KEYCORP /NEW/ (KEY) Business

ITEM 1. BUSINESS

Overview

KeyCorp, organized in 1958 under the laws of the State of Ohio, is headquartered in Cleveland, Ohio. We are a BHC under the BHCA and one of the nation’s largest bank-based financial services companies, with consolidated total assets of approximately $184.4 billion at December 31, 2025. KeyCorp is the parent holding company for KeyBank National Association, its principal subsidiary, through which most of our banking services are provided. Through KeyBank and certain other subsidiaries, we provide a wide range of retail and commercial banking, commercial leasing, investment management, consumer finance, student loan refinancing, commercial mortgage servicing and special servicing, and investment banking products and services to individual, corporate, and institutional clients through two major business segments: Consumer Bank and Commercial Bank.

As of December 31, 2025, these services were provided across the country through KeyBank’s 940 full-service retail banking branches and a network of 1,120 ATMs in 15 states, as well as additional offices, online and mobile banking capabilities, and a telephone banking call center. Additional information pertaining to our two business segments is included in the “Business Segment Results” section in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations of this report, and in Note 23 (“Business Segment Reporting”) of the Notes to Consolidated Financial Statements presented in Item 8. Financial Statements and Supplementary Data, which are incorporated herein by reference.

In addition to the customary banking services of accepting deposits and making loans, our bank and its trust company subsidiary offer personal and institutional trust custody services, personal financial and planning services, access to mutual funds, treasury services, and international banking services. Through our bank, trust company, and registered investment adviser subsidiaries, we provide investment management services to clients that include large corporate and public retirement plans, foundations and endowments, high-net-worth individuals, and multi-employer trust funds established for providing pension or other benefits to employees.

We provide other financial services — both within and outside of our primary banking markets — through various nonbank subsidiaries. These services include community development financing, securities underwriting, investment banking and capital markets products, and brokerage. We also provide merchant services to businesses.

KeyCorp is a legal entity separate and distinct from its banks and other subsidiaries. Accordingly, the right of KeyCorp, its security holders, and its creditors to participate in any distribution of the assets or earnings of its banks and other subsidiaries is subject to the prior claims of the creditors of such banks and other subsidiaries, except to the extent that KeyCorp’s claims in its capacity as a creditor may be recognized.

We derive the majority of our revenues within the United States from customers domiciled in the United States. Revenue from foreign countries and external customers domiciled in foreign countries was immaterial to our consolidated financial statements.

Demographics

Our management structure and basis of presentation is divided into two business segments, Consumer Bank and Commercial Bank. Note 23 (“Business Segment Reporting”) describes the products and services offered by each of these business segments and provides more detailed financial information pertaining to the segments, including changes in basis of presentation.

The Consumer Bank serves individuals and small businesses throughout our 15-state branch footprint and through our digital brand by offering a variety of deposit and investment products, personal finance and financial wellness services, lending, student loan refinancing, mortgage and home equity, credit card, treasury services, and business advisory services. In addition, wealth management and investment services are offered to assist non-profit and high-net-worth clients with their banking, trust, portfolio management, charitable giving, and related needs.

The Commercial Bank consists of the Commercial and Institutional operating segments. The Commercial operating segment is a full-service, commercial banking platform that focuses primarily on serving the borrowing, cash management, and capital markets needs of middle market clients within Key’s 15-state branch footprint. The

6

Table of contents

Institutional operating segment operates nationally in providing lending, equipment financing, and banking products and services to large corporate and institutional clients. The industry coverage and product teams have established expertise in the following sectors: Consumer, Energy, Healthcare, Industrial, Public Sector, Real Estate, and Technology. It is also a significant, national, commercial real estate lender and third-party master and special servicer of commercial mortgage loans. The operating segment includes the KBCM platform which provides a broad suite of capital markets products and services including syndicated finance, debt and equity underwriting, fixed income and equity sales and trading, derivatives, foreign exchange, mergers & acquisition and other advisory, and public finance.

Additional Information

Our executive offices are located at 127 Public Square, Cleveland, Ohio 44114-1306, and our telephone number is (216) 689-3000. Our website is www.key.com, and the investor relations section of our website may be reached through www.key.com/ir. We make available free of charge, on or through the investor relations section of our website, annual reports on Form 10-K, quarterly reports on Form 10-Q, and current reports on Form 8-K, and amendments to those reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), as well as proxy statements, as soon as reasonably practicable after we electronically file such material with, or furnish it to, the SEC. Also posted on our website, and available in print upon request from any shareholder to our Investor Relations Department, are the charters for the committees of our Board of Directors, which includes the Audit Committee, Compensation and Organization Committee, Executive Committee, Nominating and Corporate Governance Committee, Risk Committee, and Technology Committee; our Corporate Governance Guidelines; the Code of Business Conduct and Ethics for our directors, officers, and employees; our Standards for Determining Independence of Directors; our policy for Review of Transactions Between KeyCorp and Its Directors, Executive Officers and Other Related Persons; our Statement of Political Activity; and our Corporate Responsibility Report. Within the time period required by the SEC and the NYSE, we will post on our website any amendment to the Code of Ethics and any waiver applicable to any senior executive officer or director. We also make available a summary of filings made with the SEC of statements of beneficial ownership of our equity securities filed by our directors and officers and persons who own more than 10% of a registered class of our equity securities under Section 16 of the Exchange Act. The “Regulatory Disclosures & Filings” section under the “Financials” tab of the investor relations section of our website includes public disclosures concerning our historic annual and mid-year stress-testing activities under the Dodd-Frank Act and our quarterly regulatory capital disclosures under the third pillar of Basel III.

Information contained on or accessible through, including any reports available on, our website or any other website referenced in this report is not part of this report. References to websites in this report are intended to be inactive textual references only.

Shareholders may obtain a copy of any of the above-referenced corporate governance documents by writing to our Investor Relations Department at Investor Relations, KeyCorp, 127 Public Square, Mailcode OH-01-27-0737, Cleveland, Ohio 44114-1306; by calling (216) 689-4221; or by sending an e-mail to investor_relations@keybank.com.

7

Table of contents

Competition

The market for banking and related financial services is highly competitive and continuously evolving. Legislative, regulatory, economic, and technology changes, as well as consolidation within the financial services industry, could result in increased competition from new and existing market participants. Key competes with other providers of financial services, such as BHCs, commercial banks, savings associations, credit unions, mortgage banking companies, finance companies, mutual funds, insurance companies, investment management firms, private credit funds, investment banking firms, broker-dealers, financial technology companies, and other local, regional, national, and global institutions that offer financial services. Some of our competitors are larger and may have more financial resources, while some of our competitors enjoy fewer regulatory constraints and may have lower cost structures. The financial services industry has become more competitive as technology advances have lowered barriers to entry, enabling more companies, including nonbank companies, to provide financial services. Mergers and acquisitions have also led to increased concentration in the banking industry, placing added competitive pressure on Key’s core banking products and services as we see competitors enter some of our markets or offer similar products. We compete by offering quality products and innovative services at competitive prices, and by maintaining our product and service offerings to keep pace with customer preferences and industry standards. Successfully competing in our markets also depends on our ability to invest in technology and infrastructure, execute transactions reliably and effectively, maintain and enhance our reputation, and attract, retain, and motivate talented employees, all while prudently managing risks and expenses. For more information on competition and related risks, see Item 1A. Risk Factors - “We operate in a highly competitive industry.”

Human Capital

Engaging a high performing and collaborative workforce is a top strategic priority for Key. Our human capital management strategy is focused on attracting, retaining, developing, motivating and rewarding the talent our businesses need to drive sound, profitable growth, and ultimately, enhance shareholder value, which we do by offering a competitive total rewards package, providing opportunities for career development and growth, and fostering a culture that is fair and inclusive for all.

Competitive Rewards

We make investments to hire and retain the people we need to serve our customers and communities and regularly review our pay practices to reflect changing market and economic conditions. As of December 31, 2025, 95% of employees earned $20 or more per hour. In recent years, we have made other compensation adjustments in response to market trends, competitive pressures, and a dynamic market for talent.

These investments include a comprehensive and competitive total rewards program, representing our investment in our teammates’ collective success and reflecting our commitment to helping them thrive. Key’s benefits offerings include employee health and welfare plans, a 401(k) plan with competitive matching contributions (dollar for dollar, up to the first 7% of eligible pay contributed on a per pay period basis for eligible employees), up to ten weeks of paid parental leave, a Discounted Stock Purchase Plan, wellness incentives, and a lifestyle reimbursement account program for covered expenses related to health, mental wellness, family needs, and finances.

