a BHC with total consolidated assets of at least $250 billion but less than $700 billion and not exceeding any of the applicable risk-based thresholds, the Company is a Category III institution under the Basel III Capital Rules.

The Bank, as a subsidiary of a Category III institution, is a Category III bank. Moreover, the Bank, as an insured depository institution, is subject to prompt corrective action (“PCA”) capital regulations, as described below.

Table of Contents

Under the Basel III Capital Rules, we must maintain a minimum common equity Tier 1 (“CET1”) capital ratio of 4.5%, a Tier 1 capital ratio of 6.0% and a total capital ratio of 8.0%, in each case in relation to risk-weighted assets. In addition, we must maintain a minimum leverage ratio of 4.0% and a minimum supplementary leverage ratio of 3.0%. We are also subject to the capital conservation buffer requirement and countercyclical capital buffer requirement, each as described below. Our capital and leverage ratios are calculated based on the Basel III standardized approach framework.

We have elected to exclude certain elements of accumulated other comprehensive income (“AOCI”) from our regulatory capital as permitted for a Category III institution. See “Basel III Finalization Proposal” below for information on the recognition of AOCI in regulatory capital under the proposed changes to the Basel III Capital Rules.

Global systemically important banks (“G-SIBs”) that are based in the U.S. are subject to an additional CET1 capital requirement known as the “G-SIB Surcharge.” We are not a G-SIB based on the most recent available data and thus we are not subject to a G-SIB Surcharge.

Capital Buffer Requirements

The Basel III Capital Rules require banking institutions to maintain a capital conservation buffer, composed of CET1 capital, above the regulatory minimum ratios. Under the Federal Reserve’s stress capital buffer rule (“Stress Capital Buffer Rule”), the Company’s “standardized approach capital conservation buffer” includes its stress capital buffer requirement (as described below), any G-SIB Surcharge (which is not applicable to us) and the countercyclical capital buffer requirement (which is currently set at 0%). Any determination to increase the countercyclical capital buffer applicable to the Company generally would be effective twelve months after the announcement of such an increase, unless the Federal Reserve sets an earlier effective date.

The Company’s stress capital buffer requirement is recalibrated every year based on the Company’s supervisory stress test results unless otherwise determined by the Federal Reserve, as discussed below. In particular, the Company’s stress capital buffer requirement equals, subject to a floor of 2.5%, the sum of (i) the difference between the Company’s starting CET1 capital ratio and its lowest projected CET1 capital ratio under the severely adverse scenario of the Federal Reserve’s supervisory stress test plus (ii) the ratio of the Company’s projected four quarters of common stock dividends (for the fourth to seventh quarters of the planning horizon) to the projected risk-weighted assets for the quarter in which the Company’s projected CET1 capital ratio reaches its minimum under the supervisory stress test.

Based on the Company’s 2025 supervisory stress test results, the Company’s stress capital buffer requirement for the period beginning on October 1, 2025 through September 30, 2026 is 4.5%. On February 4, 2026, the Federal Reserve notified all participating firms, including the Company, that because the Stress Testing Transparency Proposal (defined below) remains subject to public comment, the Federal Reserve is maintaining stress capital buffer requirements for all such firms at their current levels. Consequently, absent further action from the Federal Reserve, the Company’s stress capital buffer requirement will remain at 4.5% until September 30, 2027. Accordingly, the Company’s minimum capital requirements plus the standardized approach capital conservation buffer for CET1 capital, Tier 1 capital and total capital ratios under the stress capital buffer framework are 9.0%, 10.5% and 12.5%, respectively, for the period from October 1, 2025 through September 30, 2027.

The Stress Capital Buffer Rule does not apply to the Bank. Pursuant to the OCC’s capital regulations, which are only applicable to the Bank, the capital conservation buffer for the Bank continues to be fixed at 2.5%. The Bank is also subject to the countercyclical capital buffer requirement (which is currently set at 0%). Any determination to increase the countercyclical capital buffer applicable to the Bank generally would be effective twelve months after the announcement of such an increase, unless the OCC sets an earlier effective date. Accordingly, the Bank’s minimum capital requirements plus its capital conservation buffer for CET1 capital, Tier 1 capital and total capital ratios are 7.0%, 8.5% and 10.5%, respectively. See “Part II—Item 7. MD&A—Capital Management” and “Part II—Item 8. Financial Statements and Supplementary Data—Note 12—Regulatory and Capital Adequacy” for additional information.

If the Company or the Bank fails to maintain its capital ratios above the minimum capital requirements plus the applicable capital conservation buffer requirements, it will face increasingly strict automatic limitations on capital distributions and discretionary bonus payments to certain executive officers.

In April 2025, the Federal Reserve issued a notice of proposed rulemaking to amend the calculation of the stress capital buffer requirement (the “SCB Averaging Proposal”). The proposal would average stress test results over two consecutive years for purposes of determining the stress capital buffer requirement. The proposal would also shift the annual effective date of the stress capital buffer requirement from October 1 to January 1. The proposal has not yet been finalized, and our stress capital

Table of Contents

buffer requirement disclosed above has been calculated under the current framework and does not reflect the proposed averaging.

See also “Capital Planning and Stress Testing” below for more information about the stress capital buffer determination process.

Market Risk Rule

The “Market Risk Rule” supplements the Basel III Capital Rules by requiring institutions subject to the rule to adjust their risk-based capital ratios to reflect the market risk in their trading book. The Market Risk Rule generally applies to institutions with aggregate trading assets and liabilities equal to 10% or more of total assets or $1 billion or more. As of December 31, 2025, the Company and the Bank are subject to the Market Risk Rule. See “Part II—Item 7. MD&A—Market Risk Profile” for additional information.

