What changed in KeyCorp's 2025 10-K compared to 2024?

Across the narrative sections we track, KeyCorp (KEY) added 631 paragraphs, removed 619, and edited 439 between the 2024 and 2025 10-K filings. The biggest movers are Item 7. Management's Discussion & Analysis (+271/−289), Item 1. Business (+185/−169), Item 1A. Risk Factors (+132/−122).

Did KeyCorp add new Risk Factors in the 2025 10-K?

Yes — Item 1A Risk Factors shows 132 new/edited paragraphs and 122 removed paragraphs versus the 2024 10-K.

What changed in KeyCorp's MD&A (Item 7) in 2025?

Item 7 Management's Discussion & Analysis shows 271 new/edited paragraphs and 289 removed paragraphs year-over-year. Read the side-by-side diff to see exactly which revenue, margin, and outlook commentary was rewritten.

Did KeyCorp update its Cybersecurity disclosure (Item 1C) in 2025?

Item 1C Cybersecurity has 32 paragraph-level changes between the 2024 and 2025 filings.

Where does this KEY 10-K diff come from?

The source filings are KeyCorp's official 2024 and 2025 Form 10-K annual reports from SEC EDGAR. 10q10k.net parses each filing, aligns paragraphs by section (Item 1, 1A, 1C, 2, 3, 7, 7A), and highlights every added, removed and edited sentence side-by-side.

What changed in KeyCorp's 10-K — 2024 vs 2025

Paragraph-level year-over-year comparison of KeyCorp's 2024 and 2025 10-K annual filings, covering the Business, Risk Factors, Legal Proceedings, Cybersecurity, MD&A and Market Risk sections. Every new, removed and edited paragraph is highlighted side-by-side so you can see exactly what management changed in the 2025 report.

+631 added−619 removedSource: 10-K (2026-02-23) vs 10-K (2025-02-21)

Top changes in KeyCorp's 2025 10-K

631 paragraphs added · 619 removed · 439 edited across 6 sections

Item 7. Management's Discussion & Analysis+271 / −289 · 211 edited
Item 1. Business+185 / −169 · 103 edited
Item 1A. Risk Factors+132 / −122 · 93 edited
Item 1C. Cybersecurity+32 / −30 · 27 edited
Item 5. Market for Registrant's Common Equity+9 / −7 · 3 edited

Item 1. Business

Business — how the company describes what it does

103 edited+82 added−66 removed91 unchanged

2024 filing

2025 filing

Biggest changeG-SIB (including KeyBank) to submit full resolution plans every three years, (iii) requires IDIs with total assets between $50 billion and $100 billion to submit informational filings every three years, (iv) requires triennial filers to submit more limited supplements in the off years, (v) enhances and clarifies the requirements for the content of resolution submissions, (vi) codifies certain 19 Table of contents aspects of guidance and feedback provided to filers subject to the current rule, (vii) expands expectations regarding engagement and capabilities testing, and (viii) establishes an enhanced credibility standard for the evaluation of resolution submissions.

Biggest changeG-SIB (including KeyBank) to submit full resolution plans every three years and more limited supplements in the off years, and (iii) expands expectations regarding engagement with the FDIC and capabilities testing. The final rule was effective on October 1, 2024.

The Commercial operating segment is a full-service, commercial banking platform that focuses primarily on serving the borrowing, cash 6 Table of contents management, and capital markets needs of middle market clients within Key’s 15-state branch footprint. The Institutional operating segment operates nationally in providing lending, equipment financing, and banking products and services to large corporate and institutional clients.

The Commercial operating segment is a full-service, commercial banking platform that focuses primarily on serving the borrowing, cash management, and capital markets needs of middle market clients within Key’s 15-state branch footprint. The 6 Table of contents Institutional operating segment operates nationally in providing lending, equipment financing, and banking products and services to large corporate and institutional clients.

Recent regulatory capital-related developments On July 27, 2023, the federal banking agencies issued a proposal (the “Capital Proposal”) that would make significant changes to the Regulatory Capital Rules applicable to banking organizations with total assets of $100 billion or more and their depository institution subsidiaries (“Large Banking Organizations”) (including KeyCorp and KeyBank) and banking organizations with significant trading activity.

Regulatory capital-related developments On July 27, 2023, the federal banking agencies issued a proposal (the “Capital Proposal”) that would make significant changes to the Regulatory Capital Rules applicable to banking organizations with total assets of $100 billion or more and their depository institution subsidiaries (“Large Banking Organizations”) (including KeyCorp and KeyBank) and banking organizations with significant trading activity.

Under federal law, a BHC also must serve as a source of financial strength to its subsidiary depository institution(s) by providing financial assistance in the event of financial distress. This support may be required when the BHC does not have the resources to, or would prefer not to, provide it.

Source of strength doctrine Under federal law, a BHC also must serve as a source of financial strength to its subsidiary depository institution(s) by providing financial assistance in the event of financial distress. This support may be required when the BHC does not have the resources to, or would prefer not to, provide it.

Prudential standards were required to include enhanced risk-based capital requirements and leverage limits, liquidity requirements, risk-management and risk committee requirements, resolution plan requirements, credit exposure report requirements, single counterparty credit limits (“SCCL”), supervisory and company-run stress test requirements and, for certain financial companies, a debt-to-equity limit.

Prudential standards were required to include enhanced risk-based capital requirements and leverage limits, liquidity requirements, risk-management and risk committee requirements, resolution plan requirements, credit exposure report requirements, single counterparty credit limits, supervisory and company-run stress test requirements, and for certain financial companies, a debt-to-equity limit.

Gorman has been Chairman, Chief Executive Officer, and President of KeyCorp since May 1, 2020. Mr. Gorman previously served as President and Chief Operating Officer from September 2019 to May 2020 and President of Banking and Vice Chairman from 2017 to September 2019.

Gorman (65) - Mr. Gorman has been Chairman, Chief Executive Officer, and President of KeyCorp since May 1, 2020. Mr. Gorman previously served as President and Chief Operating Officer from September 2019 to May 2020 and President of Banking and Vice Chairman from 2017 to September 2019.

Because Mo Ramani and James Waters have been employed at KeyCorp for less than five years, information is being provided concerning their prior business experience. There are no family relationships among the directors or the executive officers, and there is no arrangement or understanding between any executive officer and any other person pursuant to which the executive officer was selected.

Because Mohit Ramani and James Waters have been employed at KeyCorp for less than five years, information is being provided concerning their prior business experience. There are no family relationships among the directors or the executive officers, and there is no arrangement or understanding between any executive officer and any other person pursuant to which the executive officer was selected.

Khayat has been Chief Financial Officer since March 2023 and an executive officer since September 2018. Mr. Khayat rejoined KeyCorp as Chief Strategy Officer in January 2018 and served in that role until March 2023. Mr. Khayat had previously served as Head of Key’s Enterprise Commercial Payments group from April 2014 to June 2016. Allyson M. Kidik (45) - Ms.

KeyCorp is no longer required to submit a resolution plan because of the rule change discussed below while KeyBank remains subject to resolution plan requirements as discussed below. BHCs with less than $250 billion in total consolidated assets are no longer required to submit a resolution plan unless they have $75 billion or more in certain risk-based indicators.

KeyCorp is no longer required to submit a resolution plan because of the rule change discussed below while KeyBank remains subject to resolution plan requirements as discussed below. Category IV BHCs with less than $250 billion in total consolidated assets are no longer required to submit a resolution plan unless they have $75 billion or more in certain risk-based indicators.

Basel III To address deficiencies in the international regulatory capital standards identified during the 2007-2009 global financial crisis, in 2010 the Basel Committee released comprehensive revisions to the international regulatory capital framework, commonly referred to as “Basel III.” The Basel III revisions are designed to strengthen the quality and quantity of regulatory capital, in part through the introduction of a Common Equity Tier 1 capital requirement; provide more comprehensive and robust risk coverage, particularly for securitization exposures, equities, and off-balance sheet positions; and address pro-cyclicality concerns through the implementation of capital 12 Table of contents buffers.

Basel III To address deficiencies in the international regulatory capital standards identified during the 2007-2009 global financial crisis, the Basel Committee in 2010 released comprehensive revisions to the international regulatory capital framework, commonly referred to as “Basel III.” The Basel III revisions are designed to strengthen the quality and quantity of regulatory capital, in part through the introduction of a Common Equity Tier 1 capital requirement; provide more comprehensive and robust risk coverage, particularly for securitization exposures, equities, and off-balance sheet positions; and address pro-cyclicality concerns through the implementation of capital buffers.

The Consumer Bank serves individuals and small businesses throughout our 15-state branch footprint and through our Laurel Road digital brand by offering a variety of deposit and investment products, personal finance and financial wellness services, lending, student loan refinancing, mortgage and home equity, credit card, treasury services, and business advisory services.

The Consumer Bank serves individuals and small businesses throughout our 15-state branch footprint and through our digital brand by offering a variety of deposit and investment products, personal finance and financial wellness services, lending, student loan refinancing, mortgage and home equity, credit card, treasury services, and business advisory services.

From 2016 to 2017, he served as Merger Integration Executive responsible for leading the integration efforts related to KeyCorp’s merger with First Niagara. Prior to that, Mr. Gorman was the President of Key Corporate Bank from 2010 to 2016. He became an executive officer of KeyCorp in 2010. Clark H.I. Khayat (53) - Mr.

As an FHC, KeyCorp is subject to regulation, supervision, and examination by the Federal Reserve under the BHCA. Our national bank subsidiaries and their subsidiaries are subject to regulation, supervision, and examination by the OCC. At December 31, 2024, we operated one full-service, FDIC-insured national bank subsidiary, KeyBank, and one national bank subsidiary that is limited to fiduciary activities.