Teammates can also participate in a variety of company-sponsored volunteer and giving opportunities, including Neighbors Make the Difference Day, our national employee volunteer day, and the Employee Matching Gift Program, which offers eligible employees the opportunity to support qualified nonprofit organizations and multiply their contributions through the KeyBank Foundation.

We have a pay-for-performance culture that is guided by the following three principles:

•Pay decisions are based on Key’s performance, business unit performance, and individual performance.

•We deliver pay in a way that balances short-term and long-term financial performance objectives and aligns to shareholder value creation.

•We support sustainable performance with policies that focus on prudent risk-taking and the balance between risk and reward.

We design our compensation programs to balance risk and reward and align with the guidance of our regulators, and we regularly monitor these programs to remain within our risk tolerances. We subject all discretionary

8

Table of contents

incentives paid to our employees to a robust risk adjustment process that begins before grant and extends beyond payment.

Career Development and Growth

We invest in our teammates’ growth and professional development through a variety of internal networking groups that are open to all teammates, including our Key Business Impact and Networking Groups (“KBINGs”), formal and informal mentoring programs, including Key’s enterprise-wide formal mentoring program, MentorMe at Key, and a suite of leadership development programs. We also offer employees the opportunities to develop and enhance their skills through formal learning curricula and to obtain tuition reimbursement for eligible collegiate or post-collegiate education and relevant certifications.

Key’s Workforce

Key had an average of 17,226 full time equivalent employees in 2025. As of December 31, 2025, a total of 17,883 full-time and part-time employees worked in the following regions, which are generally aligned to the regions Key uses for its retail branch banking network:

We invest significant time and resources in creating an attractive work environment and competitive total rewards package that attracts and retains top talent. Key’s annualized rate for voluntary turnover as of December 31, 2025, was 12.7%, lower than our annualized voluntary turnover rate for 2024, which was 13.2%, and lower than our previous five-year historical average of 15.3%.

Information About Our Executive Officers

KeyCorp’s executive officers are principally responsible for managing the operations of KeyCorp, making policy for KeyCorp, executing on strategic decisions, and managing material risks, subject to the supervision and direction of

9

Table of contents

the Board. All executive officers are subject to annual election at the annual organizational meeting of the Board held each May.

Set forth below are the names and ages of the executive officers of KeyCorp as of December 31, 2025, the positions held by each at KeyCorp during the past five years, and the year each first became an executive officer of KeyCorp. Because Mohit Ramani and James Waters have been employed at KeyCorp for less than five years, information is being provided concerning their prior business experience. There are no family relationships among the directors or the executive officers, and there is no arrangement or understanding between any executive officer and any other person pursuant to which the executive officer was selected.

Victor B. Alexander (46) - Mr. Alexander has been KeyCorp’s Head of Consumer Bank and an executive officer of KeyCorp since January 2020. Prior to that time, he served as the Head of Home Lending from October 2018 to January 2020 and Treasurer from July 2017 to October 2018.

Amy G. Brady (59) - Ms. Brady is KeyCorp’s Chief Information Officer, serving in that role since May 2012. Ms. Brady has been an executive officer of KeyCorp since she joined in 2012. She has been a director of DuPont de Nemours, Inc., a multi-industry specialty solutions company, since 2019.

Trina M. Evans (61) - Ms. Evans has been the Director of Corporate Center for KeyCorp since August 2012. Prior to this role, Ms. Evans was the Chief Administrative Officer for Key Community Bank and the Director of Client Experience for KeyBank. She became an executive officer of KeyCorp in March 2013.

Kenneth C. Gavrity (49) - Mr. Gavrity has been Head of Commercial Bank since November 2023 and became an executive officer of KeyCorp in May 2021. Prior to this, Mr. Gavrity served as Head of Enterprise Payments from January 2019 to November 2023 and Head of Commercial Payments from 2016 to 2019.

Stacy L. Gilbert (54) - Ms. Gilbert has been the Chief Accounting Officer and an executive officer of KeyCorp since March 2024. Prior to her appointment as Chief Accounting Officer, Ms. Gilbert served as Corporate Controller for KeyCorp since August 2023. She previously served as Assistant Corporate Controller and Senior Director of External Reporting and Accounting Policy from April 2021 to August 2023.

Christopher M. Gorman (65) - Mr. Gorman has been Chairman, Chief Executive Officer, and President of KeyCorp since May 1, 2020. Mr. Gorman previously served as President and Chief Operating Officer from September 2019 to May 2020 and President of Banking and Vice Chairman from 2017 to September 2019. From 2016 to 2017, he served as Merger Integration Executive responsible for leading the integration efforts related to KeyCorp’s merger with First Niagara. Prior to that, Mr. Gorman was the President of Key Corporate Bank from 2010 to 2016. He became an executive officer of KeyCorp in 2010.

Clark H.I. Khayat (54) - Mr. Khayat has been Chief Financial Officer since March 2023 and an executive officer since September 2018. Mr. Khayat rejoined KeyCorp as Chief Strategy Officer in January 2018 and served in that role until March 2023. Mr. Khayat had previously served as Head of Key’s Enterprise Commercial Payments group from April 2014 to June 2016.

Allyson M. Kidik (46) - Ms. Kidik has been the Chief Auditor and an executive officer of KeyCorp since July 2022. Ms. Kidik previously served as Senior Deputy General Auditor from 2018 to 2022 and Deputy General Auditor from 2015 to 2018.

Angela G. Mago (60) - Ms. Mago has served as the Chief Human Resources Officer since November 2023. She previously served as Head of Commercial Bank from May 2019 to November 2023 and Co-Head of Key Corporate Bank from 2016 to May 2019. She became an executive officer of KeyCorp in 2016.

Andrew J. Paine III (56) - Mr. Paine has been the Head of Institutional Bank since 2019. He previously served as Co-Head of Key Corporate Bank from 2016 to May 2019. He also serves as President of KeyBanc Capital Markets Inc., a role he has held since 2013. He became an executive officer of KeyCorp in 2016.

Mohit Ramani (52) - Mr. Ramani has served as Chief Risk Officer and an executive officer of KeyCorp since January 2025. Prior to that time, he served in a variety of roles with Truist Financial Corporation, including Deputy Chief Risk Officer and Chief Credit Officer from January 2023 to January 2025 and Chief Business Unit Risk Officer from 2000 to 2023.

10

Table of contents

James L. Waters (59) - Mr. Waters became the General Counsel and Secretary and an executive officer of KeyCorp in July 2021. From 2018 to 2021, he served as General Counsel and Corporate Secretary of Cullen/Frost Bankers, Inc., a financial holding company.

Supervision and Regulation

The regulatory framework applicable to BHCs and banks is intended primarily to protect consumers, the DIF, taxpayers and the banking system as a whole, rather than to protect the security holders and creditors of financial services companies. Comprehensive reform of the legislative and regulatory environment for financial services companies remains ongoing. We cannot predict changes in applicable laws, regulations or regulatory agency policies, but any such changes may materially affect our business, financial condition, results of operations, or access to liquidity or credit.

Overview

Federal law establishes a system of regulation under which the Federal Reserve is the umbrella regulator for BHCs, while their subsidiaries are principally regulated by prudential or functional regulators: (i) the OCC for national banks and federal savings associations; (ii) the FDIC for state non-member banks and savings associations; (iii) the Federal Reserve for state member banks; (iv) the CFPB for consumer financial products or services; (v) the SEC and FINRA for securities broker/dealer activities; (vi) the SEC, CFTC, and NFA for swaps and other derivatives; and (vii) state insurance regulators for insurance activities. Certain specific activities, including traditional bank trust and fiduciary activities, may be conducted in a bank without the bank being deemed a “broker” or a “dealer” in securities for purposes of securities functional regulation.

BHC acquisition rules and permissible activities

Under the BHCA, BHCs generally may not directly or indirectly own or control more than 5% of the voting shares, or substantially all of the assets, of any bank, without prior approval from the Federal Reserve. In addition, BHCs are generally prohibited from engaging in commercial or industrial activities. However, a BHC that satisfies certain requirements regarding management, capital adequacy, and Community Reinvestment Act performance may elect to be treated as a Financial Holding Company (“FHC”) for purposes of federal law, and as a result may engage in a substantially broader scope of activities that are considered to be financial in nature or complementary to those activities. KeyCorp has elected to be treated as a FHC and, as such, is authorized to engage in securities underwriting and dealing, insurance agency and underwriting, and merchant banking activities. In addition, the Federal Reserve has permitted FHCs, like KeyCorp, to engage in the following activities, under the view that such activities are complementary to a financial activity: physical commodities trading activities, energy management services, and energy tolling, among others.