Basel III Finalization Proposal

In July 2023, the Federal Reserve, OCC and the FDIC (collectively, the “Federal Banking Agencies”) released a notice of proposed rulemaking (“Basel III Finalization Proposal”) to revise the Basel III Capital Rules applicable to banking organizations with total assets of $100 billion or more and their subsidiary depository institutions, including the Company and the Bank.

The Basel III Finalization Proposal would introduce a new framework for calculating risk-weighted assets (“Expanded Risk-Based Approach”). An institution subject to the proposal would be required to calculate its risk-weighted assets under both the Expanded Risk-Based Approach and the existing Basel III standardized approach and, for each risk-based capital ratio, would be bound by the calculation that produces the lower ratio. All capital buffer requirements, including the stress capital buffer requirement, would apply regardless of whether the Expanded Risk-Based Approach or the existing Basel III standardized approach produces the lower ratio. The proposal would also replace the existing approach for calculating market risk with a new approach based on both internal models and standardized methodologies.

The Basel III Finalization Proposal would also make certain changes to the calculation of regulatory capital for Category III and IV institutions. Under the proposal, these institutions would be required to begin recognizing certain elements of AOCI in CET1 capital, including unrealized gains and losses on available for sale securities. The proposal would also generally reduce the threshold above which these institutions must deduct certain assets from their CET1 capital, including certain deferred tax assets, mortgage servicing assets and investments in unconsolidated financial institutions.

The Basel III Finalization Proposal includes a three-year transition period over which risk-weighted assets calculated under the Expanded Risk-Based Approach and the recognition of AOCI in CET1 capital would be phased in.

The Federal Banking Agencies have indicated an intent to repropose the Basel III Finalization Proposal. It is uncertain if and when a reproposal will be issued, and if so, whether and to what extent it will differ from the original Basel III Finalization Proposal. As a result, the timing and content of any final rule, and the potential effects of any final rule on the Company and the Bank, remain uncertain.

FDICIA and Prompt Corrective Action

The Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”) requires the Federal Banking Agencies to take PCA for banks that do not meet minimum capital requirements. FDICIA establishes five capital ratio levels: well capitalized; adequately capitalized; undercapitalized; significantly undercapitalized; and critically undercapitalized. The three undercapitalized categories are based upon the amount by which a bank falls below the ratios applicable to an adequately capitalized institution. The capital categories relate to FDICIA’s PCA provisions, and such capital categories may not constitute an accurate representation of the Bank’s overall financial condition or prospects.

For an insured depository institution to be well capitalized, it must maintain a total risk-based capital ratio of 10% or more; a Tier 1 capital ratio of 8% or more; a CET1 capital ratio of 6.5% or more; and a leverage ratio of 5% or more. An adequately capitalized depository institution must maintain a total risk-based capital ratio of 8% or more; a Tier 1 capital ratio of 6% or more; a CET1 capital ratio of 4.5% or more; a leverage ratio of 4% or more; and, for Category III and certain other institutions, a supplementary leverage ratio of 3% or more. The PCA provisions also authorize the Federal Banking Agencies to reclassify a bank’s capital category or take other action against banks that are determined to be in an unsafe or unsound condition or to have engaged in unsafe or unsound banking practices.

Table of Contents

Capital Planning and Stress Testing

Under the Federal Reserve’s capital plan rule, a covered company, such as the Company, must submit a capital plan to the Federal Reserve on an annual basis that contains a description of all planned capital actions, including dividends or stock repurchases, over a nine-quarter planning horizon beginning with the first quarter of the calendar year the capital plan is submitted.

Pursuant to the capital plan rule, the Company must file its capital plan with the Federal Reserve by April 5 of each year (unless the Federal Reserve designates a later date), using data as of the end of the prior calendar year. The Federal Reserve will release the results of the supervisory stress test and notify the Company of its preliminary stress capital buffer requirement by June 30 of that year, and final stress capital buffer requirement by August 31 of that year. The Company’s final stress capital buffer requirement will be effective from October 1 of the year in which the capital plan is submitted through September 30 of the following year. In April 2025, the Federal Reserve issued the SCB Averaging Proposal. For more information on the SCB Averaging Proposal, please see “Capital Buffer Requirements.”

As a general matter, the Company may make capital distributions in excess of those included in its capital plan without the prior approval of the Federal Reserve so long as the Company is otherwise in compliance with the capital rule’s automatic limitations on capital distributions. However, as described below, in the event a capital plan resubmission is required, all capital distributions would be subject to the prior approval of the Federal Reserve.

The Federal Reserve’s capital plan rule further provides that if a covered company determines there has been or will be a material change in its risk profile, financial condition, or corporate structure since it last submitted its capital plan, it must update and resubmit its capital plan within 30 calendar days, subject to a potential 60-day extension.

We are also subject to supervisory and company-run stress testing requirements (also known as the Dodd-Frank Act stress tests (“DFAST”)). DFAST is a forward-looking exercise conducted by the Federal Reserve and each covered company to help assess whether a company has sufficient capital to absorb losses and continue operations during adverse economic conditions. In particular, the Federal Reserve is required to conduct annual stress tests on certain covered companies, including us, to ensure that the covered companies have sufficient capital to absorb losses and continue operations during adverse economic conditions, as well as to determine the Company’s stress capital buffer requirement as described above. As a Category III institution, we are also required to conduct company-run stress tests and publish the results of such tests on our website or other public forum on a biennial basis. Under the OCC’s stress test rule, a bank with at least $250 billion in assets, including the Bank, must conduct its own company-run stress tests. The Bank must also disclose the results of its stress test on a biennial basis.