As an FHC, KeyCorp is subject to regulation, supervision, and examination by the Federal Reserve under the BHCA. Our national bank subsidiaries and their subsidiaries are subject to regulation, supervision, and examination by the OCC. At December 31, 2025, we operated one full-service, FDIC-insured national bank subsidiary, KeyBank, and one national bank subsidiary that is limited to fiduciary activities.

Additional information pertaining to our two business segments is included in the “Business Segment Results” section in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations of this report, and in Note 25 (“Business Segment Reporting”) of the Notes to Consolidated Financial Statements presented in Item 8.

Additional information pertaining to our two business segments is included in the “Business Segment Results” section in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations of this report, and in Note 23 (“Business Segment Reporting”) of the Notes to Consolidated Financial Statements presented in Item 8.

We have made other compensation adjustments in response to market trends, competitive pressures, and a dynamic market for talent. These investments include a comprehensive and competitive total rewards program, representing our investment in our teammates’ collective success and reflecting our commitment to helping them thrive.

In recent years, we have made other compensation adjustments in response to market trends, competitive pressures, and a dynamic market for talent. These investments include a comprehensive and competitive total rewards program, representing our investment in our teammates’ collective success and reflecting our commitment to helping them thrive.

As a standardized approach banking organization, KeyCorp is not subject to the countercyclical capital buffer of up to 2.5% imposed upon an advanced approaches banking organization under the Regulatory Capital Rules. However, KeyCorp will be subject to the countercyclical capital buffer if proposed revisions to the Regulatory Capital Rules discussed below are adopted.

Specifically, the FSOC is authorized to: (i) identify risks to U.S. financial stability that could arise from the material financial distress or failure, or ongoing activities, of large, interconnected SIFIs, or that could arise outside the financial services marketplace; (ii) promote market discipline by eliminating expectations that the U.S. government will shield shareholders, creditors, and counterparties from losses in the event of failure; and (iii) respond to emerging threats 11 Table of contents to the stability of the U.S. financial system.

Revised prompt corrective action framework The federal prompt corrective action (“PCA”) framework under the FDIA groups FDIC-insured depository institutions into one of five prompt corrective action capital categories: “well capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized,” and “critically undercapitalized.” In addition to implementing the Basel III capital framework in the United States, the Regulatory Capital Rules also revised the PCA capital category threshold ratios applicable to FDIC-insured depository institutions such as KeyBank.

Revised prompt corrective action framework The federal Prompt Corrective Action (“PCA”) framework under the FDIA groups FDIC-insured depository institutions into one of five prompt corrective action capital categories: “well capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized,” and “critically undercapitalized.” In addition to implementing the Basel III capital framework in the United States, the Regulatory Capital Rules also revised the PCA capital category 13 Table of contents threshold ratios applicable to FDIC-insured depository institutions such as KeyBank.

The OCC’s recovery planning guidelines require large OCC-regulated banks to develop and maintain a recovery plan that identifies triggers and options for responding to a wide range of severe internal and external stress scenarios so that the bank can be restored to financial strength and viability in a timely manner if it were to experience such stress situations.

The OCC has issued recovery planning guidelines that require large OCC-regulated banks to develop and maintain a recovery plan that identifies triggers and options for responding to a wide range of severe internal and external stress scenarios so that the bank can be restored to financial strength and viability in a timely manner if it were to experience such stress situations.

If the contractual counterparty made a claim against the receivership (or conservatorship) for breach of contract, the amount paid to the counterparty would depend upon, among other factors, the receivership (or conservatorship) assets available to pay the claim and the priority of the claim relative to others.

If the contractual counterparty makes a claim against the receivership (or conservatorship) for breach of contract, the amount paid to the counterparty would depend upon, among other factors, the receivership (or conservatorship) assets available to pay the claim and the priority of the claim relative to others.

Under the FDIA, the loss to the DIF arising from the use of the systemic risk exception must be recovered through one or more special assessments. 17 Table of contents On November 16, 2023, the FDIC issued a final rule to impose a special assessment on IDIs to recover the loss to the DIF resulting from the use of the systemic risk exception to protect the uninsured depositors of SVB and Signature.

Under the FDIA, the loss to the DIF arising from the use of the systemic risk exception must be recovered through one or more special assessments. 16 Table of contents On November 16, 2023, the FDIC issued a final rule to impose a special assessment on IDIs (including KeyBank) to recover the loss to the DIF resulting from the use of the systemic risk exception to protect the uninsured depositors of SVB and Signature.

The FSOC is responsible for facilitating regulatory coordination; information collection and sharing; designating nonbank financial companies for consolidated supervision by the Federal Reserve; designating systemic financial market utilities and systemic payment, clearing, and settlement activities requiring prescribed risk management standards and heightened federal regulatory oversight; recommending stricter standards for SIFIs; and, together with the Federal Reserve, determining whether action should be taken to break up firms that pose a grave threat to U.S. financial stability.

The FSOC is responsible for facilitating regulatory coordination; information collection and sharing; designating nonbank financial companies for consolidated supervision by the Federal Reserve; designating 11 Table of contents systemic financial market utilities and systemic payment, clearing, and settlement activities requiring prescribed risk management standards and heightened federal regulatory oversight; recommending stricter standards for SIFIs; and, together with the Federal Reserve, determining whether action should be taken to break up firms that pose a grave threat to U.S. financial stability.

This stress capital buffer became effective on October 1, 2024 and will remain in effect until September 30, 2025, unless KeyCorp later receives an updated stress capital buffer requirement from the Federal Reserve.

This stress capital buffer became effective on October 1, 2025, and will remain in effect until September 30, 2026, unless KeyCorp later receives an updated stress capital buffer requirement from the Federal Reserve.

Note 25 (“Business Segment Reporting”) describes the products and services offered by each of these business segments and provides more detailed financial information pertaining to the segments, including changes in basis of presentation.

Note 23 (“Business Segment Reporting”) describes the products and services offered by each of these business segments and provides more detailed financial information pertaining to the segments, including changes in basis of presentation.

However, KeyCorp will be subject to the supplementary leverage ratio if proposed revisions to the Regulatory Capital Rules discussed below are adopted. (b) Stress capital buffer must consist of Common Equity Tier 1 capital.

However, KeyCorp will be subject to the supplementary leverage ratio if proposed revisions to the Regulatory Capital Rules are adopted. (b) Stress capital buffer must consist of Common Equity Tier 1 capital.

The proposed revisions to the Regulatory Capital Rules are discussed below under the heading “Recent regulatory capital-related developments.” For purposes of the Regulatory Capital Rules, KeyCorp and KeyBank are treated as “standardized approach” banking organizations.

The proposed revisions to the Regulatory Capital Rules are discussed below under the heading “Regulatory capital-related developments.” For purposes of the Regulatory Capital Rules, KeyCorp and KeyBank are treated as “standardized approach” banking organizations.

Supervision and Regulation The regulatory framework applicable to BHCs and banks is intended primarily to protect consumers, the DIF, taxpayers and the banking system as a whole, rather than to protect the security holders and creditors of financial services companies. Comprehensive reform of the legislative and regulatory environment for financial services companies occurred in 2010 and remains ongoing.

Under the Regulatory Capital Rules, standardized approach banking organizations, such as KeyCorp and KeyBank, are required to meet the minimum capital and leverage ratios set forth in the following table. At December 31, 2024, KeyCorp’s ratios under the fully phased-in Regulatory Capital Rules are set forth in the following table.

Under the Regulatory Capital Rules, standardized approach banking organizations, such as KeyCorp and KeyBank, are required to meet the minimum capital and leverage ratios set forth in the following table. At December 31, 2025, KeyCorp’s ratios under the fully phased-in Regulatory Capital Rules were as set forth in the following table.

Supervision and governance KeyCorp is subject to the Federal Reserve’s supervisory rating system for large financial institutions, which includes BHCs with total consolidated assets of $100 billion or more (including KeyCorp) (“LFI Rating System”).

Supervision, examination, and enforcement KeyCorp is subject to the Federal Reserve’s supervisory rating system for large financial institutions, which includes BHCs with total consolidated assets of $100 billion or more (including KeyCorp) (“LFI Rating System”).

FDIA, Resolution Authority and Financial Stability Deposit insurance and assessments The DIF provides insurance coverage for domestic deposits funded through assessments on insured depository institutions like KeyBank. The amount of deposit insurance coverage for each depositor’s deposits is $250,000 per depository.

FDIA, Resolution Authority and Financial Stability Deposit insurance and assessments The DIF provides insurance coverage for domestic deposits funded through assessments on IDIs like KeyBank. The amount of deposit insurance coverage for each depositor’s deposits is $250,000 per depository.

If an insured depository institution fails, insured and uninsured depositors, along with the FDIC, will be placed ahead of unsecured, nondeposit creditors, including the institution’s parent BHC and subordinated creditors, in order of priority of payment.

If an IDI fails, insured and uninsured depositors, along with the FDIC, will be placed ahead of unsecured, nondeposit creditors, including the institution’s parent BHC and subordinated creditors, in order of priority of payment.

On October 18, 2022, the FDIC adopted a final rule, applicable to all insured depository institutions (including KeyBank), to increase the initial base deposit insurance assessment rate schedules uniformly by two basis points consistent with the Amended Restoration Plan approved by the FDIC on June 21, 2022.

On October 18, 2022, the FDIC adopted a final rule, applicable to all IDIs (including KeyBank), to increase the initial base deposit insurance assessment rate schedules uniformly by two basis points consistent with the Amended Restoration Plan approved by the FDIC on June 21, 2022.