Source of strength doctrine

Under federal law, a BHC also must serve as a source of financial strength to its subsidiary depository institution(s) by providing financial assistance in the event of financial distress. This support may be required when the BHC does not have the resources to, or would prefer not to, provide it. Certain loans by a BHC to a subsidiary bank are subordinate in right of payment to deposits in, and certain other indebtedness of, the subsidiary bank. In addition, federal law provides that in the bankruptcy of a BHC, any commitment by the BHC to a federal bank regulatory agency to maintain the capital of a subsidiary bank will be assumed by the bankruptcy trustee and entitled to priority of payment.

Supervisory framework

The Dodd-Frank Act created the FSOC to overlay the U.S. supervisory framework for BHCs, IDIs, and other financial service providers, by serving as a systemic risk oversight body. Specifically, the FSOC is authorized to: (i) identify risks to U.S. financial stability that could arise from the material financial distress or failure, or ongoing activities, of large, interconnected SIFIs, or that could arise outside the financial services marketplace; (ii) promote market discipline by eliminating expectations that the U.S. government will shield shareholders, creditors, and counterparties from losses in the event of failure; and (iii) respond to emerging threats to the stability of the U.S. financial system. The FSOC is responsible for facilitating regulatory coordination; information collection and sharing; designating nonbank financial companies for consolidated supervision by the Federal Reserve; designating

11

Table of contents

systemic financial market utilities and systemic payment, clearing, and settlement activities requiring prescribed risk management standards and heightened federal regulatory oversight; recommending stricter standards for SIFIs; and, together with the Federal Reserve, determining whether action should be taken to break up firms that pose a grave threat to U.S. financial stability.

As an FHC, KeyCorp is subject to regulation, supervision, and examination by the Federal Reserve under the BHCA. Our national bank subsidiaries and their subsidiaries are subject to regulation, supervision, and examination by the OCC. At December 31, 2025, we operated one full-service, FDIC-insured national bank subsidiary, KeyBank, and one national bank subsidiary that is limited to fiduciary activities. The FDIC also has certain, more limited regulatory, supervisory, and examination authority over KeyBank and KeyCorp under the FDIA and the Dodd-Frank Act.

We have other financial services subsidiaries that are subject to regulation, supervision, and examination by the Federal Reserve, as well as other state and federal regulatory agencies and self-regulatory organizations. Because KeyBank engages in derivative transactions, in 2013 it provisionally registered as a swap dealer with the CFTC and became a member of the NFA, the self-regulatory organization for participants in the U.S. derivatives industry. Our securities brokerage and asset management subsidiaries are subject to supervision and regulation by the SEC, FINRA, and state securities regulators, and our insurance agency subsidiary is subject to regulation by the insurance regulatory authorities of the states in which it operates. Our other nonbank subsidiaries are subject to laws and regulations of both the federal government and the various states in which they are authorized to do business.

Enhanced prudential standards and tailoring rules

The Dodd-Frank Act required the Federal Reserve to impose enhanced prudential standards upon BHCs with at least $50 billion in total consolidated assets (like KeyCorp). Prudential standards were required to include enhanced risk-based capital requirements and leverage limits, liquidity requirements, risk-management and risk committee requirements, resolution plan requirements, credit exposure report requirements, single counterparty credit limits, supervisory and company-run stress test requirements, and for certain financial companies, a debt-to-equity limit.

The Economic Growth, Regulatory Relief, and Consumer Protection Act (“EGRRCPA”) raised the asset threshold above which the Federal Reserve is required to apply enhanced prudential standards to BHCs with at least $250 billion in total consolidated assets and gave the Federal Reserve the authority to apply enhanced prudential standards to BHCs with at least $100 billion in assets but less than $250 billion in assets (like KeyCorp) if it determines that the application of the enhanced prudential standards is appropriate to prevent or mitigate risks to financial stability or to promote the safety and soundness of the BHC or BHCs, taking into consideration the BHC’s or BHCs’ capital structure, riskiness, complexity, financial activities, size, and other relevant factors.

Final rules related to the implementation of EGRRCPA (“Tailoring Rules”) established four risk-based categories of BHCs and their bank subsidiaries with $100 billion or more in total consolidated assets and applied tailored regulatory requirements to each respective category. KeyCorp and KeyBank fall within the least restrictive of those categories (“Category IV”). The requirements applicable to Category IV firms pursuant to the Tailoring Rules are discussed below.

Regulatory Capital and Liquidity Requirements

Background

KeyCorp and KeyBank are subject to regulatory capital requirements that are based largely on the work of an international group of supervisors known as the Basel Committee on Banking Supervision (“Basel Committee”). The Basel Committee is responsible for establishing international bank supervisory standards for implementation in member jurisdictions, to enhance and align bank regulation on a global scale, and to promote financial stability. The regulatory capital framework developed by the Basel Committee and implemented in the United States is a predominately risk-based capital framework that establishes minimum capital requirements based on the amount of regulatory capital a banking organization maintains relative to the amount of its total assets, adjusted to reflect credit risk (“risk-weighted assets”). Each banking organization subject to this regulatory capital framework is required to satisfy certain minimum risk-based capital measures (e.g., a tier 1 risk-based capital ratio requirement of tier 1 capital to total risk-weighted assets), and in the United States, a minimum leverage ratio requirement of tier 1 capital to average total on-balance sheet assets, which serves as a backstop to the risk-based measures.

12

Table of contents

A capital instrument is assigned to one of two tiers based on the relative strength and ability of that instrument to absorb credit losses on a going concern basis. Capital instruments with relatively robust loss-absorption capacity are assigned to tier 1, while other capital instruments with relatively less loss-absorption capacity are assigned to tier 2. A banking organization’s total capital equals the sum of its tier 1 and tier 2 capital.

The Basel Committee also developed a market risk capital framework (that also has been implemented in the United States) to address the substantial exposure to market risk faced by banking organizations with significant trading activity and augment the credit risk-based capital requirements described above. For example, the minimum total risk-based capital ratio requirement for a banking organization subject to the market risk capital rule equals the ratio of the banking organization’s total capital to the sum of its credit risk-weighted assets and market risk-weighted assets. Only KeyCorp is subject to the market risk capital rule, as KeyBank does not engage in substantial trading activity.

Basel III

To address deficiencies in the international regulatory capital standards identified during the 2007-2009 global financial crisis, the Basel Committee in 2010 released comprehensive revisions to the international regulatory capital framework, commonly referred to as “Basel III.” The Basel III revisions are designed to strengthen the quality and quantity of regulatory capital, in part through the introduction of a Common Equity Tier 1 capital requirement; provide more comprehensive and robust risk coverage, particularly for securitization exposures, equities, and off-balance sheet positions; and address pro-cyclicality concerns through the implementation of capital buffers. The Basel Committee also released a series of revisions to the market risk capital framework to address deficiencies identified during its initial implementation (e.g., arbitrage opportunities between the credit risk-based and market risk capital rules) and in connection with the global financial crisis.

KeyCorp and KeyBank are subject to regulatory capital requirements implemented by the U.S. banking agencies that are based largely on Basel III (“Regulatory Capital Rules”). Consistent with the international framework, the Regulatory Capital Rules further restrict the type of instruments that may be recognized in tier 1 and tier 2 capital; establish a minimum Common Equity Tier 1 capital ratio requirement of 4.5% and capital buffers to absorb losses during periods of financial stress while allowing an institution to provide credit intermediation as it would during a normal economic environment; and refine several of the methodologies used for determining risk-weighted assets. The Regulatory Capital Rules provide additional requirements for large banking organizations with over $250 billion in total consolidated assets or $10 billion in foreign exposure, but those additional requirements do not apply to KeyCorp or KeyBank. However, some of those additional requirements will apply to KeyCorp and KeyBank if proposed revisions to the Regulatory Capital Rules are adopted. The proposed revisions to the Regulatory Capital Rules are discussed below under the heading “Regulatory capital-related developments.” For purposes of the Regulatory Capital Rules, KeyCorp and KeyBank are treated as “standardized approach” banking organizations.

Under the Regulatory Capital Rules, standardized approach banking organizations, such as KeyCorp and KeyBank, are required to meet the minimum capital and leverage ratios set forth in the following table. At December 31, 2025, KeyCorp’s ratios under the fully phased-in Regulatory Capital Rules were as set forth in the following table.

