Our ability to manage risk is dependent on our ability to
consistently execute all elements of our risk management
program, develop and maintain a culture of managing risk well
throughout the Corporation and manage risks associated with
third parties, including providers of products and/or services, to
allow for effective risk management and help confirm that risks
are appropriately considered, evaluated and responded to in a
timely manner. Uncertain economic and geopolitical conditions,
health emergencies and pandemics, heightened legislative and
regulatory scrutiny of and change within the financial services
industry, the pace of technological changes, accounting, tax and
market developments, the failure of employees, representatives
and third parties to comply with our policies and Risk Framework
and the overall complexity of our operations, among other
developments, have in the past and may in the future result in a
heightened level of risk, including operational, reputational and
compliance risk. Our failure to manage evolving risks or properly
anticipate, manage, control or mitigate risks could result in
additional losses and adversely affect our results of operations.
Regulatory, Compliance and Legal
We are highly regulated and subject to evolving government
legislation and regulations and certain settlements, orders and
agreements with government authorities from time to time.
Our businesses are highly regulated and we are subject to
evolving and comprehensive regulation under federal and state
laws in the U.S. and the laws of the various foreign jurisdictions
in which we operate, including increasing and complex economic
sanctions regimes. These laws and regulations significantly
affect and have the potential to restrict the scope of our existing
businesses, require changes to our business strategies, limit
our ability to pursue certain business opportunities, including
the products and services we offer, reduce certain fees and
rates and/or make our products and services more expensive
for our clients. We are also required to file various financial and
nonfinancial regulatory reports to comply with laws, rules and
regulations in the jurisdictions in which we operate, which
results in additional compliance risk.
We continue to adjust our business and operations, legal
entity structure, disclosure and policies, processes, procedures
and controls, including with regard to capital and liquidity
management, risk management and data management, in an
effort to comply with laws, rules and regulations, as well as
evolving expectations, guidance and interpretation by regulatory
authorities, including the Department of Treasury (including the
Internal Revenue Service (IRS) and OFAC), Federal Reserve,
OCC, CFPB, Financial Stability Oversight Council, FDIC,
Department of Labor, SEC and CFTC in the U.S., foreign
regulators, other government authorities and self-regulatory
organizations. Further, we expect to become subject to future
laws, rules and regulations beyond those currently proposed,
adopted or contemplated in the U.S. or abroad, as well as
evolving interpretations of existing and future laws, rules and
regulations, which may include policies and rulemaking related
to FDIC assessments, loss allocations between financial
institutions and customers with regard to the use of our
products and services, including electronic payments, emerging
technologies, such as the development and use of AI and
machine learning, cybersecurity and data, and further climate
risk management and ESG reporting, including emissions and
sustainability disclosure. The cumulative effect of all of the
current and possible future legislation and regulations, as well
as related interpretations, on our litigation and regulatory
exposure, businesses, operations and profitability remains
uncertain and necessitates that we make certain assumptions
with respect to the scope and requirements of existing,
prospective and proposed laws, rules and regulations in our
business planning and strategies. If these assumptions prove
incorrect, we could be subject to increased regulatory, legal and
compliance risks and costs, as well as potential reputational
harm. Also, U.S. regulatory initiatives and those abroad may
overlap, and non-U.S. regulation and initiatives may be
inconsistent or may conflict with current or proposed U.S.
regulations, which could lead to compliance risks and increased
costs.
Our regulators’ prudential and supervisory authority gives
them broad power and discretion to direct our actions, and they
have assumed an active oversight, inspection and investigatory
role across the financial services industry. Regulatory focus is
not limited to laws, rules and regulations applicable to the
financial services industry, but includes other significant laws,
rules and regulations that apply across industries and
jurisdictions, including those related to anti-money laundering,
anti-bribery, anti-corruption, know-your-customer requirements,
embargo programs and economic sanctions.
We are also subject to laws, rules and regulations in the
U.S. and abroad, including the GDPR and CCPA as modified by
the CPRA, and a number of additional jurisdictions enacting or
considering similar laws or amendments to existing laws,
regarding privacy and the disclosure, collection, use, sharing
and safeguarding of personally identifiable information, including
that of our employees, customers, suppliers, counterparties and
other third parties, the violation of which could result in
litigation, regulatory fines, enforcement actions and operational
loss.
Additionally, we are and will continue to be subject to new and
evolving data privacy laws in the U.S. and abroad, which could
result in additional costs of compliance, litigation, regulatory
fines and enforcement actions. There remains complexity and
uncertainty, including potential suspension or prohibition,
regarding data transfer because of concerns over compliance
with laws, rules and regulations for cross-border flows and
transfers of personal data from the European Economic Area
(EEA) to the U.S. and other jurisdictions outside of the EEA,
resulting from judicial and regulatory guidance. To the extent
that a new EU-U.S. Data Privacy Framework leads to a relaxation
of applicable legislation and regulations, regardless of transfer
mechanism, challenges are expected from consumer advocacy
groups. Other jurisdictions, including China and India, have
commenced consultation efforts or enacted new legislation or
regulations to establish standards for personal data transfers. If
cross-border personal data transfers are suspended or
restricted or we are required to implement distinct processes for
each jurisdiction’s standards, this could result in operational
disruptions to our businesses, additional costs, increased
enforcement activity, new contract negotiations with third
parties, and/or modification of such data management.
As part of their enforcement authority, our regulators and
other government authorities have the authority to, among other
things, conduct investigations and assess significant civil or
criminal monetary fines, penalties or restitution, issue cease
and desist orders, suspend or withdraw licenses and
authorizations, initiate injunctive action, apply regulatory
sanctions or cause us to enter into consent orders. The
amounts paid by us and other financial institutions to settle
proceedings or investigations have, in some instances, been
substantial and may increase. In some cases, governmental
authorities have required criminal pleas or other extraordinary
terms as part of such resolutions, which could have significant
consequences, including reputational harm, loss of customers,
restrictions on the ability to access capital markets, and the
inability to operate certain businesses or offer certain products.
17 Bank of America