Kidik has been the Chief Risk Review Officer and General Auditor and an executive officer of KeyCorp since July 2022. Ms. Kidik previously served as Senior Deputy General Auditor from 2018 to 2022 and Deputy General Auditor from 2015 to 2018. Angela G. Mago (59) - Ms. Mago has served as the Chief Human Resources Officer since November 2023.

Kidik has been the Chief Auditor and an executive officer of KeyCorp since July 2022. Ms. Kidik previously served as Senior Deputy General Auditor from 2018 to 2022 and Deputy General Auditor from 2015 to 2018. Angela G. Mago (60) - Ms. Mago has served as the Chief Human Resources Officer since November 2023.

Capital planning and stress testing The Federal Reserve’s capital plan rule requires each U.S.-domiciled, top-tier BHC with total consolidated assets of at least $100 billion (like KeyCorp) to develop and maintain a written capital plan supported by a robust internal capital adequacy process.

Capital planning, stress testing, and stress capital buffer The Federal Reserve’s capital plan rule requires each U.S.-domiciled, top-tier BHC with total consolidated assets of at least $100 billion (like KeyCorp) to develop and maintain on an annual basis a written capital plan supported by a robust internal capital adequacy process.

Under the BHCA, BHCs generally may not directly or indirectly own or control more than 5% of the voting shares, or substantially all of the assets, of any bank, without prior approval from the Federal Reserve. In addition, BHCs are generally prohibited from engaging in commercial or industrial activities.

BHC acquisition rules and permissible activities Under the BHCA, BHCs generally may not directly or indirectly own or control more than 5% of the voting shares, or substantially all of the assets, of any bank, without prior approval from the Federal Reserve. In addition, BHCs are generally prohibited from engaging in commercial or industrial activities.

She previously served as Head of Commercial Bank from May 2019 to November 2023 and Co-Head of Key Corporate Bank from 2016 to May 2019. She became an executive officer of KeyCorp in 2016. 10 Table of contents Andrew J. Paine III (55) - Mr. Paine has been the Head of Institutional Bank since 2019.

She previously served as Head of Commercial Bank from May 2019 to November 2023 and Co-Head of Key Corporate Bank from 2016 to May 2019. She became an executive officer of KeyCorp in 2016. Andrew J. Paine III (56) - Mr. Paine has been the Head of Institutional Bank since 2019.

The Dodd-Frank Act created the FSOC to overlay the U.S. supervisory framework for BHCs, insured depository institutions, and other financial service providers, by serving as a systemic risk oversight body.

Supervisory framework The Dodd-Frank Act created the FSOC to overlay the U.S. supervisory framework for BHCs, IDIs, and other financial service providers, by serving as a systemic risk oversight body.

ITEM 1. BUSINESS Overview KeyCorp, organized in 1958 under the laws of the State of Ohio, is headquartered in Cleveland, Ohio. We are a BHC under the BHCA and one of the nation’s largest bank-based financial services companies, with consolidated total assets of approximately $187.2 billion at December 31, 2024.

The Revised PCA framework table below identifies the capital category threshold ratios for a “well capitalized” and an “adequately capitalized” institution under the Prompt Corrective Action Framework.

The revised PCA framework table below identifies the capital category threshold ratios for a “well capitalized” and an “adequately capitalized” institution under the PCA framework.

Prior to that time, he served in a variety of roles with Truist Financial Corporation, including Deputy Chief Risk Officer and Chief Credit Officer from January 2023 to January 2025 and Chief Business Unit Risk Officer from 2000 to 2023. James L. Waters (58) - Mr.

We also offer employees the opportunities to develop and enhance their skills through formal learning curricula and to obtain tuition reimbursement for eligible collegiate or post-collegiate education and relevant certifications. Key’s Workforce Key had an average of 16,753 full time equivalent employees in 2024 .

The FDIC must assess the premium based on an insured depository institution’s assessment base, calculated as its average consolidated total assets minus its average tangible equity. KeyBank’s current annualized premium assessments can range from $.025 to $.45 for each $100 of its assessment base.

The FDIC must assess the deposit insurance premium based on an IDI’s assessment base, calculated as its average consolidated total assets minus its average tangible equity. KeyBank’s current annualized premium assessments can range from $.025 to $.45 for each $100 of its assessment base.

As of December 31, 2024, a total of 17,406 full-time and part-time employees worked in the following regions, which are generally aligned to the regions Key uses for its retail branch banking network: Region Employee Count East 12,399 West 2,834 All Other 2,173 We invest significant time and resources in creating an attractive work environment and competitive total rewards package that attracts and retains top talent.

As of December 31, 2025, a total of 17,883 full-time and part-time employees worked in the following regions, which are generally aligned to the regions Key uses for its retail branch banking network: Region Employee Count East 12,534 West 2,927 All Other 2,422 We invest significant time and resources in creating an attractive work environment and competitive total rewards package that attracts and retains top talent.

Volcker Rule The Volcker Rule implements Section 619 of the Dodd-Frank Act, which prohibits “banking entities,” such as KeyCorp, KeyBank and their affiliates and subsidiaries, from owning, sponsoring, or having certain relationships with hedge funds and private equity funds (referred to as “covered funds”) and engaging in short-term proprietary trading of financial instruments, including securities, derivatives, commodity futures and options on these instruments.

Key is monitoring developments regarding this matter. 21 Table of contents Volcker Rule The Volcker Rule implements Section 619 of the Dodd-Frank Act, which prohibits “banking entities,” such as KeyCorp, KeyBank and their affiliates and subsidiaries, from owning, sponsoring, or having certain relationships with hedge funds and private equity funds (referred to as “covered funds”) and engaging in short-term proprietary trading of financial instruments, including securities, derivatives, commodity futures and options on these instruments.

Similarly, under the Regulatory Capital Rules, a banking organization that fails to satisfy the minimum capital conservation buffer requirement will be subject to certain limitations, which include restrictions on capital distributions. For more information about the payment of dividends by KeyBank to KeyCorp, please see Note 3 (“Restrictions on Cash, Dividends, and Lending Activities”) in this report.

Moreover, under the FDIA, an insured depository institution may not pay a dividend if the payment would cause it to be less than “adequately capitalized” under the prompt corrective action framework or if the institution is in default in the payment of an assessment due to the FDIC.

Moreover, under the FDIA, an IDI may not pay a dividend if the payment would cause it to be less than “adequately capitalized” under the PCA framework or if the institution is in default in the payment of an assessment due to the FDIC.

Key’s annualized rate for voluntary turnover as of December 31, 2024, was 13.2%, lower than our annualized voluntary turnover rate for 2023, which was 14.6%, and lower than our previous five-year historical average of 15.3%.

Key’s annualized rate for voluntary turnover as of December 31, 2025, was 12.7%, lower than our annualized voluntary turnover rate for 2024, which was 13.2%, and lower than our previous five-year historical average of 15.3%.

He previously served as Co-Head of Key Corporate Bank from 2016 to May 2019. He also serves as President of KeyBanc Capital Markets Inc., a role he has held since 2013. He became an executive officer of KeyCorp in 2016. Mohit Ramani (51) - Mr. Ramani became Chief Risk Officer and an executive officer of KeyCorp on January 23, 2025.

A banking organization’s total capital equals the sum of its tier 1 and tier 2 capital. The Basel Committee also developed a market risk capital framework (that also has been implemented in the United States) to address the substantial exposure to market risk faced by banking organizations with significant trading activity and augment the credit risk-based capital requirements described above.

The Basel Committee also developed a market risk capital framework (that also has been implemented in the United States) to address the substantial exposure to market risk faced by banking organizations with significant trading activity and augment the credit risk-based capital requirements described above.

Key does not anticipate that the proprietary trading or covered fund restrictions in the Volcker Rule will have a material impact on its business, but it was required to divest certain fund investments. Key has established monitoring programs to support compliance with the Volcker Rule’s restrictions.

Our securities brokerage and asset management subsidiaries are subject to supervision and regulation by the SEC, FINRA, and state securities regulators, and our insurance subsidiaries are subject to regulation by the insurance regulatory authorities of the states in which they operate.

Our securities brokerage and asset management subsidiaries are subject to supervision and regulation by the SEC, FINRA, and state securities regulators, and our insurance agency subsidiary is subject to regulation by the insurance regulatory authorities of the states in which it operates.

We also make available a summary of filings made with the SEC of statements of beneficial ownership of our equity securities filed by our directors and officers under Section 16 of the Exchange Act.

We also make available a summary of filings made with the SEC of statements of beneficial ownership of our equity securities filed by our directors and officers and persons who own more than 10% of a registered class of our equity securities under Section 16 of the Exchange Act.

Other Regulatory Requirements and Developments The Bank Secrecy Act The BSA requires all financial institutions (including banks and securities broker-dealers) to, among other things, maintain a risk-based system of internal controls reasonably designed to prevent money laundering and the financing of terrorism.

Comments on the proposal were due by December 18, 2025. 18 Table of contents Other Regulatory Requirements and Developments The Bank Secrecy Act The BSA requires all financial institutions (including banks and securities broker-dealers) to, among other things, maintain a risk-based system of internal controls reasonably designed to prevent money laundering and the financing of terrorism.

Comments on the proposal were due by January 16, 2024. 22 Table of contents Debit card interchange fee cap On October 25, 2023, the Federal Reserve issued for public comment a proposal to lower the maximum interchange fee that a debit card issuer with $10 billion or more in total consolidated assets (including KeyBank) can receive for a debit card transaction.