Minimum Capital Ratios and KeyCorp Ratios Under Regulatory Capital Rules

(a)As a standardized approach banking organization, KeyCorp is not subject to the 3% supplementary leverage ratio requirement. However, KeyCorp will be subject to the supplementary leverage ratio if proposed revisions to the Regulatory Capital Rules are adopted.

(b)Stress capital buffer must consist of Common Equity Tier 1 capital. As a standardized approach banking organization, KeyCorp is not subject to the countercyclical capital buffer of up to 2.5% imposed upon an advanced approaches banking organization under the Regulatory Capital Rules. However, KeyCorp will be subject to the countercyclical capital buffer if proposed revisions to the Regulatory Capital Rules are adopted. KeyCorp’s stress capital buffer is 3.20% as of October 1, 2025.

Revised prompt corrective action framework

The federal Prompt Corrective Action (“PCA”) framework under the FDIA groups FDIC-insured depository institutions into one of five prompt corrective action capital categories: “well capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized,” and “critically undercapitalized.” In addition to implementing the Basel III capital framework in the United States, the Regulatory Capital Rules also revised the PCA capital category

13

Table of contents

threshold ratios applicable to FDIC-insured depository institutions such as KeyBank. The revised PCA framework table below identifies the capital category threshold ratios for a “well capitalized” and an “adequately capitalized” institution under the PCA framework.

“Well Capitalized” and “Adequately Capitalized” Capital Category Ratios under

Revised Prompt Corrective Action Framework

(a)A “well capitalized” institution also must not be subject to any written agreement, order or directive to meet and maintain a specific capital level for any capital measure.

(b)As a standardized approach banking organization, KeyBank is not subject to the 3% supplementary leverage ratio requirement, which became effective January 1, 2018. However, KeyBank will be subject to the supplementary leverage ratio if proposed revisions to the Regulatory Capital Rules are adopted.

As of December 31, 2025, KeyBank (consolidated) satisfied the risk-based and leverage capital requirements necessary to be considered “well capitalized” for purposes of the revised PCA framework. However, investors should not regard this determination as a representation of the overall financial condition or prospects of KeyBank because the PCA framework is intended to serve a limited supervisory function. Moreover, it is important to note that the PCA framework does not apply to BHCs, like KeyCorp.

Regulatory capital-related developments

On July 27, 2023, the federal banking agencies issued a proposal (the “Capital Proposal”) that would make significant changes to the Regulatory Capital Rules applicable to banking organizations with total assets of $100 billion or more and their depository institution subsidiaries (“Large Banking Organizations”) (including KeyCorp and KeyBank) and banking organizations with significant trading activity. This proposal would implement the final elements of the Basel III capital framework and make other changes to the Regulatory Capital Rules in response to the bank failures that occurred in 2023. The Capital Proposal would establish a new framework for calculating risk-weighted assets (the “expanded risk-based approach”) that would apply to Large Banking Organizations. The expanded risk-based approach would include a new more risk-sensitive standardized approach for measuring credit risk and operational risk. It would also include new standardized approaches for measuring market risk and credit valuation adjustment risk but would allow the use of internal models for market risk in certain circumstances with regulatory approval.

In addition, the Capital Proposal would also align the calculation of regulatory capital for Category III and IV banking organizations (like KeyCorp and KeyBank) with the calculation of regulatory capital for Category I and II banking organizations. Under the proposal, Category III and IV banking organizations would be required to include most components of AOCI, including net unrealized gains and losses on available-for-sale securities, in regulatory capital. Furthermore, all Large Banking Organizations would be subject to the supplementary leverage ratio and countercyclical capital buffer requirement.

The federal banking agencies have indicated that they will be revising the Capital Proposal that was issued in July 2023, but it is uncertain what changes will be made to the proposal. Key is monitoring developments regarding this matter.

Capital planning, stress testing, and stress capital buffer

The Federal Reserve’s capital plan rule requires each U.S.-domiciled, top-tier BHC with total consolidated assets of at least $100 billion (like KeyCorp) to develop and maintain on an annual basis a written capital plan supported by a robust internal capital adequacy process. The capital plan must include, among other things, an assessment of the expected uses and sources of capital over a nine-quarter planning horizon, a description of all planned capital actions over the planning horizon, a detailed description of the BHC’s process for assessing capital adequacy, a discussion of any expected changes to the BHC’s business plan that are likely to have a material impact on its capital adequacy or liquidity, and the BHC’s capital policy. The capital plan must be submitted to the Federal Reserve for supervisory review in connection with the BHC’s CCAR (described below). The supervisory review includes an assessment of many factors, including KeyCorp’s ability to maintain capital above each minimum regulatory capital ratio on a pro forma basis under expected and stressful conditions throughout the planning horizon.

14

Table of contents

The Federal Reserve’s CCAR is an intensive assessment of the capital adequacy of large U.S. BHCs and of the practices these BHCs use to assess their capital needs. The Federal Reserve expects BHCs subject to CCAR to have and maintain regulatory capital in an amount that is sufficient to withstand a severely adverse operating environment and, at the same time, be able to continue operations, maintain ready access to funding, meet obligations to creditors and counterparties, and provide credit intermediation.

The Federal Reserve conducts a supervisory stress test on BHCs with at least $100 billion in total consolidated assets (including KeyCorp), pursuant to which the Federal Reserve projects revenues, expenses, losses, and resulting post-stress capital levels and regulatory capital ratios under conditions that affect the U.S. economy under supervisory baseline and severely adverse scenarios that are determined by the Federal Reserve. The Federal Reserve conducts a supervisory stress test of the largest BHCs on an annual basis. Under one of the Tailoring Rules, Category IV BHCs (such as KeyCorp) are subject to a supervisory stress test conducted by the Federal Reserve every other year rather than every year.

On March 4, 2020, the Federal Reserve adopted a final rule integrating certain aspects of the Federal Reserve’s Regulatory Capital Rules with CCAR and the stress test rules in order to simplify the overall capital framework that is currently applicable to BHCs that have $100 billion or more in total consolidated assets (including KeyCorp). The final rule amended the capital conservation buffer requirement under the Regulatory Capital Rules by replacing the static risk-weighted assets component of the buffer with a new measure, the stress capital buffer, which will be based on the results of an individual BHC’s supervisory stress test and cannot be less than 2.5 percent of risk-weighted assets. A firm will be subject to limitations on capital distributions and discretionary bonus payments if it does not satisfy all minimum capital requirements and its stress capital buffer requirement. Under the Tailoring Rules, the portion of the stress capital buffer for a Category IV firm based on the Federal Reserve’s stress test will be calculated biennially. During a year in which in which a Category IV firm does not undergo a supervisory stress test, the firm will receive an updated stress capital buffer that reflects the firm’s updated planned common stock dividends.

A firm’s stress capital buffer requirement will become effective on October 1 of each year and will remain in effect until September 30 of the following year unless the firm receives an updated stress capital buffer requirement from the Federal Reserve. If a rule change proposed by the Federal Reserve on April 17, 2025 is adopted, a firm’s stress capital buffer requirement will become effective on January 1 rather than October 1 in order to give firms more time to adjust to updated capital requirements. The adjusted stress capital buffer requirement would then remain in effect until the following December 31 unless the firm receives an updated stress capital buffer requirement from the Federal Reserve.

On June 27, 2025, the Federal Reserve announced the results of the supervisory stress test that it conducted of 22 large BHCs (not including KeyCorp). As a Category IV banking organization subject to a supervisory stress test every other year, KeyCorp was not required to participate in the Federal Reserve’s supervisory stress test in 2025. On August 29, 2025, the Federal Reserve published the updated stress capital buffer requirements for large BHCs, including BHCs like KeyCorp that did not participate in the supervisory stress test in 2025. KeyCorp’s updated stress capital buffer is 3.2% (based on the results of KeyCorp’s 2024 supervisory stress test and adjusted for KeyCorp’s planned common stock dividends as set forth in KeyCorp’s 2025 capital plan). This stress capital buffer became effective on October 1, 2025, and will remain in effect until September 30, 2026, unless KeyCorp later receives an updated stress capital buffer requirement from the Federal Reserve.

