152 added · 145 removed between the two most recent 10-Ks. The risks a company starts — or stops — disclosing are often the story.
Newly disclosed
On December 31, 2025, the FDIC announced that it will propose changes in 2026 to the resolution plan rule to incorporate guidance it issued in April 2025 and to make additional changes to take into account lessons learned from its review of the 2025 resolution plan submissions.
In 2021, the Federal Reserve issued guidance setting forth supervisory expectations for boards of directors of large financial institutions, including BHCs with total consolidated assets of $100 billion or more (like KeyCorp).
Also, as mandated by Section 954 of the Dodd-Frank Act, the SEC has adopted rules directing U.S. stock exchanges to establish listing standards that require listed companies to adopt policies providing for the recovery or clawback of incentive-based compensation received by current or former executive officers where such compensation is based on erroneous financial information which required an accounting restatement.
In one of these lawsuits, the CFPB, on April 3, 2025, asked the court to hold the lawsuit in abeyance because the CFPB planned to issue a new proposed rulemaking on this subject.
The interim final rule also provides that the FDIC will provide an offset to IDIs’ regular quarterly deposit insurance assessments if the aggregate amount collected exceeds losses following resolution of litigation between the FDIC and SVB’s parent company.
This guidance provides that such policies should (1) provide employees incentives that appropriately balance risk and reward, (2) are compatible with effective controls and risk management, and (3) are supported by strong corporate governance, including active and effective oversight by the organization’s board of directors.
The GLBA and other laws and regulations require financial institutions to adopt and implement a comprehensive written information security program that includes administrative, technical, and physical safeguards that are designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of such information (including cyber threats), protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer, and ensure the proper disposal of customer information.
In addition, a financial institution is expected to have a response program that specifies actions to be taken if it detects that unauthorized individuals have gained access to customer information, including notifying affected customers of the breach.
In addition, the SEC has adopted final rules requiring public companies (including KeyCorp) to disclose on Form 8-K material cybersecurity incidents and to disclose annually on Form 10-K information regarding their cybersecurity risk management, strategy, and governance.
A union representing the CFPB’s employees and other interested parties brought a lawsuit in the United States District Court for District of Columbia, seeking a court order to stop the current U.S. presidential administration from dismantling the CFPB.
The Federal Reserve said that work was underway to provide more specific guidance on this subject as well as guidance on the Federal Reserve’s interpretation of the standard for issuing enforcement actions based on unsafe or unsound practices.
In April 2025, the FDIC issued guidance to further clarify its expectations regarding resolution plan submissions.
No longer disclosed
On December 24, 2024, five trade associations filed a lawsuit against the Federal Reserve in the United States District Court for the Southern District of Ohio to challenge the stress testing framework on the basis that the current framework violates the Administrative Procedures Act and the Due Process Clause of the United States Constitution.
However, our exposures in those markets are limited (for example, approximately 5% of our multifamily portfolio is located in New York City, Chicago, Los Angeles, and San Francisco; we also have no exposure to rent controlled properties in New York City).
Key elected the CECL phase-in option provided by regulatory guidance which delayed for two years the estimated impact of CECL on regulatory capital and phases it in over three years beginning in 2022.
G-SIB (including KeyBank) to submit full resolution plans every three years, (iii) requires IDIs with total assets between $50 billion and $100 billion to submit informational filings every three years, (iv) requires triennial filers to submit more limited supplements in the off years, (v) enhances and clarifies the requirements for the content of resolution submissions, (vi) codifies certain 19 Table of contents aspects of guidance and feedback provided to filers subject to the current rule, (vii) expands expectations regarding engagement and capabilities testing, and (viii) establishes an enhanced credibility standard for the evaluation of resolution submissions.
For example, conflicts across the world, including the Russia-Ukraine war and the Israel-Hamas war, have proven to have a material impact on certain domestic commodity prices, impacting our borrowers' input costs and disrupting supply chains both domestically and abroad.
The parties bringing the lawsuit indicated that they do not object to the use of stress tests to set stress capital buffer requirements but that they want to ensure that the Federal Reserve subjects the stress tests to public notice and comment and complies with other applicable legal requirements.
Minimum Capital Ratios and KeyCorp Ratios Under Regulatory Capital Rules Ratios (including stress capital buffer) Regulatory Minimum Requirement Stress Capital Buffer (b) Regulatory Minimum With Stress Capital Buffer KeyCorp December 31, 2024 (c) Common Equity Tier 1 4.50 % 3.10 % 7.60 % 11.92 % Tier 1 Capital 6.00 3.10 9.10 13.69 Total Capital 8.00 3.10 11.10 16.15 Leverage (a) 4.00 N/A 4.00 10.03 (a) As a standardized approach banking organization, KeyCorp is not subject to the 3% supplementary leverage ratio requirement, which became effective January 1, 2018.
However, KeyCorp will be subject to the supplementary leverage ratio if proposed revisions to the Regulatory Capital Rules discussed below are adopted. 13 Table of contents As of December 31, 2024, KeyBank (consolidated) satisfied the risk-based and leverage capital requirements necessary to be considered “well capitalized” for purposes of the revised prompt corrective action framework.
On January 19, 2021, the Federal Reserve issued a final rule to make conforming changes to the capital planning, regulatory reporting, and stress capital buffer requirements for firms subject to Category IV standards (including KeyCorp) to make these requirements consistent with the tailored regulatory framework for large banking organizations that the Federal Reserve adopted in an October 2019 rulemaking.
On December 23, 2024, the Federal Reserve announced that it intends to propose changes to its stress testing framework in order to improve the transparency of the stress tests and reduce the volatility of the resulting capital 16 Table of contents requirements.
Because the estimated loss to the DIF from the use of the systemic risk exception will be periodically adjusted and because the total assessments collected may change due to corrective amendments filed by covered IDIs regarding the reported amount of uninsured deposits for the December 31, 2022 reporting period, the FDIC may cease collection of the special assessment early, extend the special assessment collection period, or impose a final shortfall special assessment.
Based on the quarterly invoices Key received from the FDIC in June 2024, September 2024, and December 2024, Key recorded an incremental pre-tax expense of $5 million in the second quarter of 2024, and a reversal of pre-tax expense of $6 million and $3 million in the third and fourth quarter of 2024 , respectively, to true-up initial estimates to invoiced amounts.