Debit card interchange fee cap On October 25, 2023, the Federal Reserve issued for public comment a proposal to lower the maximum interchange fee that a debit card issuer with $10 billion or more in total consolidated assets (including KeyBank) can receive for a debit card transaction.

Set forth below are the names and ages of the executive officers of KeyCorp as of December 31, 2024, the positions held by each at KeyCorp during the past five years, and the year each first became an executive officer of KeyCorp. On January 23, 2025, Mohit (Mo) Ramani became Chief Risk Officer.

Set forth below are the names and ages of the executive officers of KeyCorp as of December 31, 2025, the positions held by each at KeyCorp during the past five years, and the year each first became an executive officer of KeyCorp.

Long-term debt requirement On August 29, 2023, the federal banking agencies issued for public comment a proposal that would require certain large BHCs and certain large IDIs to issue and maintain minimum amounts of long-term debt (“LTD”).

KeyBank will be subject to any changes that are made to the CRA regulations. Long-term debt requirement On August 29, 2023, the federal banking agencies issued for public comment a proposal that would require certain large BHCs and certain large IDIs to issue and maintain minimum amounts of long-term debt (“LTD”).

The federal banking agencies indicated that the proposal would improve the resolvability of the covered entities in case of their failure, reduce costs to the DIF, and mitigate contagion and financial stability risks by reducing the risk of loss to uninsured depositors.

The federal banking agencies indicated that the proposal would improve the resolvability of the covered entities in case of their failure, 23 Table of contents reduce costs to the DIF, and mitigate contagion and financial stability risks by reducing the risk of loss to uninsured depositors. Comments on the proposal were due by January 16, 2024.

Final rules related to the implementation of EGRRCPA (“Tailoring Rules”) established four risk-based categories of banking organizations with $100 billion or more in total consolidated assets and applied tailored regulatory requirements to each respective category. KeyCorp falls within the least restrictive of those categories (“Category IV Firms”).

Final rules related to the implementation of EGRRCPA (“Tailoring Rules”) established four risk-based categories of BHCs and their bank subsidiaries with $100 billion or more in total consolidated assets and applied tailored regulatory requirements to each respective category. KeyCorp and KeyBank fall within the least restrictive of those categories (“Category IV”).

Competitive Rewards We make investments to hire and retain the people we need to serve our customers and communities and regularly review our pay practices to reflect changing market and economic conditions. We have steadily increased our starting minimum wage since 2015, and as of December 31, 2024, 93% of employees earned $20 or more per hour.

Competitive Rewards We make investments to hire and retain the people we need to serve our customers and communities and regularly review our pay practices to reflect changing market and economic conditions. As of December 31, 2025, 95% of employees earned $20 or more per hour.

The Federal Reserve and FDIC make available on their websites the public sections of resolution plans for the companies, including KeyCorp and KeyBank, that submitted plans. The public sections of the resolution plans of KeyCorp and KeyBank are available at http://www.federalreserve.gov/supervisionreg/resolution-plans.htm and https://www.fdic.gov/resolutions/fdic-and-financial-regulatory-reform-title-i-and-idi-resolution-planning/. KeyCorp’s last resolution plan was submitted in 2017, and KeyBank’s last resolution plan was submitted in 2022.

The public sections of the resolution plans of KeyCorp and KeyBank are available at http://www.federalreserve.gov/supervisionreg/resolution-plans.htm and https://www.fdic.gov/resolutions/fdic-and-financial-regulatory-reform-title-i-and-idi-resolution-planning/. KeyCorp’s last resolution plan was submitted in 2017, and KeyBank’s last resolution plan was submitted in 2025.

Regulatory capital requirements Background KeyCorp and KeyBank are subject to regulatory capital requirements that are based largely on the work of an international group of supervisors known as the Basel Committee on Banking Supervision (“Basel Committee”).

The requirements applicable to Category IV firms pursuant to the Tailoring Rules are discussed below. Regulatory Capital and Liquidity Requirements Background KeyCorp and KeyBank are subject to regulatory capital requirements that are based largely on the work of an international group of supervisors known as the Basel Committee on Banking Supervision (“Basel Committee”).

EGRRCPA gave the Federal Reserve the authority to continue to apply enhanced prudential standards to any BHCs having at least $100 billion but less than $250 billion in total consolidated assets (like KeyCorp) if it determines that the application of the standard is appropriate to prevent or mitigate risks to financial stability or to promote the safety and soundness of the BHC or BHCs, taking into consideration the BHC’s or BHCs’ capital structure, riskiness, complexity, financial activities, size, and other relevant factors.

The Economic Growth, Regulatory Relief, and Consumer Protection Act (“EGRRCPA”) raised the asset threshold above which the Federal Reserve is required to apply enhanced prudential standards to BHCs with at least $250 billion in total consolidated assets and gave the Federal Reserve the authority to apply enhanced prudential standards to BHCs with at least $100 billion in assets but less than $250 billion in assets (like KeyCorp) if it determines that the application of the enhanced prudential standards is appropriate to prevent or mitigate risks to financial stability or to promote the safety and soundness of the BHC or BHCs, taking into consideration the BHC’s or BHCs’ capital structure, riskiness, complexity, financial activities, size, and other relevant factors.

Victor B. Alexander (45) - Mr. Alexander has been KeyCorp’s Head of Consumer Bank and an executive officer of KeyCorp since January 2020. Prior to that time, he served as the Head of Home Lending from October 2018 to January 2020 and Treasurer from July 2017 to October 2018. Darrin L. Benhart (59) - On December 31, 2024, Mr.

Victor B. Alexander (46) - Mr. Alexander has been KeyCorp’s Head of Consumer Bank and an executive officer of KeyCorp since January 2020. Prior to that time, he served as the Head of Home Lending from October 2018 to January 2020 and Treasurer from July 2017 to October 2018. Amy G. Brady (59) - Ms.

As of December 31, 2024, these services were provided across the country through KeyBank’s 944 full-service retail banking branches and a network of 1,182 ATMs in 15 states, as well as additional offices, online and mobile banking capabilities, including our national digital brand, Laurel Road, and a telephone banking call center.

As of December 31, 2025, these services were provided across the country through KeyBank’s 940 full-service retail banking branches and a network of 1,120 ATMs in 15 states, as well as additional offices, online and mobile banking capabilities, and a telephone banking call center.

Minimum Capital Ratios and KeyCorp Ratios Under Regulatory Capital Rules Ratios (including stress capital buffer) Regulatory Minimum Requirement Stress Capital Buffer (b) Regulatory Minimum With Stress Capital Buffer KeyCorp December 31, 2024 (c) Common Equity Tier 1 4.50 % 3.10 % 7.60 % 11.92 % Tier 1 Capital 6.00 3.10 9.10 13.69 Total Capital 8.00 3.10 11.10 16.15 Leverage (a) 4.00 N/A 4.00 10.03 (a) As a standardized approach banking organization, KeyCorp is not subject to the 3% supplementary leverage ratio requirement, which became effective January 1, 2018.

Minimum Capital Ratios and KeyCorp Ratios Under Regulatory Capital Rules Ratios (including stress capital buffer) Regulatory Minimum Requirement Stress Capital Buffer (b) Regulatory Minimum Stress Capital Buffer KeyCorp December 31, 2025 Common Equity Tier 1 4.50 % 3.20 % 7.70 % 11.78 % Tier 1 Capital 6.00 3.20 9.20 13.46 Total Capital 8.00 3.20 11.20 15.70 Leverage (a) 4.00 N/A 4.00 10.50 (a) As a standardized approach banking organization, KeyCorp is not subject to the 3% supplementary leverage ratio requirement.

KeyCorp and KeyBank are Category IV banking organizations. Under the proposal, Category III and IV banking organizations would be required to include most components of AOCI, including net unrealized gains and losses on available-for-sale securities, in regulatory capital.

Under the proposal, Category III and IV banking organizations would be required to include most components of AOCI, including net unrealized gains and losses on available-for-sale securities, in regulatory capital. Furthermore, all Large Banking Organizations would be subject to the supplementary leverage ratio and countercyclical capital buffer requirement.

Each banking organization subject to this regulatory capital framework is required to satisfy certain minimum risk-based capital measures (e.g., a tier 1 risk-based capital ratio requirement of tier 1 capital to total risk-weighted assets), and in the United States, a minimum leverage ratio requirement of tier 1 capital to average total on-balance sheet assets, which serves as a backstop to the risk-based measures. 12 Table of contents A capital instrument is assigned to one of two tiers based on the relative strength and ability of that instrument to absorb credit losses on a going concern basis.

(b) As a standardized approach banking organization, KeyBank is not subject to the 3% supplementary leverage ratio requirement, which became effective January 1, 2018.

(b) As a standardized approach banking organization, KeyBank is not subject to the 3% supplementary leverage ratio requirement, which became effective January 1, 2018. However, KeyBank will be subject to the supplementary leverage ratio if proposed revisions to the Regulatory Capital Rules are adopted.

The CRA requires the federal banking agencies to assess the record of each institution that they supervise in meeting the credit needs of its entire community, including LMI neighborhoods. 21 Table of contents On October 24, 2023, the federal banking agencies adopted a final rule to strengthen and modernize their regulations implementing the CRA to better achieve the purposes of the law, adapt to changes in the banking industry, and provide clarity and consistency in the application of their regulations.

Under the final rule, the FDIC would collect a special assessment from IDIs at an annual rate of approximately 13.4 basis points over eight quarterly assessment periods, starting with the first quarterly assessment period of 2024.