On October 24, 2025, the Federal Reserve issued a proposal that would codify a process under which the Federal Reserve would be required to annually disclose and seek public comment on the models and scenarios used in the supervisory stress test. The Federal Reserve indicated that the proposal is intended to enhance the transparency and public accountability of the Federal Reserve’s supervisory stress test framework. The Federal Reserve also proposed revisions to reporting forms submitted by firms subject to the supervisory stress test to reduce burden and improve risk capture in the stress tests. Comments on the proposal were due by January 22, 2026.

Liquidity requirements

Under final rules adopted by the federal banking agencies, the largest U.S. banking organizations are subject to a liquidity coverage ratio (“LCR”), calculated as the ratio of a banking organization’s high-quality liquid assets to its total net cash outflows over 30 consecutive calendar days, and a net stable funding ratio (“NSFR”), calculated as the ratio of the amount of stable funding available to a banking organization to its required amount of stable funding

15

Table of contents

over a one-year time horizon. KeyCorp and KeyBank are not subject to an LCR requirement or an NSFR requirement under these rules because KeyCorp and KeyBank are Category IV banking organizations that have average weighted short-term wholesale funding of less than $50 billion.

However, Category IV BHCs, like KeyCorp, are subject to liquidity requirements contained in regulations adopted by the Federal Reserve pursuant to the Dodd-Frank Act and EGRRCPA. Under these regulations, KeyCorp is subject to requirements involving cash flow projections over short-term and long-term time horizons, a contingency funding plan, liquidity risk limits, the monitoring of liquidity risks (with respect to collateral, legal entities, currencies, business lines, and intraday exposures), quarterly liquidity stress testing, liquidity risk management requirements, monthly liquidity reporting requirements, and a liquidity buffer that is sufficient to meet projected net stressed cash-flow needs over a 30-day planning horizon.

Dividend restrictions

Federal law and regulation impose limitations on the payment of dividends by our national bank subsidiaries, like KeyBank. Historically, dividends paid by KeyBank have been an important source of cash flow for KeyCorp to pay dividends on its equity securities and interest on its debt. Dividends by our national bank subsidiaries are limited to the lesser of the amounts calculated under an earnings retention test and an undivided profits test. Under the earnings retention test, without the prior approval of the OCC, a dividend may not be paid if the total of all dividends declared by a bank in any calendar year is in excess of the current year’s net income combined with the retained net income of the two preceding years. Under the undivided profits test, a dividend may not be paid in excess of a bank’s undivided profits. Moreover, under the FDIA, an IDI may not pay a dividend if the payment would cause it to be less than “adequately capitalized” under the PCA framework or if the institution is in default in the payment of an assessment due to the FDIC. Similarly, under the Regulatory Capital Rules, a banking organization that fails to satisfy the minimum capital conservation buffer requirement will be subject to certain limitations, which include restrictions on capital distributions. For more information about the payment of dividends by KeyBank to KeyCorp, please see Note 22 (“Regulatory Matters”) in this report.

FDIA, Resolution Authority and Financial Stability

Deposit insurance and assessments

The DIF provides insurance coverage for domestic deposits funded through assessments on IDIs like KeyBank. The amount of deposit insurance coverage for each depositor’s deposits is $250,000 per depository.

The FDIC must assess the deposit insurance premium based on an IDI’s assessment base, calculated as its average consolidated total assets minus its average tangible equity. KeyBank’s current annualized premium assessments can range from $.025 to $.45 for each $100 of its assessment base. The rate charged depends on KeyBank’s performance on the FDIC’s “large and highly complex institution” risk-assessment scorecard, which includes factors such as KeyBank’s regulatory rating, its ability to withstand asset and funding-related stress, and the relative magnitude of potential losses to the FDIC in the event of KeyBank’s failure.

On October 18, 2022, the FDIC adopted a final rule, applicable to all IDIs (including KeyBank), to increase the initial base deposit insurance assessment rate schedules uniformly by two basis points consistent with the Amended Restoration Plan approved by the FDIC on June 21, 2022. The FDIC indicated that it was taking this action in order to restore the DIF reserve ratio to the required statutory minimum of 1.35% by the statutory deadline of September 30, 2028. Under the final rule, the increase in rates began with the first quarterly assessment period of 2023 and will remain in effect unless and until the reserve ratio meets or exceeds 2% in order to support growth in the DIF in progressing toward the FDIC’s long-term goal of a 2% reserve ratio.

On March 10, 2023, and March 12, 2023, Silicon Valley Bank (“SVB”) and Signature Bank (“Signature”) were closed by the state banking authorities in California and New York, respectively, and the FDIC was appointed as receiver of SVB and Signature. All deposits of SVB and Signature were transferred to bridge banks established by the FDIC under the systemic risk exception to the least cost test in the FDIA so that the uninsured deposits as well as the insured deposits of both banks were protected by the FDIC. Under the FDIA, the loss to the DIF arising from the use of the systemic risk exception must be recovered through one or more special assessments.

16

Table of contents

On November 16, 2023, the FDIC issued a final rule to impose a special assessment on IDIs (including KeyBank) to recover the loss to the DIF resulting from the use of the systemic risk exception to protect the uninsured depositors of SVB and Signature. Under the final rule, the FDIC would collect a special assessment from IDIs at an annual rate of approximately 13.4 basis points (or 3.36 basis points per quarter) over eight quarterly assessment periods, starting with the first quarterly assessment period of 2024 (i.e., January 1, 2024 through March 31, 2024) with an invoice payment date of June 28, 2024. The assessment base for the proposed special assessment is equal to an IDI’s estimated uninsured deposits reported as of December 31, 2022, adjusted to exclude the first $5 billion in estimated uninsured deposits held by the IDI.

On December 16, 2025, the FDIC issued an interim final rule to reduce the quarterly rate at which the special assessment will be collected from 3.36 basis points to 2.97 basis points in the eighth collection quarter (with an invoice payment date of March 30, 2026) in order to ensure that the amount collected will be approximately equal to the FDIC’s current estimate of the loss to the DIF from the use of the systemic risk exception. The interim final rule also provides that the FDIC will provide an offset to IDIs’ regular quarterly deposit insurance assessments if the aggregate amount collected exceeds losses following resolution of litigation between the FDIC and SVB’s parent company. The interim final rule further provides that upon the final termination of the receiverships, the FDIC will either (1) provide an offset to IDIs’ regular quarterly deposit insurance assessments if the amount collected exceeds losses or (2) collect from IDIs a one-time final shortfall assessment if losses exceed the amount collected. Comments on the interim final rule were due by January 20, 2026.

Conservatorship and receivership of insured depository institutions

Upon the insolvency of an IDI, the FDIC will be appointed as receiver or, in rare circumstances, conservator for the insolvent institution under the FDIA. In an insolvency, the FDIC may repudiate or disaffirm any contract to which the institution is a party if the FDIC determines that performance of the contract would be burdensome and that disaffirming or repudiating the contract would promote orderly administration of the institution’s affairs. If the contractual counterparty makes a claim against the receivership (or conservatorship) for breach of contract, the amount paid to the counterparty would depend upon, among other factors, the receivership (or conservatorship) assets available to pay the claim and the priority of the claim relative to others. In addition, the FDIC may enforce most contracts entered into by the insolvent institution, notwithstanding any provision that would terminate, cause a default, accelerate or give other rights under the contract solely because of the insolvency, the appointment of the receiver (or conservator), or the exercise of rights or powers by the receiver (or conservator). The FDIC may also transfer any asset or liability of the insolvent institution without obtaining approval or consent from the institution’s shareholders or creditors. These provisions would apply to obligations and liabilities of KeyCorp’s IDI subsidiary, KeyBank, including obligations under senior or subordinated debt issued to public investors.

Receivership of certain SIFIs

The Dodd-Frank Act created a new resolution regime, as an alternative to bankruptcy, known as the “orderly liquidation authority” (“OLA”) for certain SIFIs, including BHCs and their affiliates. Under the OLA, the FDIC would generally be appointed as receiver to liquidate and wind down a failing SIFI. The determination that a SIFI should be placed into OLA receivership is made by the U.S. Treasury Secretary, who must conclude that the SIFI is in default or in danger of default and that the SIFI’s failure poses a risk to the stability of the U.S. financial system. This determination must come after supermajority recommendations by the Federal Reserve and the FDIC, and consultation between the U.S. Treasury Secretary and the President.