In October 2025, the Federal Reserve proposed revisions to its supervisory stress testing framework. The first proposal included requirements for the Federal Reserve to annually disclose its supervisory stress test models and provide a formal public comment period on material changes to these models and the design of annual stress test scenarios, as well as shifting the “as of” or “jump-off” date of the stress test data from December 31 to September 30 (the “Stress Testing Transparency Proposal”). The second proposal requested comment on the specific supervisory stress test scenarios proposed to be used in the 2026 stress test cycle.

Funding and Dividends from Subsidiaries

Dividends from the Company’s direct and indirect subsidiaries represent a major source of the funds we use to pay dividends on our capital stock, make payments on our corporate debt securities and meet our other obligations. There are various federal law limitations on the extent to which the Bank can finance or otherwise supply funds to the Company through dividends and loans. These limitations include minimum regulatory capital and capital buffer requirements, federal banking law requirements concerning the payment of dividends out of net profits or surplus, provisions of Sections 23A and 23B of the Federal Reserve Act and Regulation W governing transactions between an insured depository institution and its affiliates, as well as general federal regulatory oversight to prevent unsafe or unsound practices. In general, federal and applicable state banking laws prohibit insured depository institutions, such as the Bank, from making dividend distributions without first obtaining regulatory approval if such distributions are not paid out of available earnings or would cause the institution to fail to meet applicable capital adequacy standards.

Table of Contents

Liquidity Regulation

The Company and the Bank are subject to minimum liquidity standards as adopted by the Federal Reserve and OCC, respectively. For a further discussion of the minimum liquidity standards, see “Part II—Item 7. MD&A—Liquidity Risk Profile.”

The Basel Committee has published a liquidity framework that includes two standards for liquidity risk supervision. One standard, the liquidity coverage ratio (“LCR”), seeks to promote short-term resilience by requiring organizations to hold sufficient high-quality liquid assets (“HQLAs”) to survive a stress scenario lasting for 30 days. The other standard, the net stable funding ratio (“NSFR”), seeks to promote longer-term resilience by requiring sufficient stable funding over a one-year period based on the liquidity characteristics of the organization’s assets and activities.

The Company and the Bank are subject to the LCR standard as implemented by the Federal Reserve and OCC, respectively (“LCR Rule”). The LCR Rule requires both the Company and the Bank to hold an amount of eligible HQLA that equals or exceeds 100% of its respective projected adjusted net cash outflows over a 30-day period, each as calculated in accordance with the LCR Rule. The LCR Rule requires both the Company and the Bank to calculate its respective LCR daily. In addition, the Company is required to make quarterly public disclosures of its LCR and certain related quantitative liquidity metrics, along with a qualitative discussion of its LCR.

As a Category III institution with less than $75 billion in weighted average short-term wholesale funding, the Company’s and the Bank’s total net cash outflows are multiplied by an outflow adjustment percentage of 85%. Although the Bank may hold more HQLA than it needs to meet its LCR requirements, the LCR Rule restricts the amount of such excess HQLA held at the Bank (referred to as “Trapped Liquidity”) that can be included in the Company’s HQLA amount. Because we typically manage the Bank’s LCR to levels well above 100%, the result is additional Trapped Liquidity as the Bank’s net cash outflows are reduced by the outflow adjustment percentage of 85%.

The Company and the Bank are subject to the NSFR standard as implemented by the Federal Reserve and OCC, respectively (“NSFR Rule”). The NSFR Rule requires each of the Company and the Bank to maintain an amount of available stable funding, which is a weighted measure of a company’s funding sources over a one-year time horizon, calculated by applying standardized weightings to equity and liabilities based on their expected stability, that is no less than a specified percentage of its required stable funding, which is calculated by applying standardized weightings to assets, derivatives exposures and certain other items based on their liquidity characteristics. As a Category III institution, the Company and the Bank are each required to maintain available stable funding in an amount at least equal to 85% of its required stable funding. The Company is required to make public disclosures of its NSFR every second and fourth quarter, including certain quantitative metrics and a qualitative discussion of its NSFR drivers and results.

In addition to the LCR and NSFR requirements discussed above, the Company is required to meet liquidity risk management standards, conduct internal liquidity stress tests and maintain a 30-day buffer of highly liquid assets, in each case, consistent with Federal Reserve regulations.

Deposit Funding and Brokered Deposits

Under FDICIA, only well capitalized and adequately capitalized institutions may accept “brokered deposits,” as defined by FDIC regulations. Adequately capitalized institutions, however, must obtain a waiver from the FDIC before accepting brokered deposits, and such institutions may not pay rates that significantly exceed the rates paid on deposits of similar maturity obtained from the institution’s normal market area or, for deposits obtained from outside the institution’s normal market area, the national rate on deposits of comparable maturity. See “Part II—Item 7. MD&A—Liquidity Risk Profile” for additional information.

The FDIC is authorized to terminate a bank’s deposit insurance upon a finding by the FDIC that the bank’s financial condition is unsafe or unsound or that the institution has engaged in unsafe or unsound practices or has violated any applicable rule, regulation, order or condition enacted or imposed by the bank’s regulatory agency.

Table of Contents

Resolution and Recovery Planning Requirements and Related Authorities

Resolution and Recovery Planning

The Company is required by Section 165(d) of the Dodd-Frank Act to submit to the Federal Reserve and FDIC every three years a resolution plan for orderly resolution in the event it faces material financial distress or failure, with submissions alternating between a full resolution plan and a targeted resolution plan. In addition, the Company may be required to submit an interim update to its resolution plan upon a joint determination of the Federal Reserve and the FDIC, or following material mergers or acquisitions or fundamental changes to the Company’s resolution strategy. As a result of the Transaction, the Federal Reserve and the FDIC in May 2025 required the Company to file an interim update to its resolution plan by October 1, 2025 and extended the Company’s deadline for the next full resolution submission from October 1, 2025 to July 1, 2026. Following review of a plan, the Federal Reserve and FDIC may jointly determine that a resolution plan is not credible or would not facilitate an orderly resolution under the U.S. Bankruptcy Code. If the Company were to fail to adequately address deficiencies jointly identified by the Federal Reserve and FDIC in a timely manner, it may be subject to more stringent capital, leverage, or liquidity requirements, or restrictions on growth, activities, or operations.