Under the final rule, the FDIC would collect a special assessment from IDIs at an annual rate of approximately 13.4 basis points (or 3.36 basis points per quarter) over eight quarterly assessment periods, starting with the first quarterly assessment period of 2024 (i.e., January 1, 2024 through March 31, 2024) with an invoice payment date of June 28, 2024.

Gavrity served as Head of Enterprise Payments from January 2019 to November 2023 and Head of Commercial Payments from 2016 to 2019. Stacy L. Gilbert (53) - Ms. Gilbert has been the Chief Accounting Officer and an executive officer of KeyCorp since March 2024. Prior to her appointment as Chief Accounting Officer, Ms.

Gavrity has been Head of Commercial Bank since November 2023 and became an executive officer of KeyCorp in May 2021. Prior to this, Mr. Gavrity served as Head of Enterprise Payments from January 2019 to November 2023 and Head of Commercial Payments from 2016 to 2019. Stacy L. Gilbert (54) - Ms.

A firm will be subject to limitations on capital distributions and discretionary bonus payments if it does not satisfy all minimum capital requirements and its stress capital buffer requirement.

A firm will be subject to limitations on capital distributions and discretionary bonus payments if it does not satisfy all minimum capital requirements and its stress capital buffer requirement. Under the Tailoring Rules, the portion of the stress capital buffer for a Category IV firm based on the Federal Reserve’s stress test will be calculated biennially.

The capital plan must be submitted to the Federal Reserve for supervisory review in connection with the BHC’s CCAR (described below). The supervisory review includes an assessment of many factors, including KeyCorp’s ability to maintain capital above each minimum regulatory capital ratio on a pro forma basis under expected and stressful conditions throughout the planning horizon.

The supervisory review includes an assessment of many factors, including KeyCorp’s ability to maintain capital above each minimum regulatory capital ratio on a pro forma basis under expected and stressful conditions throughout the planning horizon. 14 Table of contents The Federal Reserve’s CCAR is an intensive assessment of the capital adequacy of large U.S.

Treasury Secretary, who must conclude that the SIFI is in default or in danger of default and that the SIFI’s failure poses a risk to the stability of the U.S. financial system. This determination must come after supermajority recommendations by the Federal Reserve and the FDIC, and consultation between the U.S. Treasury Secretary and the President.

The determination that a SIFI should be placed into OLA receivership is made by the U.S. Treasury Secretary, who must conclude that the SIFI is in default or in danger of default and that the SIFI’s failure poses a risk to the stability of the U.S. financial system.

The FDIC updates these projections at least semiannually. Conservatorship and receivership of insured depository institutions Upon the insolvency of an insured depository institution, the FDIC will be appointed as receiver or, in rare circumstances, conservator for the insolvent institution under the FDIA.

Comments on the interim final rule were due by January 20, 2026. Conservatorship and receivership of insured depository institutions Upon the insolvency of an IDI, the FDIC will be appointed as receiver or, in rare circumstances, conservator for the insolvent institution under the FDIA.

Following the issuance of this rule, two trade associations and a national bank headquartered in Kentucky filed a lawsuit challenging the rule in the United States District Court for the Eastern District of Kentucky. In this lawsuit, the plaintiffs alleged that the CFPB exceeded its statutory authority in adopting the rule.

In adopting the rule, the CFPB said that the 1033 rule was a step towards bringing about an “open banking” system in the United States. Following the issuance of this rule, two trade associations and a national bank filed a lawsuit challenging the rule in the United States District Court for the Eastern District of Kentucky.

In their lawsuit, the trade associations argued that the federal banking agencies exceeded their authority in adopting the CRA final rule. On March 29, 2024, the court in that case issued a preliminary injunction barring the federal banking agencies from enforcing the CRA final rule against the plaintiffs pending the resolution of this lawsuit.

Various trade associations filed a lawsuit in the United States District Court for the Northern District of Texas seeking to invalidate the CRA final rule. On March 29, 2024, the court in that case issued a preliminary injunction barring the federal banking agencies from enforcing the CRA final rule pending the resolution of that lawsuit.

Certain provisions of the OLA were modified to reduce disparate treatment of creditors’ claims between the U.S. Bankruptcy Code and the OLA.

The powers of a receiver under the OLA are generally based on the FDIC’s powers as receiver for IDIs under the FDIA. Certain provisions of the OLA were modified to reduce disparate treatment of creditors’ claims between the U.S. Bankruptcy Code and the OLA.

Among other things, the final rule (i) requires IDIs with more than $100 billion in total assets that are affiliated with a U.S. G-SIB to submit full resolution plans every two years, (ii) requires IDIs with more than $100 billion in total assets that are not affiliated with a U.S.

Among other things, the final rule (i) enhances and clarifies the requirements for the content of resolution plan submissions (ii) requires IDIs with more than $100 billion in total assets that are not affiliated with a U.S.

KeyBank is subject to the OCC’s revised recovery planning guidelines. KeyBank is required to be in compliance with these guidelines by January 1, 2026 except that KeyBank’s compliance with the testing requirement is delayed until January 1, 2027.

KeyBank was required to be in compliance with these guidelines by January 1, 2026 except that KeyBank’s compliance with the testing requirement was delayed until January 1, 2027. On October 27, 2025, the OCC requested public comment on a proposal to rescind its recovery planning guidelines.

… 171 more changes not shown on this page.

Item 1A. Risk Factors

Risk Factors — what could go wrong, per management

93 edited+39 added−29 removed153 unchanged

2024 filing

2025 filing

Biggest changeRISK FACTORS Summary of Risk Factors The following is a summary of some of the material risks and uncertainties that could have an adverse effect on our business. • Credit Risk ◦ We have concentrated credit exposure in commercial and industrial loans, commercial real estate loans, and commercial leases. ◦ Should the fundamentals of the commercial real estate market deteriorate, our financial condition and results of operations could be adversely affected. ◦ We are subject to the risk of defaults by our loan clients and counterparties. ◦ Declining asset prices could adversely affect us. ◦ Various factors may cause our allowance for loan and lease losses to increase or to be inadequate. ◦ Geopolitical destabilization could adversely impact our loan portfolios. • Market Risk ◦ A worsening of the U.S. economy and volatile or recessionary conditions in the U.S. or abroad could negatively affect our business or our access to capital markets. ◦ We are subject to interest rate risk, which could adversely affect net interest income. ◦ Our profitability depends upon economic conditions in the geographic regions where we have significant operations and in certain market segments in which we conduct significant business. ◦ The soundness of other financial institutions could adversely affect us. • Liquidity Risk ◦ We are subject to liquidity risk, which could negatively affect our funding levels. ◦ Capital and liquidity requirements imposed by banking regulations require banks and BHCs to maintain more and higher quality capital and more and higher quality liquid assets. ◦ Federal agencies’ actions to ensure stability of the U.S. economy and financial system may have costly or disruptive effects on us. ◦ We rely on dividends by our subsidiaries for most of our funds. ◦ Our credit ratings affect our liquidity position. • Operational Risk ◦ We are subject to a variety of operational risks. ◦ We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption. ◦ We rely on third parties to perform significant operational services for us, and their failure to perform to our standards or other issues of concern with them could harm us. ◦ Our framework for managing risks and mitigating losses may not be effective. ◦ We are, and may in the future be, subject to claims, litigation, arbitration, investigations, and governmental proceedings, which could result in significant financial liability and/or reputational harm. ◦ Our controls and procedures may fail or be circumvented, and our methods of reducing risk exposure may not be effective. ◦ Our operations and financial performance could be adversely affected by severe weather and natural disasters exacerbated by climate change. ◦ Societal and governmental responses to climate change could adversely affect our business and performance, including indirectly through impacts on our customers. ◦ The increased use of remote work infrastructure has expanded potential attack vectors and resulted in increased operational risks. • Compliance Risk ◦ We are subject to extensive government regulation, supervision, and tax legislation. ◦ We are subject to complex and evolving laws and regulations regarding privacy and cybersecurity, which could limit our ability to pursue business initiatives, increase the cost of doing business and subject us to compliance risks and potential liability. 24 Table of contents • Strategic Risk ◦ We may not realize the expected benefits of our strategic initiatives. ◦ We operate in a highly competitive industry. ◦ Maintaining or increasing our market share depends upon our ability to adapt our products and services to evolving industry standards and consumer preferences, while maintaining competitive products and services. ◦ We may not be able to attract and retain skilled people. ◦ Acquisitions or strategic partnerships may disrupt our business and dilute shareholder value. ◦ Scotiabank holds a significant equity interest in our business and may exercise influence over us, including through its ability to designate up to two directors to our Board of Directors. • Reputation Risk ◦ Damage to our reputation could significantly impact our business and major stakeholders. ◦ Key is subject to corporate responsibility and sustainability efforts risks that could adversely affect our reputation and our business and results of operations. • Model Risk ◦ We rely on quantitative models to manage certain accounting, risk management, capital planning, and treasury functions. • Estimates and Assumptions Risk ◦ The preparation of our consolidated financial statements requires us to make subjective determinations and use estimates that may vary from actual results and materially impact our financial condition and results of operations. ◦ Changes in accounting policies, standards, and interpretations could materially affect how we report our financial condition and results of operations. ◦ Impairment of goodwill could require charges to earnings, which could result in a negative impact on our results of operations.