If the FDIC is appointed as receiver under the OLA, its powers and the rights and obligations of creditors and other relevant parties would be determined exclusively under the OLA. The powers of a receiver under the OLA are generally based on the FDIC’s powers as receiver for IDIs under the FDIA. Certain provisions of the OLA were modified to reduce disparate treatment of creditors’ claims between the U.S. Bankruptcy Code and the OLA. However, substantial differences between the two regimes remain, including the FDIC’s right to disregard claim priority in some circumstances, the use of an administrative claims procedure under OLA to determine creditors’ claims (rather than a judicial procedure in bankruptcy), the FDIC’s right to transfer claims to a bridge entity, and limitations on the ability of creditors to enforce contractual cross-defaults against potentially viable affiliates of the entity in receivership. OLA liquidity would be provided through credit support from the U.S. Treasury and assessments made, first, on claimants against the receivership that received more in the OLA resolution than they would have received in ordinary liquidation (to the full extent of the excess), and second, if necessary, on SIFIs like KeyCorp utilizing a risk-based methodology.

17

Table of contents

Depositor preference

The FDIA provides that, in the event of the liquidation or other resolution of an IDI, the claims of its depositors (including claims of its depositors that have subrogated to the FDIC) and certain claims for administrative expenses of the FDIC as receiver have priority over other general unsecured claims. If an IDI fails, insured and uninsured depositors, along with the FDIC, will be placed ahead of unsecured, nondeposit creditors, including the institution’s parent BHC and subordinated creditors, in order of priority of payment.

Resolution and recovery plans

BHCs with at least $50 billion in total consolidated assets, like KeyCorp, have been required to periodically submit to the Federal Reserve and FDIC a plan discussing how the company could be rapidly and orderly resolved if the company failed or experienced material financial distress. IDIs with at least $50 billion in total consolidated assets, like KeyBank, have also been required to submit a resolution plan to the FDIC. The Federal Reserve and FDIC make available on their websites the public sections of resolution plans for the companies, including KeyCorp and KeyBank, that submitted plans. The public sections of the resolution plans of KeyCorp and KeyBank are available at http://www.federalreserve.gov/supervisionreg/resolution-plans.htm and https://www.fdic.gov/resolutions/fdic-and-financial-regulatory-reform-title-i-and-idi-resolution-planning/. KeyCorp’s last resolution plan was submitted in 2017, and KeyBank’s last resolution plan was submitted in 2025. KeyCorp is no longer required to submit a resolution plan because of the rule change discussed below while KeyBank remains subject to resolution plan requirements as discussed below.

Category IV BHCs with less than $250 billion in total consolidated assets are no longer required to submit a resolution plan unless they have $75 billion or more in certain risk-based indicators. Under this rule, KeyCorp is no longer subject to resolution planning requirements.

On June 20, 2024, the FDIC adopted a final rule to amend and restate its current resolution plan rule in order to clarify and strengthen resolution plan submission requirements and reflect lessons learned since the adoption of the FDIC’s current resolution plan rule in 2012. Among other things, the final rule (i) enhances and clarifies the requirements for the content of resolution plan submissions (ii) requires IDIs with more than $100 billion in total assets that are not affiliated with a U.S. G-SIB (including KeyBank) to submit full resolution plans every three years and more limited supplements in the off years, and (iii) expands expectations regarding engagement with the FDIC and capabilities testing. The final rule was effective on October 1, 2024. KeyBank was required to file its next resolution plan by July 1, 2025, which was its initial filing under the 2024 rule.

In April 2025, the FDIC issued guidance to further clarify its expectations regarding resolution plan submissions. On December 31, 2025, the FDIC announced that it will propose changes in 2026 to the resolution plan rule to incorporate guidance it issued in April 2025 and to make additional changes to take into account lessons learned from its review of the 2025 resolution plan submissions. The FDIC indicated that it wants to focus on resolution plan content requirements that will facilitate the quick resolution of a failed institution.

The OCC has issued recovery planning guidelines that require large OCC-regulated banks to develop and maintain a recovery plan that identifies triggers and options for responding to a wide range of severe internal and external stress scenarios so that the bank can be restored to financial strength and viability in a timely manner if it were to experience such stress situations. On October 21, 2024, the OCC adopted revisions to its recovery planning guidelines and lowered the threshold for the applicability of these guidelines from banks with at least $250 billion in average total consolidated assets to those with at least $100 billion in average total consolidated assets, including KeyBank. KeyBank was required to be in compliance with these guidelines by January 1, 2026 except that KeyBank’s compliance with the testing requirement was delayed until January 1, 2027.

On October 27, 2025, the OCC requested public comment on a proposal to rescind its recovery planning guidelines. In proposing the rescission of these guidelines, the OCC said that the guidelines were overly prescriptive and imposed an unnecessary regulatory burden on the covered institutions. The OCC said that if the recovery planning guidelines are rescinded, it would still expect all institutions that it regulates to have appropriate risk management processes in place to address all material risks in their operating environment and to maintain a formal contingency funding plan that considers a range of possible stress scenarios, assesses the stability of funding during periods of stress, and provides for a broad range of funding sources under adverse conditions. Comments on the proposal were due by December 18, 2025.

18

Table of contents

Other Regulatory Requirements and Developments

The Bank Secrecy Act

The BSA requires all financial institutions (including banks and securities broker-dealers) to, among other things, maintain a risk-based system of internal controls reasonably designed to prevent money laundering and the financing of terrorism. It includes a variety of recordkeeping and reporting requirements (such as cash and suspicious activity reporting) as well as due diligence and know-your-customer documentation requirements. Key has established and maintains an AML program to comply with the BSA’s requirements.

OFAC

The U.S. has imposed economic sanctions that affect transactions with designated foreign countries, foreign nationals, and others pursuant to various laws and executive orders. These sanctions are administered by the Office of Foreign Assets Control (“OFAC”), an office within the U.S. Department of the Treasury. Sanctions are imposed to carry out U.S. foreign policy and national security goals and involve prohibiting trade and various types of commercial and financial transactions with sanctioned countries, individuals, organizations, and groups. OFAC regulations require the rejection of transactions or the blocking of assets when a sanctioned country, individual, organization, or group is involved. Blocked assets (e.g., property and bank deposits) cannot be paid out, withdrawn, set off, or transferred in any manner without a license from OFAC. Key is required to comply with sanctions administered by OFAC. Failure to comply with the sanctions could have serious legal consequences, including the imposition of civil and criminal penalties.

Compensation-related rules and regulations

Guidelines adopted by the federal banking agencies prohibit as an unsafe and unsound practice the payment by a banking organization of excessive compensation and describe compensation as “excessive” when the amounts paid are unreasonable or disproportionate to the services performed by an executive officer, employee, director, or principal shareholder. The federal banking agencies have also issued guidance to ensure that incentive compensation policies at banking organizations are consistent with safe and sound practices. This guidance provides that such policies should (1) provide employees incentives that appropriately balance risk and reward, (2) are compatible with effective controls and risk management, and (3) are supported by strong corporate governance, including active and effective oversight by the organization’s board of directors.

Section 956 of the Dodd-Frank Act requires six federal agencies to jointly prescribe regulations or guidelines that prohibit any types of incentive-based payment arrangement that the agencies determine encourages inappropriate risks by financial institutions with more than $1 billion in assets (including KeyCorp and KeyBank). These six agencies issued proposed regulations in 2011 and 2016 to implement this provision, but these regulations have not been finalized.

Also, as mandated by Section 954 of the Dodd-Frank Act, the SEC has adopted rules directing U.S. stock exchanges to establish listing standards that require listed companies to adopt policies providing for the recovery or clawback of incentive-based compensation received by current or former executive officers where such compensation is based on erroneous financial information which required an accounting restatement. The NYSE has adopted such clawback listing standards, which are applicable to NYSE-listed companies, including KeyCorp.

Lending standards

The federal banking agencies have adopted interagency guidelines establishing standards for safety and soundness that include standards that apply to banks (including KeyBank) when making loans to borrowers. These guidelines provide, among other things, that banks should establish and maintain loan documentation practices that enable the bank to make an informed lending decision, assess risk on an ongoing basis, and ensure that any claim against a borrower is legally enforceable. The guidelines also provide that banks should establish and maintain prudent credit underwriting practices that are commensurate with the type of loans that the bank makes and take adequate account of concentration of credit risk. The guidelines further provide that banks should establish a system of independent, ongoing credit review, provide for appropriate communication to management and the board of directors, and take appropriate corrective actions to resolve problem assets.

19

Table of contents

The federal banking agencies have also adopted regulations that apply specifically to extensions of credit made by banks (including KeyBank) that are secured by liens or interests in real estate or made for the purpose of financing permanent improvements to real estate. Under these regulations, a bank is required to adopt and maintain policies that establish loan portfolio diversification standards, prudent underwriting standards (including loan-to-value limits) that are clear and measurable, loan administration procedures, and documentation, approval, and reporting requirements.