In addition, the Bank, as an insured depository institution, is required by FDIC regulation to submit its own resolution plan to the FDIC. In June 2024, the FDIC issued a final rule amending the resolution plan submission requirements applicable to insured depository institutions with $50 billion or more in total assets, including the Bank. Under the final rule, the Bank is required to submit to the FDIC full resolution plans every three years and interim targeted information between full resolution plan submissions. In addition, under the final rule, the Bank’s resolution plan submissions are subject to more detailed content requirements and a credibility standard for the FDIC’s evaluation of resolution plans, which is enforceable against the Bank.

In addition, the OCC has enforceable guidelines that require banks with assets of $100 billion or more, including the Bank, to develop recovery plans detailing the actions they would take to remain a going concern when they experience considerable financial or non-financial risks but have not deteriorated to the point that resolution is imminent. In October 2025, the OCC proposed to rescind these recovery planning guidelines in their entirety. If adopted as proposed, the Bank would no longer be subject to the guidelines.

Long-Term Debt and Clean Holding Company Proposal

The Federal Banking Agencies have proposed a rule that would require banking organizations with $100 billion or more in total assets, including the Company, to comply with certain long-term debt requirements and so called “clean holding company” requirements that are designed to improve the resolvability of covered organizations (“LTD Proposal”). If adopted as proposed, the LTD Proposal would require the Company and the Bank to each maintain a minimum outstanding eligible long-term debt amount of no less than the greatest of (i) 6% of total risk-weighted assets, (ii) 2.5% of total leverage exposure and (iii) 3.5% of average total consolidated assets. To qualify as eligible long-term debt, a debt instrument would be required to meet the requirements currently applicable under the rules that apply to U.S. G-SIBs, as well as certain additional requirements. Additionally, the clean holding company requirements included in the LTD Proposal would limit or prohibit the Company from entering into certain transactions that could impede its orderly resolution. It is uncertain when or if a final rule will be adopted, and if so, whether and to what extent it will differ from the LTD Proposal. As a result, the timing and content of any final rule, and the potential effects of any final rule on the Company and the Bank, remain uncertain.

Source of Strength

The Federal Reserve’s Regulation Y requires a BHC to serve as a source of financial and managerial strength to its subsidiary banks (this is known as the “source of strength doctrine”). In addition, the Dodd-Frank Act requires a BHC to serve as a source of financial strength to its subsidiary banks and further requires the Federal Banking Agencies to jointly adopt rules implementing this requirement. The Federal Banking Agencies have yet to propose rules as required by the Dodd-Frank Act, but they may do so in the future.

FDIC Orderly Liquidation Authority

The Dodd-Frank Act provides the FDIC with liquidation authority that may be used to liquidate non-bank financial companies and BHCs if the Treasury Secretary, in consultation with the President and based on the recommendation of the Federal Reserve and other appropriate Federal Banking Agencies, determines that doing so is necessary, among other criteria, to mitigate serious adverse effects on U.S. financial stability. Upon such a determination, the FDIC would be appointed receiver and must liquidate a company in a way that mitigates significant risks to financial stability and minimizes moral hazard. The costs of a liquidation of a company would be borne by shareholders and unsecured creditors and then, if necessary, by risk-

Table of Contents

based assessments on large financial companies. The FDIC has issued rules implementing certain provisions of its liquidation authority.

FDIC Deposit Insurance Assessments

The Bank, as an insured depository institution, is a member of the Deposit Insurance Fund (“DIF”) maintained by the FDIC. Through the DIF, the FDIC insures the deposits of insured depository institutions up to prescribed limits for each depositor. The FDIC sets a Designated Reserve Ratio (“DRR”) for the DIF. To maintain the DIF, member institutions may be assessed an insurance premium, and the FDIC may take action to increase insurance premiums if the DRR falls below its required level.

The FDIC, as required under the Federal Deposit Insurance Act, established a plan in September 2020, to restore the DIF reserve ratio to meet or exceed 1.35 percent within eight years. On October 18, 2022, the FDIC finalized a rule that increases the initial base deposit insurance assessment rate schedules by 2 basis points (“bps”) for all insured depository institutions to improve the likelihood that the DIF reserve ratio reaches 1.35 percent by the statutory deadline of September 30, 2028. The rule took effect in January 2023 and this increase was reflected in the Bank’s first quarterly assessment in 2023.

On November 16, 2023, the FDIC finalized a rule to implement a special assessment to recover the loss to the DIF arising from the protection of uninsured depositors in connection with the systemic risk determination announced on March 12, 2023, following the closures of Silicon Valley Bank and Signature Bank. The special assessment base is equal to an insured depository institution’s estimated uninsured deposits reported on its Consolidated Reports of Condition and Income as of December 31, 2022 (“2022 Call Report”), adjusted to exclude the first $5 billion of uninsured deposits. On December 16, 2025, the FDIC issued an interim final rule providing that the FDIC will collect the special assessment over an initial seven quarters of the collection period, which began in the second quarter of 2024, at a quarterly rate of 3.36 basis points and reduce the rate at which the special assessment will be collected in the eighth collection quarter, which will have an invoice payment date of March 30, 2026, to 2.97 basis points. Under the interim final rule, upon termination of the FDIC’s receiverships of Silicon Valley Bank and Signature Bank, the FDIC will either provide an offset to insured depository institutions, if the special assessment amount then-collected exceeds losses, or collect from insured depository institutions a one-time final shortfall special assessment, if losses exceed the special assessment amount then-collected. In addition, the FDIC will provide an offset to regular quarterly deposit insurance assessments for banks subject to the special assessment if, following the final resolution of litigation between the FDIC and SVB Financial Trust, the total amount collected through the special assessment exceeds the loss estimate at that time. For additional information, see “Part II—Item 8. Financial Statements and Supplementary Data—Note 19—Commitments, Contingencies, Guarantees and Others.”

