121 added · 149 removed between the two most recent 10-Ks. The risks a company starts — or stops — disclosing are often the story.
Newly disclosed
For example, as a result of the GENIUS Act, passed in 2025 to provide a regulatory framework for stablecoins in the U.S., increased competition may emerge from issuers of stablecoins and providers of related technology.
Fifth Third has exposure to counterparties in the financial services industry and other industries and routinely executes transactions with such counterparties, which may expose Fifth Third to credit risk in the event of default of a counterparty or client.
For further information, refer to Regulation and Supervision in Item 1 of this Annual Report on Form 10-K and Note 3 of the Notes to Consolidated Financial Statements. 28 Fifth Third Bancorp Table of Contents OPERATIONAL RISKS Fifth Third’s business is dependent on the availability and performance of operational and information technology systems, including those provided by third-party service providers.
Any failures or disruptions of Fifth Third’s systems or operations, including in connection with outages or disruptions of systems provided by third parties, could adversely affect Fifth Third’s business and results of operations by subjecting Fifth Third to losses or liability, among other negative impacts, including reputational harm, litigation, regulatory fines or penalties or losses not covered by insurance.
Fifth Third and its service providers are exposed to cybersecurity risks, including risk of cyber-attacks and other information security breaches, which create both operational and reputational risk for the Bank and its customers across all lines of business.
Additionally, security breaches involving the loss, mishandling, theft or corruption of customer or client information could result in adverse consequences including financial losses to Fifth Third's customers, litigation, regulatory sanctions, lost customers and revenue, increased costs and reputational harm.
AI is under ongoing scrutiny by various governmental and regulatory bodies, with federal, state and international authorities either implementing or considering legal frameworks that could impact Fifth Third’s ability to leverage AI effectively.
The limited experience with novel AI algorithms or applications within financial services generally, coupled with the swift pace of technological advancements and the rapid adoption of AI by Fifth Third’s partners and competitors, may hinder Fifth Third’s ability to effectively mitigate or detect these risks.
If Fifth Third is unable to attract and retain qualified employees, or do so at rates necessary to maintain its competitive position, or if compensation costs required to attract and retain employees become more expensive, Fifth Third’s performance, including its competitive position, could be materially adversely affected. 31 Fifth Third Bancorp Table of Contents LEGAL AND REGULATORY COMPLIANCE RISKS Fifth Third and/or its affiliates are or may become involved from time to time in information-gathering requests, investigations and litigation, regulatory or other enforcement proceedings by various governmental regulatory agencies and law enforcement authorities, as well as self-regulatory agencies, which may lead to adverse consequences.
If Fifth Third breaches contractual representations or warranties and does not remedy the breach within a specified period, it may be required to repurchase loans, indemnify the securitization trust, investor, or insurer, or reimburse them for credit losses.
Difficulties in identifying suitable acquisition or investment opportunities, integrating acquisitions, or evaluating or entering into strategic investments and relationships may hinder Fifth Third from achieving the expected benefits from these acquisitions, investments or relationships.
If Fifth Third’s risk management framework proves ineffective, Fifth Third could incur litigation costs, negative regulatory consequences, reputational damages among other adverse consequences and Fifth Third could suffer unexpected losses that may affect its financial condition or results of operations.
No longer disclosed
Fifth Third may also be subject to disruptions of its operating systems arising from events that are beyond its control (for example, cyber-attacks, equipment failure, or electrical or telecommunications outages).
Such mishandling or misuse could include circumstances where, for example, such information was erroneously provided to parties who are not permitted to have the information, either through the fault of the Bancorp’s systems, employees or counterparties, or where such information was intercepted or otherwise compromised by threat actors.
The Bancorp may be subject to disruptions of its operating systems arising from events that are wholly or partially beyond the 28 Fifth Third Bancorp Table of Contents Bancorp’s control, which may include, for example, security breaches; electrical or telecommunications outages; failures of computer components or servers or other damage to the Bancorp’s property or assets; natural disasters or severe weather conditions; health emergencies; or events arising from local or larger-scale political events, including outbreaks of hostilities or terrorist acts.
Heightened standards under proposed and recently finalized laws or regulations, or regulations soon to enter into force whose enforcement is yet to begin (such as, for example, capital and liquidity rules, or heightened Community Reinvestment Act standards), may result in increased obligations and compliance costs, may result in supervisory or enforcement action and may factor into Fifth Third’s ability to expand services and/or engage in new actions.
As an example, borrowers may “strategically default,” or discontinue making payments on their real estate-secured loans if the value of the real estate is less than what they owe, even if they are still financially able to make the payments.
While Fifth Third heavily invests in information security, technical resiliency, business continuity and disaster recovery planning, and has policies and procedures designed to detect, limit, and prevent the impact of these possible events, there can be no assurance that any such failure, interruption or security breach will not occur or, if any does occur, that it can be remediated in such a way to eliminate the risk.
Additionally, security breaches or the loss, theft or corruption of customer information such as social security numbers, credit card numbers, account balances or other information could result in losses by Fifth Third's customers, litigation, regulatory sanctions, lost customers and revenue, increased costs and significant reputational harm.
Any failures or disruptions of the Bancorp’s systems or operations could give rise to losses in service to customers and clients, adversely affect the Bancorp’s business and results of operations by subjecting the Bancorp to losses or liability, or require the Bancorp to expend significant resources to correct the failure or disruption, as well as by exposing the Bancorp to reputational harm, litigation, regulatory fines or penalties or losses not covered by insurance.
The Bancorp could also be adversely affected if it loses access to information or services from a third-party service provider as a result of a security breach or system or operational failure, or disruption affecting the third-party service provider.
In addition, Fifth Third’s implementation of certain new technologies, such as those related to artificial intelligence, automation and algorithms, in Fifth Third’s business processes may have unintended consequences due to its limitations or its failure to use them effectively.
LEGAL AND REGULATORY COMPLIANCE RISKS Fifth Third and/or its affiliates are or may become involved from time to time in information-gathering requests, investigations and litigation, regulatory or other enforcement proceedings by various governmental regulatory agencies and law enforcement authorities, as well as self-regulatory agencies which may lead to adverse consequences.
Fifth Third may be required to repurchase residential mortgage loans, indemnify the securitization trust, investor or insurer, or reimburse the securitization trust, investor or insurer, for credit losses incurred on loans in the event of a breach of contractual representations or warranties that is not remedied within a specified period (usually 60 days or less) after Fifth Third receives notice of the breach.