Cybersecurity and data privacy

Federal and state laws and regulations contain extensive data privacy and cybersecurity provisions. This is an area of considerable legislative and regulatory focus, and the requirements in this area are evolving. Key monitors these developments on a continual basis and when appropriate, updates its policies, procedures, and practices to reflect any new or revised requirements.

The Gramm-Leach-Bliley Act (“GLBA”) and implementing regulations require a financial institution to provide notice to customers of its privacy policies and practices, describe the conditions under which the financial institution may disclose nonpublic personal information to non-affiliated third parties, and provide consumers with a means to “opt-out” of having that information disclosed in certain circumstances. Other federal laws and regulations require financial institutions to provide customers with the choice to “opt-out” of having certain information shared among the financial institution’s affiliates while other provisions regulate the use by financial institutions of information from credit bureaus and the provision of information to such bureaus. Various state statutes and regulations impose additional data privacy protections.

The GLBA and other laws and regulations require financial institutions to adopt and implement a comprehensive written information security program that includes administrative, technical, and physical safeguards that are designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of such information (including cyber threats), protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer, and ensure the proper disposal of customer information. In addition, a financial institution is expected to have a response program that specifies actions to be taken if it detects that unauthorized individuals have gained access to customer information, including notifying affected customers of the breach. A financial institution is further expected to develop appropriate processes to recover data and resume business operations if business operations of the institution or a critical service provider are impacted by a cyber-attack.

Also, rules adopted by the federal banking agencies require a financial institution to notify its primary federal regulator within 36 hours of certain computer-security incidents, including an incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, an institution’s operations or activities or its ability to deliver products or services to a material portion of its customer base. In addition, the SEC has adopted final rules requiring public companies (including KeyCorp) to disclose on Form 8-K material cybersecurity incidents and to disclose annually on Form 10-K information regarding their cybersecurity risk management, strategy, and governance.

Governance standards

In 2014, the OCC adopted guidelines imposing heightened governance and risk management standards (the “Heightened Standards”) on national banks with average total consolidated assets of $50 billion or more (including KeyBank). The Heightened Standards (1) establish minimum standards for the design and implementation of a bank’s risk governance framework and (2) set forth minimum standards for the board of directors to follow in overseeing the bank’s risk governance framework’s design and implementation.

On December 23, 2025, the OCC issued a proposal to raise the threshold for applying the Heightened Standards to $700 billion in average total consolidated assets. In proposing to raise this threshold, the OCC noted that the Heightened Standards establish highly prescriptive standards and that the application of the standards may be justified only for the largest and most complex institutions. The OCC indicated that the institutions that would be excluded from the Heightened Standards under this proposal would still be expected to maintain robust governance frameworks, risk management systems, and processes that are tailored to their individual size, complexity, and risk

20

Table of contents

profile. If this proposal is adopted, KeyBank will no longer be subject to the Heightened Standards. Comments on this proposal are due by March 2, 2026.

Regulations adopted by the Federal Reserve to implement enhanced prudential standards under the Dodd-Frank Act and EGRRCPA require a BHC with $100 billion or more in total consolidated assets to have a risk committee of its board of directors that oversees the BHC’s risk management framework. These regulations set forth detailed requirements applicable to the risk committee and the chief risk officer of such a BHC.

In 2021, the Federal Reserve issued guidance setting forth supervisory expectations for boards of directors of large financial institutions, including BHCs with total consolidated assets of $100 billion or more (like KeyCorp). This guidance describes attributes of an effective board of directors. In addition, the Federal Reserve proposed, but has not finalized, guidance that describes core principles for effective senior management, business line management, and independent risk management of large financial institutions.

Consumer Financial Protection Bureau

The CFPB, which was created by the Dodd-Frank Act in 2010, was given the authority by that statute to regulate the offer and sale of consumer financial products and services, enforce federal consumer protection laws, and supervise certain providers of consumer financial products and services, including banks with over $10 billion in assets (such as KeyBank). The current U.S. presidential administration has announced its intention to close or substantially downsize the CFPB and has taken various actions to accomplish that objective, including issuing a stop work order to CFPB employees, terminating many CFPB employees, placing other CFPB employees on administrative leave, significantly reducing the CFPB’s annual funding through legislation, and refusing to request funding from the Federal Reserve. A union representing the CFPB’s employees and other interested parties brought a lawsuit in the United States District Court for District of Columbia, seeking a court order to stop the current U.S. presidential administration from dismantling the CFPB. On March 25, 2025, the court in that case issued a preliminary injunction, which enjoined the U.S. presidential administration from taking actions to dismantle the CFPB. The U.S. presidential administration has appealed this court order. On August 15, 2025, a three-judge panel of the United States Court of Appeals for the District of Columbia Circuit vacated the preliminary injunction issued by the District Court. On December 17, 2025, the District of Columbia Court of Appeals granted the plaintiffs’ request for an en banc rehearing of this decision. In addition, the refusal of the CFPB to request funds from the Federal Reserve has been challenged in three cases, and the District Court in one of those cases ruled on December 30, 2025 that the CFPB must request and accept new funds from the Federal Reserve to stay operational. Following the court’s ruling, the CFPB requested additional funding from the Federal Reserve. Key is monitoring developments in these cases.

While the current U.S. presidential administration has sought to close or downsize the CFPB, many states have sought to increase their enforcement of existing consumer protection laws and regulations. In addition, new consumer protection laws and regulations have been adopted or proposed in many states. Key is monitoring these developments.

Data collection and reporting for small business loans

On March 30, 2023, the CFPB issued a final rule to require certain lenders (including depository institutions such as KeyBank) to report detailed data on applications for credit submitted by small businesses, including those owned by women and minorities. This rule was issued to implement Section 1071 of the Dodd-Frank Act. Various lawsuits were brought to challenge this rule. In one of these lawsuits, the CFPB, on April 3, 2025, asked the court to hold the lawsuit in abeyance because the CFPB planned to issue a new proposed rulemaking on this subject. In that case and two other cases challenging the 1071 rule, courts stayed compliance with the rule for the parties in those cases. On October 2, 2025, the CFPB issued a final rule delaying compliance with the 1071 rule for all institutions covered by the rule. On November 13, 2025, the CFPB issued a proposal to streamline the 1071 rule and to scale back the scope of data collection required under the rule. Compliance with the revised rule would be delayed until January 1, 2028. Comments on this proposal were due by December 15, 2025. Key is monitoring developments regarding this matter.

21

Table of contents

Volcker Rule

The Volcker Rule implements Section 619 of the Dodd-Frank Act, which prohibits “banking entities,” such as KeyCorp, KeyBank and their affiliates and subsidiaries, from owning, sponsoring, or having certain relationships with hedge funds and private equity funds (referred to as “covered funds”) and engaging in short-term proprietary trading of financial instruments, including securities, derivatives, commodity futures and options on these instruments.

The Volcker Rule excepts certain transactions from the general prohibition against proprietary trading, including transactions in government securities (e.g., U.S. Treasuries or any instruments issued by the GNMA, FNMA, FHLMC, a Federal Home Loan Bank, or any state or a political division of any state, among others); transactions in connection with underwriting or market-making activities; and transactions as a fiduciary on behalf of customers. A banking entity may also engage in risk-mitigating hedging activity if it can demonstrate that the hedge reduces or mitigates a specific, identifiable risk or aggregate risk position of the entity. The banking entity is required to conduct an analysis supporting its hedging strategy and the effectiveness of the hedges must be monitored and, if necessary, adjusted on an ongoing basis.

Key does not anticipate that the proprietary trading or covered fund restrictions in the Volcker Rule will have a material impact on its business, but it was required to divest certain fund investments. Key has established monitoring programs to support compliance with the Volcker Rule’s restrictions.

Bank transactions with affiliates

Federal banking law and regulation imposes qualitative standards and quantitative limitations upon certain transactions by a bank with its affiliates, including the bank’s parent BHC and certain companies the parent BHC may be deemed to control for these purposes. Transactions covered by these provisions must be on arm’s-length terms, and cannot exceed certain amounts that are determined with reference to the bank’s regulatory capital. Moreover, if the transaction is a loan or other extension of credit, it must be secured by collateral in an amount and quality expressly prescribed by statute, and if the affiliate is unable to pledge sufficient collateral, the BHC may be required to provide it. These provisions significantly restrict the ability of KeyBank to fund its affiliates, including KeyCorp, KBCM, and KeyCorp’s nonbanking subsidiaries engaged in making merchant banking investments (and certain companies in which these subsidiaries have invested). The Dodd-Frank Act expanded the coverage and scope of these regulations, including by applying them to the credit exposure arising under derivative transactions, repurchase and reverse repurchase agreements, and securities borrowing and lending transactions.