Investment in the Company and the Bank

Certain acquisitions of our capital stock may be subject to regulatory approval or notice under federal or state law. Investors are responsible for ensuring that they do not, directly or indirectly, acquire shares of our capital stock in excess of the amount that can be acquired without regulatory approval, including under the BHC Act and the Change in Bank Control Act (“CIBC Act”).

Federal law and regulations prohibit any person or company from acquiring control of the Company or the Bank without, in most cases, prior written approval of the Federal Reserve or the OCC, as applicable. Control under the BHC Act exists if, among other things, a person or company acquires more than 25% of any class of our voting stock or otherwise has a controlling influence over us. A rebuttable presumption of control arises under the CIBC Act for a publicly traded BHC such as ourselves if a person or company acquires more than 10% of any class of our voting stock.

Additionally, the Bank is a “bank” within the meaning of Chapter 7 of Title 6.2 of the Code of Virginia governing the acquisition of interests in Virginia financial institutions (“Virginia Financial Institution Holding Company Act”). The Virginia Financial Institution Holding Company Act prohibits any person or entity from acquiring, or making any public offer to acquire, control of a Virginia financial institution or its holding company without making application to, and receiving prior approval from, the Virginia Bureau of Financial Institutions.

Transactions with Affiliates

There are various legal restrictions on the extent to which we and our non-bank subsidiaries may borrow or otherwise engage in certain types of transactions with the Bank. Under the Federal Reserve Act and Federal Reserve and OCC regulations, the Bank and its subsidiaries are subject to quantitative and qualitative limits on extensions of credit, purchases of assets and certain other transactions involving non-bank affiliates. In addition, transactions between the Bank and its non-bank affiliates are required to be on arm’s length terms and must be consistent with standards of safety and soundness.

Table of Contents

Volcker Rule

We and each of our subsidiaries, including the Bank, are subject to the “Volcker Rule,” a provision of the Dodd-Frank Act that contains prohibitions on proprietary trading and certain investments in, and relationships with, covered funds (hedge funds, private equity funds and similar funds), subject to certain exemptions, in each case as the applicable terms are defined in the Volcker Rule and the implementing regulations.

Regulation of Business Activities

The business activities of the Company and the Bank, as well as certain of the Company’s non-bank subsidiaries, are subject to regulation and supervision under various other laws and regulations.

Regulation of Consumer Lending Activities

The activities of the Bank as a consumer lender are subject to regulation under various federal laws, including, for example, the Truth in Lending Act (“TILA”), the Equal Credit Opportunity Act, the Fair Credit Reporting Act (“FCRA”), the CRA, the Servicemembers Civil Relief Act and the Military Lending Act, as well as under various state laws. TILA, as amended, and together with its implementing rule, Regulation Z, imposes a number of restrictions on credit card practices impacting rates and fees, requires that a consumer’s ability to pay be taken into account before issuing credit or increasing credit limits, and imposes revised disclosures required for open-end credit.

Depending on the underlying issue and applicable law, regulators may be authorized to impose penalties for violations of these statutes and, in certain cases, to order banks to compensate customers. Borrowers may also have a private right of action for certain violations. Federal bankruptcy and state debtor relief and collection laws may also affect the ability of a bank, including the Bank, to collect outstanding balances owed by borrowers.

Debit Card Interchange Fees

For debit cards issued on networks not owned by the Company, the Bank earns interchange fees when customers use its debit cards to make transactions at merchants. The Bank is subject to the Federal Reserve’s Regulation II (Debit Card Interchange Fees and Routing) for those debit cards issued on networks not owned by the Company, which limits the amount of interchange fees that can be received per debit card transaction by debit card issuers with over $10 billion in assets and places certain prohibitions on payment routing restrictions and network exclusivity.

In 2023, the Federal Reserve proposed, but has not yet finalized, amendments to Regulation II that would lower the cap on debit interchange fees and institute a process for automatically recalculating the debit interchange fee cap every two years based upon a biennial survey of large debit card issuers. Regulation II’s cap on debit interchange fees, including the 2023 proposal, has been challenged in the courts. Changes to, or the invalidity of, Regulation II could result in lower debit card interchange fees issued on four-party networks. For further discussion of Regulation II and related risks for our business, see “Item 1A. Risk Factors” under the heading “Our business, financial condition and results of operations may be adversely affected by legislation, regulation and merchants’ efforts to reduce the fees (including the interchange component) charged by credit and debit card networks and acquirers to facilitate card transactions.”

Payment Card Networks

The Global Payment Network operations are regulated by certain federal and state laws, including banking, payment services, privacy, data protection and data security laws, and are also subject to examination by the Federal Banking Agencies. For example, Regulation II includes a number of requirements for debit cards issued on networks that are not three-party networks, such as certain requirements related to routing and network exclusivity, which apply to certain activities of the Global Payment Networks when third-party issuers issue debit cards on the Global Payment Networks.

In addition, because the Global Payment Network operates internationally, certain subsidiaries through which it operates are subject to government regulation and examination, directly or indirectly, in some countries in which we have operations, or where cards that are accepted on our networks are issued or accepted.