Biggest changeRISK FACTORS Summary of Risk Factors The following is a summary of some of the material risks and uncertainties that could have an adverse effect on our business. • Credit Risk ◦ We have concentrated credit exposure in commercial and industrial loans, commercial real estate loans, and commercial leases. ◦ Should the fundamentals of the commercial real estate market deteriorate, our financial condition and results of operations could be adversely affected. ◦ We are subject to the risk of defaults by our loan clients and counterparties. ◦ Declining asset prices could adversely affect us. ◦ Various factors may cause our allowance for loan and lease losses to increase or to be inadequate. ◦ Geopolitical destabilization could adversely impact our loan portfolios. • Market Risk ◦ A worsening of the U.S. economy and volatile or recessionary conditions in the U.S. or abroad could negatively affect our business or our access to capital markets. ◦ We are subject to interest rate risk, which could adversely affect net interest income. ◦ Our profitability depends upon economic conditions in the geographic regions where we have significant operations and in certain market segments in which we conduct significant business. ◦ The soundness of other financial institutions could adversely affect us. • Liquidity Risk ◦ We are subject to liquidity risk, which could negatively affect our funding levels. ◦ Capital and liquidity requirements imposed by banking regulators and the credit rating agencies may require banks and BHCs to maintain more and higher quality capital and more and higher quality liquid assets. ◦ Federal agencies’ actions to ensure stability of the U.S. economy and financial system may have costly or disruptive effects on us. ◦ We rely on dividends by our subsidiaries for most of our funds. ◦ Our credit ratings affect our liquidity position. ◦ A loss of customer deposits or an adverse change in deposit mix could increase our funding costs and/or impair our liquidity. • Operational Risk ◦ We are subject to a variety of operational risks. ◦ We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption. ◦ We rely on third parties to perform significant operational services for us, and their failure to perform to our standards or other issues of concern with them could harm us. ◦ Our framework for managing risks and mitigating losses may not be effective. ◦ We are, and may in the future be, subject to claims, litigation, arbitration, investigations, and governmental proceedings, which could result in significant financial liability and/or reputational harm. ◦ Our controls and procedures may fail or be circumvented, and our methods of reducing risk exposure may not be effective. ◦ Our operations and financial performance could be adversely affected by severe weather and natural disasters, both directly and as a result of impacts on our customers. ◦ Our development and use of AI, including through third parties, exposes us to inherent risks that may adversely impact KeyCorp. • Compliance Risk ◦ We are subject to extensive government regulation, supervision, and tax legislation. ◦ We are subject to complex and evolving laws and regulations regarding privacy and cybersecurity, which could limit our ability to pursue business initiatives, increase the cost of doing business and subject us to compliance risks and potential liability. 25 Table of contents • Strategic Risk ◦ We may not realize the expected benefits of our strategic initiatives. ◦ We operate in a highly competitive industry. ◦ Maintaining or increasing our market share depends upon our ability to adapt our products and services to evolving industry standards and consumer preferences, while maintaining competitive products and services. ◦ We may not be able to attract and retain skilled people. ◦ Acquisitions or strategic partnerships may disrupt our business and dilute shareholder value. ◦ Scotiabank holds a significant equity interest in our business and may exercise influence over us, including through its ability to designate up to two directors to our Board of Directors. ◦ Damage to our reputation could significantly impact our business and major stakeholders. ◦ Differing views on corporate responsibility and sustainability could adversely affect our reputation and our business and results of operations. • Model Risk ◦ We rely on quantitative models to manage certain accounting, risk management, capital planning, and treasury functions. • Estimates and Assumptions Risk ◦ The preparation of our consolidated financial statements requires us to make subjective determinations and use estimates that may vary from actual results and materially impact our financial condition and results of operations. ◦ Changes in accounting policies, standards, and interpretations could materially affect how we report our financial condition and results of operations. ◦ Impairment of goodwill could require charges to earnings, which could result in a negative impact on our results of operations.

Capital and long-term debt requirements require us to divert resources from otherwise profitable lending and investment opportunities to ensure compliance, which may be dilutive to shareholders or limit Key’s ability to buy back shares or pay dividends. The Federal Home Loan Bank (FHLB) system continues to be a source of funding.

Our success depends on our ability to attract, retain, motivate, and develop a high performing, inclusive, and collaborative workforce. Competition for talent in our business is strong and requires us to make investments to provide compensation and benefits at market levels. Rising wages, as well as inflation, may cause us to increase these investments.

Our success depends on our ability to attract, retain, motivate, and develop a high performing and collaborative workforce. Competition for talent in our business is strong and requires us to make investments to provide compensation and benefits at market levels. Rising wages, as well as inflation, may cause us to increase these investments.

Such security attacks can originate from a wide variety of sources/malicious actors, including, but not limited to, persons who constitute an insider threat, who are involved with organized crime, or who may be linked to terrorist organizations or hostile foreign governments.

Security attacks can originate from a wide variety of sources/malicious actors, including, but not limited to, persons who constitute an insider threat, who are involved with organized crime, or who may be linked to terrorist organizations or hostile foreign governments.

Although the risks are organized by headings and each risk is discussed separately, many are interrelated. The risks and uncertainties described below are not the only risks we face. Disclosures of risks should not be interpreted to imply that the risks have not already materialized.

Our ability to compete successfully depends on a number of factors, including: our ability to develop and execute strategic plans and initiatives; our ability to develop, maintain, and build long-term client relationships; our ability to develop and deliver competitive products and technologies expected by our customers, while maintaining safety and soundness, effective risk management practices, and high ethical standards; our ability to attract, retain, and develop an employee workforce with the required skills and expertise; and industry and economic trends.

Our ability to compete successfully depends on a number of factors, including: our ability to develop and execute strategic plans and initiatives; our ability to develop, maintain, and build long-term client relationships; our ability to develop and deliver competitive products and technologies expected by our customers, while maintaining safety and soundness, effective risk management practices, and high ethical standards; our ability to attract, retain, and develop a workforce with the required skills and expertise; and industry and economic trends.

Significant harm to our reputation can arise from various sources, including inappropriate behavior or misconduct of employees, actual or perceived unethical behavior, litigation or regulatory outcomes, inadequate or ineffective risk management practices, failing to deliver minimum or required standards of service and quality, corporate governance and regulatory compliance failures, disclosure of confidential information, significant or numerous failures, interruptions or breaches of our information systems, complex fraud threats, failure to meet external commitments and goals, including financial corporate responsibility and sustainability related commitments, the activities of our clients, customers and counterparties, including vendors, and actions taken by shareholder activists and community organizations.

Significant harm to our reputation can arise from various sources, including inappropriate behavior or misconduct of employees, actual or perceived unethical behavior, litigation or regulatory outcomes, inadequate or ineffective risk management practices, failing to deliver minimum or required standards of service and quality, failure to safeguard client information, corporate governance and regulatory compliance issues, disclosure of confidential information, significant or numerous failures, interruptions or breaches of our information systems, complex fraud threats, failure to meet external commitments and goals, including financial corporate responsibility and sustainability related commitments, the activities of our clients, customers and counterparties, including vendors, and actions taken by shareholder activists and community organizations.

Adverse conditions in a geographic region such as inflation, unemployment, recession, natural disasters, impact of public health crises, or other factors beyond our control could impact the ability of borrowers in these regions to repay their loans, decrease the value of collateral securing loans made in these regions, or affect the ability of our customers in these regions to continue conducting business with us.

Adverse conditions in a geographic region such as inflation, unemployment, recession, natural disasters, political instability, impact of public health crises, or other factors beyond our control could impact the ability of borrowers in these regions to repay their loans, decrease the value of collateral securing loans made in these regions, or affect the ability of our customers in these regions to continue conducting business with us.

Changes in any of these factors could impair our ability to maintain our current credit ratings. We may be unable to maintain our current ratings and our ratings may be downgraded again in the future.

Changes in any of these factors could impair our ability to maintain our current credit ratings. We may be unable to maintain our current ratings and our ratings may be downgraded in the future.

To the extent that the Federal Reserve’s policies around managing inflation fail to mitigate the volatility and uncertainty related to inflation and the effects of inflation, or to the extent conditions otherwise worsen or are exacerbated by policies enacted by the U.S. government, including the imposition of tariffs or other trade policies, we could experience adverse effects on our business, financial condition, and results of operations.

To the extent that the Federal Reserve’s policies around managing inflation fail to mitigate the volatility and uncertainty related to inflation and the effects of inflation, or to the extent conditions otherwise worsen or are exacerbated by policies enacted by the U.S. government, including the imposition of tariffs or other commercial policies, we could experience adverse effects on our business, financial condition, and results of operations.

Our risk management framework seeks to maintain safety and soundness and maximize profitability. We have established policies, processes, and procedures intended to identify, measure, monitor, report, and analyze the types of risk to which we are subject, including compliance, operational, liquidity, market, credit, model, reputational, and strategic risk, among others.

Our risk management framework seeks to maintain safety and soundness and maximize profitability. We have established policies, processes, and procedures intended to identify, measure, monitor, report, and analyze the types of risk to which we are subject, including compliance, operational, technology, liquidity, market, credit, model, and strategic risk, among others.

When the Federal Reserve raises or reduces interest rates, the behavior of national money market rate indices, the correlation of consumer deposit rates to financial market interest rates, and the setting of benchmark rates may not follow historical relationships, which could influence net interest income and net interest margin through basis and other risks.

When the Federal Reserve raises or reduces interest rates, the behavior of national money market rate indices, the correlation of consumer deposit rates to financial market interest rates, and the evolution of benchmark rates may not follow historical relationships, which could influence net interest income and net interest margin through basis and other risks.

In addition, our right to participate in a distribution of assets upon a subsidiary’s liquidation or reorganization is subject to the prior claims of the subsidiary’s creditors . 31 Table of contents Our credit ratings affect our liquidity position. The rating agencies regularly evaluate the securities issued by KeyCorp and KeyBank.