Supervision, examination, and enforcement

KeyCorp is subject to the Federal Reserve’s supervisory rating system for large financial institutions, which includes BHCs with total consolidated assets of $100 billion or more (including KeyCorp) (“LFI Rating System”). The LFI Rating System provides a supervisory evaluation of whether an institution possesses sufficient operational strength and resilience to maintain safe and sound operations through a range of conditions and assesses an institution’s capital planning and positions, liquidity risk management and positions, and governance and controls. Ratings issued under the LFI Rating System are confidential.

On November 5, 2025, the Federal Reserve finalized revisions to the LFI Rating System. These revisions changed the component ratings that a firm must receive to be considered “well managed” for supervisory purposes. A firm that is not “well managed” faces limitations on certain activities and acquisitions. The Federal Reserve said that the revisions were intended to provide a more accurate assessment of a BHC’s financial and operational strength and resilience and better align the LFI Rating System with the rating systems used for other banking organizations.

Federal law grants substantial supervisory and enforcement powers to the federal banking agencies. The federal banking agencies may bring enforcement actions against banking organizations in various situations such as when an agency determines that a banking organization has committed a violation of law or regulation, is engaged in an unsafe or unsound practice, or has engaged in an act or practice that is unfair, deceptive, or abusive. In such enforcement actions, the federal banking agencies may, among other things, impose restrictions on an institution’s business, assess civil money penalties, or issue cease and desist orders against the banking organization or affiliated parties.

22

Table of contents

On October 7, 2025, the OCC and the FDIC issued a joint proposal for public comment that would define the term “unsafe or unsound practice” for purposes of the agencies’ supervisory and enforcement authority under Section 8 of the FDIA and would establish uniform standards for when the agencies may issue matters requiring attention (“MRAs”) and other supervisory communications in connection with the examination process. Under the proposal, the definition of an “unsafe or unsound practice” and the standard for issuing MRAs would focus on whether a practice involves a risk of material harm to the financial condition of a financial institution or a material risk of loss to the DIF. The OCC and the FDIC said that the proposed rule would promote greater clarity and certainty regarding supervisory and enforcement standards and would ensure that bank supervisors and examiners prioritize concerns related to material financial risks over concerns related to policies, processes, and documentation. Comments on this proposal were due by December 29, 2025.

On November 18, 2025, the Federal Reserve issued a statement of supervisory operating principles which indicated that MRAs issued by examiners should prioritize deficiencies that could have a material impact on a firm’s financial condition. The Federal Reserve said that work was underway to provide more specific guidance on this subject as well as guidance on the Federal Reserve’s interpretation of the standard for issuing enforcement actions based on unsafe or unsound practices.

Community Reinvestment Act

The Community Reinvestment Act (“CRA”) was enacted in 1977 to encourage depository institutions to help meet the credit needs of the communities that they serve, including low- and moderate-income (“LMI”) neighborhoods, consistent with the institutions’ safe and sound operations. The CRA requires the federal banking agencies to assess the record of each institution that they supervise in meeting the credit needs of its entire community, including LMI neighborhoods.

On October 24, 2023, the federal banking agencies adopted a final rule to substantially revise their regulations implementing the CRA. Various trade associations filed a lawsuit in the United States District Court for the Northern District of Texas seeking to invalidate the CRA final rule. On March 29, 2024, the court in that case issued a preliminary injunction barring the federal banking agencies from enforcing the CRA final rule pending the resolution of that lawsuit. The court’s decision is on appeal to the United States Court of Appeals for the Fifth Circuit. On April 1, 2025, the Fifth Circuit granted a request by the federal banking agencies to stay further proceedings in this case. On July 16, 2025, the federal banking agencies issued for public comment a proposal to rescind the CRA final rule that was issued in October 2023 and to reinstate the CRA framework that was in place prior to the issuance of that rule with certain technical amendments. The agencies said that they were doing so to restore certainty in the CRA framework for stakeholders and to limit regulatory burden on banks, while ensuring that banks continue to focus on the purpose of the CRA. Comments on the proposal were due by August 18, 2025. KeyBank will be subject to any changes that are made to the CRA regulations.

Long-term debt requirement

On August 29, 2023, the federal banking agencies issued for public comment a proposal that would require certain large BHCs and certain large IDIs to issue and maintain minimum amounts of long-term debt (“LTD”). This proposal would apply to Category II, III, and IV BHCs (including KeyCorp) and IDIs that (i) are not consolidated subsidiaries of U.S. global systemically important banks and (ii) have at least $100 billion in total assets (including KeyBank) or are affiliated with an IDI that has at least $100 billion in total assets. Under the proposal, the required minimum amount of LTD would be the greater of 6 percent of an entity’s total risk-weighted assets, 3.5 percent of an entity’s average total consolidated assets, and 2.5 percent of an entity’s total leverage exposure if it is subject to the supplementary leverage ratio. IDIs that are consolidated subsidiaries of BHCs would be required to issue the LTD to their parent company or another entity that consolidates the IDI.

Debt instruments issued to satisfy the minimum LTD requirement would have to meet certain criteria including, among other things, being unsecured, have a remaining maturity of more than one year, and not provide the holder with acceleration rights except in limited circumstances. BHCs subject to the proposal would also have to comply with certain “clean holding-company” requirements such as a cap on liabilities other than eligible LTD and a prohibition on entering into most qualified financial contracts with third parties. The proposal would provide a three-year transition period with the incremental phase-in of the requirements during this period. The federal banking agencies indicated that the proposal would improve the resolvability of the covered entities in case of their failure,

23

Table of contents

reduce costs to the DIF, and mitigate contagion and financial stability risks by reducing the risk of loss to uninsured depositors. Comments on the proposal were due by January 16, 2024.

Debit card interchange fee cap

On October 25, 2023, the Federal Reserve issued for public comment a proposal to lower the maximum interchange fee that a debit card issuer with $10 billion or more in total consolidated assets (including KeyBank) can receive for a debit card transaction. The interchange fee cap is currently set at the sum of 21 cents for each transaction plus an amount equal to 0.05% of the value of the transaction and a one cent fraud prevention adjustment for issuers that satisfy certain criteria. In the new proposal, the Federal Reserve proposed to lower the cap to the sum of 14.4 cents for each transaction plus an amount equal to 0.04% of the value of the transaction and a 1.3 cent fraud prevention adjustment. The Federal Reserve indicated that it was proposing this revision to the fee cap to reflect changes in issuer costs. The Federal Reserve also proposed to update the amount of the fee cap every other year going forward by using data it collects in a biennial survey of large debit card issuers. Comments on the proposal were due by May 12, 2024.

Personal financial data rights

On October 22, 2024, the CFPB issued a final rule to implement Section 1033 of the Dodd-Frank Act. The 1033 rule requires financial institutions (including KeyBank) to make available to consumers and authorized third parties data concerning covered consumer financial products or services in an electronic form usable by the consumer and authorized third parties. In adopting the rule, the CFPB said that the 1033 rule was a step towards bringing about an “open banking” system in the United States. Following the issuance of this rule, two trade associations and a national bank filed a lawsuit challenging the rule in the United States District Court for the Eastern District of Kentucky. In this lawsuit, the plaintiffs alleged that the CFPB exceeded its statutory authority in adopting the 1033 rule. On May 23, 2025, the CFPB filed a status report with the court saying that it agreed with the plaintiffs. On May 30, 2025, the parties challenging the rule and the CFPB filed a motion for summary judgment asking the court to invalidate the rule. In a summary judgment motion filed on June 29, 2025, the Financial Technology Association, which had been allowed to intervene in this case, asked the court to uphold the rule. Before the court issued a decision on the summary judgment motions, the CFPB asked the court to stay the litigation. On July 29, 2025, the court granted the CFPB’s request to stay the litigation. On August 21, 2025, the CFPB issued an advance notice of proposed rulemaking, asking the public to respond to a series of questions related to the 1033 rule. Comments were due by October 21, 2025. In a court filing in the case challenging the 1033 rule, the CFPB indicated that it plans to issue a revamped 1033 rule as an interim final rule. Key is monitoring developments regarding this matter.