Privacy, Data Protection and Data Security

We are, or may become, subject to a variety of continuously evolving and developing laws and regulations in the United States at the federal, state and local level regarding privacy, data protection and data security, including those related to the collection, storage, handling, use, disclosure, transfer and other processing of personal information. For example, at the federal level, we

Table of Contents

are currently subject to the Gramm-Leach-Bliley Act (“GLBA”) and the FCRA, among other laws and regulations, and expect additional privacy, data protection and data security requirements, including cyber incident reporting requirements, to apply to us as a result of future laws or regulations. This includes, for instance, the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”), which, once rulemaking is complete, will require, among other things, certain companies to report significant cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours from the time the company reasonably believes the incident occurred (and within 24 hours of making a ransom payment as a result of a ransomware attack). Moreover, legislative updates have been proposed, and will likely in the future be proposed, in the U.S. Congress for more comprehensive privacy, data protection and data security legislation, to which we may be subject if passed. At the state level, California has enacted the California Consumer Privacy Act (“CCPA”) and continues to issue regulations thereunder, and various other states also have enacted or are in the process of enacting state-level privacy, data protection and/or data security laws and regulations, with which we may be required to comply. Additionally, the Federal Banking Agencies, as well as the SEC and related self‐regulatory organizations, have issued guidance regarding cybersecurity that is intended to enhance cyber risk management among financial institutions.

The Company also is, or may become, subject to continuously evolving and developing laws and regulations in other jurisdictions regarding privacy, data protection and data security. For example, in Canada we are subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) as well as the provincial privacy laws, and may become subject to additional privacy, data protection and data security laws and regulations in Canada, including those which may differ from PIPEDA and the provincial privacy laws, if passed. In addition, subject to limited exceptions, the European Union (“EU”) General Data Protection Regulation (“EU GDPR”) applies EU data protection laws to certain companies processing personal data of individuals in the European Economic Area, regardless of the company’s location. We also are subject to the U.K. General Data Protection Regulation (“U.K. GDPR”), a version of the EU GDPR as implemented into U.K law. These laws and regulations, and similar laws and regulations in other jurisdictions, impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, security and other processing of personal information, which may have adverse consequences, including significant compliance costs and severe monetary penalties for non-compliance.

For further discussion of privacy, data protection and data security, and related risks for our business, see “Item 1A. Risk Factors” under the headings “We face risks related to our operational, technological and organizational infrastructure,” “A cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions” and “Our required compliance with applicable laws and regulations related to privacy, data protection and data security, in addition to compliance with our own privacy policies and contractual obligations to third parties, may increase our costs, reduce our revenue, increase our legal exposure and limit our ability to pursue business opportunities.”

For further discussion of our cybersecurity risk management, see “Item 1C. Cybersecurity.”

Anti-Money Laundering, Combating the Financing of Terrorism and Economic Sanctions

The Bank Secrecy Act (“BSA”), as amended by the USA PATRIOT Act of 2001 (“Patriot Act”), and its implementing regulations require financial institutions to, among other things, implement a risk-based compliance program reasonably designed to prevent money laundering and to combat the financing of terrorism, including through suspicious activity and currency transaction reporting, the implementation of policies, procedures, and internal controls, record-keeping and customer due diligence.

The Patriot Act provides enhanced information collection tools and enforcement mechanisms to the U.S. government and expanded certain requirements for financial institutions, including due diligence and record-keeping requirements for private banking and correspondent accounts; standards for verifying customer identification at account opening; rules to produce certain records upon request of a regulator or law enforcement agency; and rules to promote cooperation among financial institutions, regulators and law enforcement agencies in identifying parties that may be involved in terrorism, money laundering and other crimes.

The Anti-Money Laundering Act of 2020 (“AML Act”), enacted as part of the National Defense Authorization Act, requires the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) to issue a number of rules that will update and expand the BSA’s regulatory requirements. For example, the AML Act requires FinCEN to issue National Anti-Money Laundering and Countering the Financing of Terrorism Priorities, which the agency did in June 2021, and to conduct studies and issue regulations that may alter some of the due diligence, record-keeping and reporting requirements that the BSA and

Table of Contents

Patriot Act impose on banks. FinCEN has yet to issue most of the implementing regulations required by the AML Act. The AML Act also promotes increased information-sharing and use of technology and increases penalties for violations of the BSA and includes whistleblower incentives, both of which could increase the prospect of regulatory enforcement.

We are also required to comply with sanctions laws and regulations administered and imposed by the United States government, including the U.S. Treasury Department's Office of Foreign Assets Control (“OFAC”) and the Department of State, as well as comparable sanctions programs imposed by foreign governments and multilateral bodies. Sanctions can be either comprehensive or selective and use the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.

Derivatives Activities

Title VII of the Dodd-Frank Act establishes a regulatory framework for the governance of the over-the-counter (“OTC”) derivatives market, including swaps and security-based swaps and requires the registration of certain market participants as swap dealers or security-based swap dealers. The Bank is registered with the Commodity Futures Trading Commission (“CFTC”) as a swap dealer. Registration as a swap dealer subjects the Bank to additional regulatory requirements with respect to its swaps and other derivatives activities. As a result of the Bank’s swap dealer registration, it is subject to the rules of the OCC concerning capital and margin requirements for swap dealers, including the mandatory exchange of variation margin and initial margin with certain counterparties. Additionally, as a registered swap dealer, the Bank is subject to requirements under the CFTC’s regulatory regime, including rules regarding business conduct standards, recordkeeping obligations, regulatory reporting and procedures relating to swaps trading. The Bank’s swaps and other derivatives activities do not require it to register with the SEC as a security-based swap dealer.