In addition, our right to participate in a distribution of assets upon a subsidiary’s liquidation or reorganization is subject to the prior claims of the subsidiary’s creditors. 32 Table of contents Our credit ratings affect our liquidity position. The rating agencies regularly evaluate the securities issued by KeyCorp and KeyBank.

The interests of Scotiabank with respect to matters potentially or actually involving or affecting us and our other shareholders, such as future acquisitions, financings, and other corporate opportunities and attempts to acquire us, may conflict with the interests of our other shareholders. VII. Reputation Risk Damage to our reputation could significantly impact our business and major stakeholders.

The interests of Scotiabank with respect to matters potentially or actually involving or affecting us and our other shareholders, such as future acquisitions, financings, and other corporate opportunities and attempts to acquire us, may conflict with the interests of our other shareholders. Damage to our reputation could significantly impact our business and major stakeholders.

Like similarly situated 36 Table of contents institutions, Key undergoes routine scrutiny from bank supervisors in the examination process and is subject to enforcement of regulations at the federal and state levels, particularly with respect to customer practices involving fair and responsible banking, fair lending, unfair, deceptive or abusive practices, and the Community Reinvestment Act, as well as compliance with AML, BSA and Office of Foreign Assets Control efforts.

Like similarly situated institutions, Key undergoes routine scrutiny from bank supervisors in the examination process and is subject to enforcement of regulations at the federal and state levels, particularly with respect to customer practices involving fair and responsible banking, fair lending, unfair, deceptive or abusive practices, and the Community Reinvestment Act, as well as compliance with AML, BSA and Office of Foreign Assets Control efforts.

Investors and other stakeholders, including U.S. institutional investors, are increasingly considering how corporations are incorporating corporate responsibility and sustainability matters, including climate-related financial risks, into their business strategy when analyzing the expected risk and return of potential investments.

Investors and other stakeholders, including U.S. institutional investors, are increasingly considering how corporations are (or are not) incorporating corporate responsibility and sustainability matters, including climate-related financial risks, into their business strategy when analyzing the expected risk and return of potential investments.

At December 31, 2024, the book value of our goodwill was $2.8 billion, substantially all of which was recorded at KeyBank. Any such write down of goodwill will reduce Key’s earnings, as well. See the “Critical Accounting Policies” section of Item 7.

At December 31, 2025, the book value of our goodwill was $2.8 billion, substantially all of which was recorded at KeyBank. Any such write down of goodwill will reduce Key’s earnings, as well. See the “Critical Accounting Policies” section of Item 7.

We incur basis risk to the extent that the relationship between different interest rate indices changes over time. Option risk is present in assets, liabilities or other financial instruments that allow a party to change the timing of interest or principal payments.

We incur basis risk to the extent that the relationship between different interest rate indices changes over time. Option risk is present in assets, liabilities or other financial instruments that allow a counterparty to change the timing of interest or principal payments.

Despite actions that we take to manage these risks, unanticipated changes in assets, liabilities, and off-balance sheet commitments under various economic conditions (including a reduced level of wholesale funding sources), a substantial, unexpected, or prolonged change in the level or cost of liquidity could have a material adverse effect on us.

Despite actions that we take to manage these risks, unanticipated changes in assets, liabilities, and off-balance sheet commitments under various economic conditions (reduced wholesale funding capacity), or a substantial, unexpected, or prolonged change in the level or cost of liquidity could have a material adverse effect on us.

These alternatives may include generating client deposits, securitizing or selling loans, extending the maturity of wholesale borrowings, borrowing under certain secured borrowing arrangements, using relationships developed with a variety of fixed income investors to access new funds or renegotiate the terms of outstanding debt, and further managing loan growth and investment opportunities.

Such investments cause compensation and benefits to represent our greatest expense. Additionally, we increasingly compete for talent outside of the core financial services industry. Non-financial institutions may be subject to different pay and hiring expectations than us, which may make it more difficult for us to attract qualified teammates.

For example, our risk management framework and measures that we take to mitigate risk may not be fully effective in identifying and mitigating our risk exposure in all 34 Table of contents market environments or against all types of risks, including risks that are unidentified or unanticipated, even if the frameworks for assessing risk are properly designed and implemented.

For example, our risk management framework and measures that we take to mitigate risk may not be fully effective in identifying and mitigating our risk exposure in all market environments or against all types of risks, including risks that are unidentified or unanticipated, even if the frameworks for assessing risk are properly designed and implemented.

We regularly evaluate merger and acquisition and strategic partnership opportunities and conduct due diligence activities related to possible transactions. As a result, mergers or acquisitions involving cash, debt or equity securities may occur at any time. Acquisitions may involve the payment of a premium over book and market values.

We regularly 40 Table of contents evaluate merger and acquisition and strategic partnership opportunities and conduct due diligence activities related to possible transactions. As a result, mergers or acquisitions involving cash, debt or equity securities may occur at any time. Acquisitions may involve the payment of a premium over book and market values.

Additionally, as businesses and markets evolve, our measurements may not accurately reflect this evolution. Models can also produce inadequate estimates due to errors in computer code, use of unsuitable data during development or input into the model during model use, or the use of a model for a purpose outside the scope of the model’s design.

Additionally, as businesses and markets evolve, our measurements may not accurately reflect this evolution. Models can also produce inadequate estimates due to errors in computer code, use of unsuitable data during model development or implementation, or the use of a model for a purpose outside the scope of the model’s design.

Further, regulatory guidance adopted by federal banking regulators related to how banks select, contract with, evaluate, engage with, and manage their third parties, including such third parties’ use of subcontractors and downstream service providers, impacts whether and how we work with such parties, as well as the cost of managing such relationships.

Further, regulatory guidance adopted by federal banking regulators related to how banks select, contract with, evaluate, engage with, and manage their third parties, including such third parties’ use of subcontractors and 35 Table of contents downstream service providers, impacts whether and how we work with such parties, as well as the cost of managing such relationships.

As new privacy-related laws and regulations, and judicially-created frameworks, are implemented in jurisdictions in which 37 Table of contents KeyBank operates, the time and resources needed for us to comply with such laws and regulations, as well as our potential liability for noncompliance and reporting obligations in the case of data breaches, may significantly increase.

As new privacy-related laws and regulations, and judicially-created frameworks, are implemented in jurisdictions in which KeyBank operates, the time and resources needed for us to comply with such laws and regulations, as well as our potential liability for noncompliance and reporting obligations in the case of data breaches, may significantly increase.

However, the bank regulatory environment evolves continually, and regulatory standards, expectations and 30 Table of contents requirements evolve along with that environment, raising the risk of increased compliance costs in the future. Moreover, often in response to industry or macroeconomic stress events, informal regulatory expectations of capital and liquidity management practices may exceed formal requirements.

However, the bank regulatory environment evolves continually, and regulatory standards, expectations and requirements evolve along with that environment, raising the risk of increased compliance costs in the future. Moreover, often in response to industry or macroeconomic stress events, informal regulatory expectations of capital and liquidity management practices may exceed formal requirements.

Increased competition in the financial services industry, or our failure to perform in any of these areas, could significantly weaken our competitive position, which could adversely affect our growth and profitability. Strategic risk may also be realized due to events or issues that materialize in other risk factor areas.

Increased competition 39 Table of contents in the financial services industry, or our failure to perform in any of these areas, could significantly weaken our competitive position, which could adversely affect our growth and profitability. Strategic risk may also be realized due to events or issues that materialize in other risk factor areas.

As a result of our necessary reliance on employees to perform these tasks and manage resulting risks, we are thus subject to human vulnerabilities. These range from innocent human error to misconduct or malfeasance, potentially leading to operational breakdowns or other failures.

As a result of our necessary reliance on employees to perform these tasks and manage resulting risks, we are thus 33 Table of contents subject to human vulnerabilities. These range from innocent human error to misconduct or malfeasance, potentially leading to operational breakdowns or other failures.

With the exception of cash that we may raise from debt and equity issuances, we receive substantially all of our funding from dividends by our subsidiaries. Dividends by our subsidiaries are the principal source of funds for the dividends we pay on our common and preferred stock and interest and principal payments on our debt.

The timing and effects of these climate-related physical risks are difficult to accurately predict, and the potential impact of such risks on our operations, employees, communities, and 35 Table of contents customers could have a material adverse effect on our business, financial position, and results of operations.

The timing and effects of these climate-related physical risks are difficult to accurately predict, and the potential impact of such risks on our operations, employees, communities, and customers could have a material adverse effect on our business, financial position, and results of operations.

In addition, the existence of a large shareholder may have the effect of deterring takeovers, delaying or preventing changes in control or changes in management, or limiting the ability of our other shareholders to approve transactions that they may deem to be in the best interests 39 Table of contents of our company.

The management of model risk includes independent validation and model governance, establishing and monitoring model control standards and model risk metrics, and completeness and accuracy of the inventory of models. Banking regulators continue to focus on the models used by banks and bank holding companies in their businesses.

The management of model risk includes independent validation and model 42 Table of contents governance, establishing and monitoring model control standards and model risk metrics, and completeness and accuracy of the inventory of models. Banking regulators continue to focus on the models used by banks and bank holding companies in their businesses.

Key also provides card transaction processing services to some merchant customers under agreements we have with payment networks. Under these agreements, we may be responsible for certain losses and penalties if one of our merchant customers suffers a data breach. We also face risks related to the increasing interdependence and interconnectivity of financial entities and technology systems.

Key also provides card transaction processing services to some merchant customers under agreements we have with payment networks. Under these agreements, we may be responsible for certain losses and penalties if one of our merchant customers suffers a data breach. 34 Table of contents We also face risks related to the interdependence and interconnectivity of financial entities and technology systems.