Broker-Dealer Activities

Certain of our non-bank subsidiaries are subject to regulation and supervision by various federal and state authorities. Capital One Securities, Inc., KippsDeSanto & Company and TripleTree, LLC are registered broker-dealers regulated by the SEC and the Financial Industry Regulatory Authority (“FINRA”). These broker-dealer subsidiaries are subject to, among other things, net capital rules designed to measure the general financial condition and liquidity of a broker-dealer. Under these rules, broker-dealers are required to maintain the minimum net capital deemed necessary to meet their continuing commitments to customers and others, and to keep a substantial portion of their assets in relatively liquid form. These rules also limit the ability of a broker-dealer to transfer capital to its parent companies and other affiliates. Broker-dealers are also subject to regulations covering their business operations, including sales and trading practices, public and private offerings, publication of research reports, use and safekeeping of client funds and securities, capital structure, record-keeping and the conduct of directors, officers and employees.

Climate-related Developments

Climate change and the risks it may pose to financial institutions are areas of focus by various legislative bodies and regulators. In the future, new laws, regulations or guidance may be issued, or other regulatory or supervisory actions may be taken in this area by regulatory agencies. For more information, please see “Item 1A. Risk Factors” under the heading “Climate change manifesting as physical or transition risks could adversely affect our businesses, operations and customers and result in increased costs.”

Table of Contents

HUMAN CAPITAL RESOURCES

Our human capital practices are designed to develop a collaborative work environment while rewarding employees based on the merit of their work. We prioritize employee recruitment, development, recognition and retention. As of December 31, 2025, Capital One had approximately 76,300 employees worldwide, whom we refer to as “associates.” The following disclosures provide information on our human capital resources, including certain human capital objectives and measures that we focus on in managing our business.

Governance of Human Capital

Our Board of Directors oversees our human capital management, including strategies, policies and practices, and is assisted by our Board’s Compensation Committee and Governance and Nominating Committee. Our Executive Committee, a committee of senior management which includes our Chief Human Resources Officer, advises, assists and makes recommendations to our Chief Executive Officer (“CEO”) and Board of Directors on human capital matters such as human resource practices and programs, including general employee benefits and compensation programs.

Hiring, Developing and Retaining

We employ a comprehensive people strategy that includes significant investments in recruiting and associate development in order to attract and retain top talent from all backgrounds. We recruit through a variety of channels, including professional partnerships, job fairs, online platforms and on-campus recruiting, among others. Investment in associate training and professional development is important to maintaining our talent competitiveness. Our internal enterprise learning and development team blends multiple approaches to learning to support associate development across lines of business, levels and roles, including online and live classroom training. In addition to formal programming provided by learning professionals, including regulatory compliance, role-specific topics and others, our peer-to-peer learning strategy allows associates to be both learners and teachers, further enhancing a culture of learning. We also focus on cultivating talent with leadership development courses, cohort-based programs, network building and coaching, open to all associates.

On a quarterly basis, we review our ability to attract and retain talent. Each line of business and staff group reviews hiring, tenure and attrition metrics as part of this assessment, and they implement risk mitigation plans when needed.

Compensation and Wellness

We appreciate the importance of a competitive total compensation package to attract and retain great talent. Our benefits, including competitive parental leave, on-site health centers, company contributions to associates’ 401(k) plans, educational assistance and other health, wellness and financial benefits are designed to support our associates’ wellbeing inside and outside of the workplace. Furthermore, pay equity is an important element of our pay philosophy. We evaluate base pay and incentive pay for all of our associates globally, at least annually. We review groups of associates in similar roles, adjusting for factors that appropriately explain differences in pay such as job location and experience.

Communication and Connection

We communicate with our associates regularly to better understand their perspectives. To assess and improve associate retention and engagement, the Company surveys associates on a periodic basis with the assistance of third-party consultants and takes actions to address various areas of associate concern. We encourage full participation and use the results to effect change and promote transparency.

TECHNOLOGY AND INTELLECTUAL PROPERTY

Technology/Systems

We leverage information and technology to achieve our business objectives and to develop and deliver products and services. A key part of our strategic focus is the development and use of efficient, flexible computer and operational systems, such as cloud or artificial intelligence (“AI”) technologies. We believe that the continued adoption, development and integration of these technologies is an important part of our efforts to reduce costs, improve quality and security and provide faster, more flexible technology services. Consequently, we frequently consider our capabilities and develop or acquire systems, processes and competencies to meet our business requirements or objectives.

Table of Contents

As part of our frequent consideration of our technologies, we may either develop such capabilities internally, or rely on third-party service providers who have the ability to deliver technology that is of higher quality, lower cost, or both. We continue to rely on third-party service providers to help us deliver systems and operational infrastructure. These relationships include, but are not limited to: Amazon Web Services, Inc. (“AWS”) for our cloud infrastructure, Total System Services LLC (“TSYS”) for consumer and commercial credit card processing services for our North American and U.K. portfolios and Fidelity Information Services (“FIS”) for certain of our banking systems. Certain of the acquired Discover businesses, including the Global Payment Network, are processed through a combination of data centers and the use of third-party vendors.

We are committed to implementing safeguards designed to protect our customers’ information, as well as our own information and technology. For additional information on our risks associated with cybersecurity and our use of technology systems and our management of these risks, please see “Item 1A. Risk Factors” under the headings “A cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions” and “We face risks related to our operational, technological and organizational infrastructure” and “Item 1C. Cybersecurity.”

Intellectual Property and Other Proprietary Information

As part of our overall and ongoing strategy to protect and enhance our intellectual property rights, we rely on a variety of protections, including copyrights, trademarks, trade secrets, patents and certain restrictions on disclosure, solicitation and competition. We also undertake other measures to control access to, or distribution of, our other proprietary and confidential information. Any patents we may obtain may increase our competitive advantage, protect our investments in commercializing our technology, preserve our freedom to operate, and allow us to enter into licensing (e.g., cross-licenses) or other arrangements with third parties. For a discussion of risks associated with intellectual property, see “Item 1A. Risk Factors” under the heading “If we are not able to protect our intellectual property rights, or we violate third-party intellectual property rights, our revenue and profitability could be negatively affected.”

FORWARD-LOOKING STATEMENTS

From time to time, we have made and will make forward-looking statements, including those that discuss, among other things: strategies, goals, outlook or other non-historical matters; projections, revenues, income, returns, expenses, assets, liabilities, capital and liquidity measures, capital allocation plans, accruals for claims in litigation and for other claims against us; earnings per share, efficiency ratio, operating efficiency ratio or other financial measures for us; future financial and operating results; our plans, objectives, expectations and intentions; and the assumptions that underlie these matters.

To the extent that any such information is forward-looking, it is intended to fit within the safe harbor for forward-looking information provided by the Private Securities Litigation Reform Act of 1995.

Forward-looking statements often use words such as “will,” “anticipate,” “target,” “expect,” “think,” “estimate,” “intend,” “plan,” “goal,” “believe,” “forecast,” “outlook” or other words of similar meaning. Any forward-looking statements made by us or on our behalf speak only as of the date they are made or as of the date indicated, and we do not undertake any obligation to update forward-looking statements as a result of new information, future events or otherwise. For additional information on factors that could materially influence forward-looking statements included in this Report, see the risk factors set forth under “Item 1A. Risk Factors.” You should carefully consider the factors discussed below, and in our Risk Factors or other disclosures, in evaluating these forward-looking statements.

Numerous factors could cause our actual results to differ materially from those described in such forward-looking statements, including, among other things:

Table of Contents

•risks related to the integration of the Transaction, including our ability to successfully integrate our businesses, incur substantial expenses related to the Transaction and to the integration of Discover, and the expenses may be greater than anticipated due to factors, some or all of which may be outside our control; our ability to realize all of the anticipated benefits of the Transaction, or those benefits may take longer to realize than expected due to factors that may be outside our control; the integration of Discover may have an adverse effect on our business and results of operations due to the diversion of a substantial portion of the time and attention of our management team; potential employee attrition; and other factors that may affect our future results;

•changes and instability in the macroeconomic environment, resulting from factors that include, but are not limited to monetary, fiscal and trade policy actions such as tariffs, geopolitical conflicts or instability, such as the war in Ukraine, the ongoing conflict in the Middle East and the political instability in Venezuela, labor shortages, government shutdowns, inflation and deflation, potential recessions, technology-driven disruption of certain industries, adverse developments impacting the U.S. or global banking industry, immigration policies, lower demand for credit, changes in deposit practices and payment patterns;

•fluctuations in interest rates;

•our ability to maintain adequate sources of funding and liquidity to operate our business;

•increases in credit losses and delinquencies and the impact of incorrectly estimated expected losses, which could result in inadequate reserves;

•our ability to maintain adequate capital or liquidity levels or to comply with revised capital or liquidity requirements, which could have a negative impact on our financial results and our ability to return capital to our stockholders;

•limitations on our ability to receive dividends from our subsidiaries;

•a downgrade in our credit ratings;

•our ability to develop, operate and adapt our operational, technology and organizational infrastructure suitable for the nature of our business;

•increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions that can result from a cyber-attack or other security incident on us or third parties (including their supply chains) with which we conduct business, including an incident that results in the theft, loss, manipulation or misuse of information, or the disabling of systems and access to information critical to business operations;

•the use, reliability and accuracy of the models, AI, and data on which we rely;

•our ability to manage risks of internal and external fraud;

•compliance with new and existing domestic and foreign laws, regulations and regulatory expectations, which may change over time including as a result of the political and policy goals of elected and appointed officials;

•compliance with applicable laws and regulations related to privacy, data protection and data security, in addition to compliance with our own privacy policies and contractual obligations to third parties;

•developments, changes or actions relating to any litigation, governmental investigation or regulatory enforcement action or matter involving us;

•our response to competitive pressures;

•the amount and rate of deposit growth and changes in deposit costs;

•our ability to execute on our strategic initiatives and operational plans;

•change in market preference towards other operators of payment networks and alternative payment providers;

•our ability to create and maintain a strong base of network licensees and achieving meaningful global card acceptance;

Table of Contents

•legislation, regulation and merchants’ efforts to reduce the fees (including the interchange component) charged by credit and debit card networks and acquirers to facilitate card transactions;

•the number of large merchants that accept cards on our recently acquired Discover Network or PULSE Network;

•defaults or risks from bankruptcies, liquidations, restructurings, consolidations and outages by our network participants;

•our ability to invest successfully in and introduce digital and other technological developments across all our businesses;

•our success in integrating acquired businesses and loan portfolios, and our ability to realize anticipated benefits from announced transactions and strategic partnerships;

•changes in the reputation of, or expectations regarding, us or the financial services industry with respect to practices, products, services or financial condition;

•our ability to protect our intellectual property rights;

•the success of our marketing efforts in attracting and retaining customers;

•our risk management strategies;

•our ability to attract, develop, retain and motivate key senior leaders and skilled employees;

•our ability to manage risks from catastrophic events;

•climate change manifesting as physical or transition risks;

•our assumptions or estimates in our financial statements;

•the soundness of other financial institutions and other third parties, actual or perceived; and

•other risk factors identified from time to time in our public disclosures, including in the reports that we file with the SEC.