Our security systems, and those of the third-party service providers on which we rely, 33 Table of contents may not be able to protect our information systems or data from similar attacks due to the rapid evolution and creation of sophisticated cyberattacks.

Our security systems, and those of the third-party service providers on which we rely, may not be able to protect our information systems or data from similar attacks due to the rapid evolution and creation of sophisticated cyberattacks.

Additionally, the increasing use of third-party financial data aggregators and emerging technologies, including the use of automation, artificial intelligence and robotics, introduces new information security risks and exposure for us and for our third party service providers, and, additionally, such technologies may be used to identify vulnerabilities; such technologies have resulted in a substantial increase in the volume and sophistication of cyberattacks against financial and other institutions, including the use of generative artificial intelligence to conduct more sophisticated social engineering attacks.

Additionally, the increasing use of third-party financial data aggregators and emerging technologies, including the use of AI, introduces new information security risks and exposure for us and for our third party service providers, and, additionally, such technologies may be used to identify vulnerabilities; such technologies have resulted in a substantial increase in the volume and sophistication of cyberattacks against financial and other institutions, including the use of generative AI to conduct more sophisticated social engineering attacks.

The level of the allowance at December 31, 2024 represents management’s estimate of expected credit losses over the contractual life of our existing loan portfolio.

The level of the allowance at December 31, 2025 represents management’s estimate of expected credit losses over the contractual life of our existing loan portfolio.

Furthermore, the insurance we maintain may not be adequate to cover our losses resulting from any business interruption resulting from a natural disaster or other severe weather events. Recurring extreme weather events could also reduce the availability or increase the cost of insurance.

Furthermore, the insurance we maintain may not be adequate to cover our losses resulting from any business interruption resulting from a natural disaster or other severe weather events. Recurring extreme weather events could also reduce or eliminate the availability or increase the cost of insurance to Key and our customers.

The 38 Table of contents process of eliminating banks as intermediaries, known as “disintermediation,” could result in the loss of fee income, as well as the loss of customer loans and deposits and related income generated from those products.

The process of eliminating banks as intermediaries, known as “disintermediation,” could result in the loss of fee income, as well as the loss of customer loans and deposits and related income generated from those products.

Our credit risk may be affected when the collateral held by us cannot be realized or is liquidated at prices not sufficient to recover the full amount of our loan or derivatives exposure. There can be no assurance that any such losses would not adversely and materially affect our results of operations. 29 Table of contents III.

Our credit risk may be affected when the collateral held by us cannot be liquidated at prices sufficient to recover the full amount of our loan or derivatives exposure. There can be no assurance that any such losses would not adversely and materially affect our results of operations. III.

The impact of downgrades to KeyCorp's or KeyBank's credit ratings could adversely affect our access to liquidity and could significantly increase our cost of funds, trigger additional collateral or funding requirements, and decrease the number of investors and counterparties willing to lend to us, reducing our ability to generate income.

Downgrades to KeyCorp's or KeyBank's credit ratings could impair our access to liquidity and could significantly increase our cost of funds, trigger additional collateral or funding requirements, and decrease the number of investors and counterparties willing to lend to us, reducing our ability to generate income.

Management’s Discussion and Analysis of Financial Condition and Results of Operations in this report for additional information. 42 Table of contents

Management’s Discussion and Analysis of Financial Condition and Results of Operations in this report for additional information. 43 Table of contents

The failure or inadequacy of a model may result in increased regulatory scrutiny on us or may result in an enforcement action or proceeding against us by one of our regulators. 41 Table of contents IX.

The failure or inadequacy of a model may result in increased regulatory scrutiny on us or may result in an enforcement action or proceeding against us by one of our regulators. IX.

In particular, we face the following risks, and other unforeseeable risks, in connection with a downturn in the economic and market environment or in the face of downside shocks or a recession, whether in the United States or internationally: • A loss of confidence in the financial services industry and the debt and equity markets by investors, placing pressure on the price of our common shares or decreasing the credit or liquidity available to Key, while also increasing the cost of such credit or liquidity; • A decrease in consumer and business confidence levels generally, decreasing credit usage and investment or increasing delinquencies and defaults; • A decrease in household or corporate incomes, reducing demand for our products and services; 27 Table of contents • A decrease in the value of collateral securing loans to our borrowers or a decrease in the quality of our loan portfolio, increasing loan charge-offs and reducing Key’s net income; • A decrease in our ability to liquidate financial positions at acceptable market prices; • An increase in competition or consolidation in the financial services industry; • Increased concern over and scrutiny of the capital and liquidity levels of financial institutions generally, and those of our transaction counterparties specifically with a corresponding increase in our cost of capital, liquidity and/or funding; • A decrease in confidence in the creditworthiness of the United States or other issuers whose securities we hold; and • An increase in limitations on or the regulation of financial services companies like Key.

In particular, we face the following risks, and other unforeseeable risks, in connection with a downturn in the macroeconomic and financial market environment or other such downside shocks, whether in the United States or internationally: • A loss of confidence in the financial services industry and the debt and equity markets by investors, placing pressure on the price of our common shares or decreasing the credit or liquidity available to Key, while also increasing the cost of such credit or liquidity; • A decrease in consumer and business confidence levels generally, decreasing credit usage and investment or increasing delinquencies and defaults and committed line draws; • A decrease in household or corporate incomes, reducing demand for our products and services; • A decrease in the value of collateral securing loans to our borrowers or a decrease in the quality of our loan portfolio, increasing loan charge-offs and reducing our net income; • A decrease in the value of collateral, or an increase in the haircuts on that collateral, that we pledge to secure funding and liquidity, reducing the quantum of that funding and/or liquidity; 28 Table of contents • An impairment in our ability to liquidate financial positions at acceptable market prices; • An increase in competition or consolidation in the financial services industry; • Increased concern over and scrutiny of the capital and liquidity levels of financial institutions generally, and those of our transaction counterparties specifically with a corresponding increase in our cost of capital, liquidity and/or funding; • A decrease in confidence in the creditworthiness of the United States or other issuers whose securities we hold; and • An increase in limitations on or the regulation of financial services companies like Key.

These risks include, but are not limited to: 26 Table of contents • A correction in equity or housing markets; • Supply chain issues such as closed factories and disrupted port activity, as well as the impact of the Russia-Ukraine war and the Israel-Hamas war on global transportation and the availability of materials; • Recessionary pressures on other major international economies, such as China, that may impact the broader global and our domestic economy; • Labor-supply constraints, including as a result of potential changes to U.S. immigration policies and laws, leading to slowing job growth and rising wages along with inflation (wage-price spiral); and • Negative real GDP growth, as a result of, in part, the Federal Reserve’s monetary policy to arrest inflationary pressures within the broader economy.

Present risks to stable asset prices include, but are not limited to: • A correction in equity or housing markets; • The imposition of further tariffs and other changes to U.S. or global trade policies; • Supply chain issues such as closed factories and disrupted port activity, as well as the impact of the Russia-Ukraine war and the Israel-Hamas war on global transportation and the availability of materials; • Recessionary pressures on other major international economies, such as China, that may impact the broader global and our domestic economy; 27 Table of contents • Labor-supply constraints, including as a result of further changes to U.S. immigration policies and laws and immigration enforcement, leading to slowing job growth and rising wages along with inflation (wage-price spiral); and • Negative real GDP growth, as a result of, in part, the Federal Reserve’s monetary policy to arrest inflationary pressures within the broader economy.

During periods of economic stress, the volatility and disruption that the capital and credit markets experience may reach, and have in the past reached, extreme levels. Market disruption may severely stress or even lead to the failure of financial institutions, which can cause further credit market constriction and further liquidation of assets, driving asset prices down even more.

During periods of macroeconomic or financial market stress, the volatility and disruption that the capital and credit markets experience may reach, and have in the past reached, extreme levels. Market disruption may severely stress or even lead to the failure of financial institutions, which can cause credit market constriction and liquidation of assets, driving down their prices.

These alternative means of funding may result in an increase in the overall cost of funds and may not be available under stressed conditions, which would cause us to liquidate a portion of our liquid asset portfolio to meet any funding needs.

These alternative means of funding would increase our overall cost of funds and they may not be available under stressed conditions, which may cause us to liquidate a portion of our liquid asset portfolio to meet any funding needs.

Negative coverage about Key published in traditional media or on social media websites, whether or not factually correct, may affect our reputation and our business prospects and impact our ability to attract and retain highly skilled employees.

Negative coverage about Key published in traditional media or on social media websites, whether or not factually 41 Table of contents correct, may affect our reputation and our business prospects and impact our ability to attract and retain highly skilled employees and customers.

Acquiring other banks, bank branches, or other businesses involves various risks commonly associated with acquisitions or partnerships, including exposure to unknown or contingent liabilities of the acquired company; diversion of our management’s time and attention; significant integration risk with respect to employees, accounting systems, and technology platforms; increased regulatory scrutiny; and the possible loss of key employees and customers of the acquired company.

Acquisitions of businesses, such as financial technology companies or investment banking firms, bank branches, or other banks involves various risks commonly associated with acquisitions or partnerships, including exposure to unknown or contingent liabilities of the acquired company; diversion of our management’s time and attention; significant integration risk with respect to employees, accounting systems, and technology platforms; increased regulatory scrutiny; and the possible loss of key employees and customers of the acquired company.

Despite recent announcements by the Federal Reserve declaring intent to increase transparency into capital stress tests and models, the results of these processes are difficult to predict due to, among other things, the Federal Reserve’s use of proprietary stress models that differ from our internal models.

Notwithstanding recent actions by the Federal Reserve to increase transparency into capital stress tests and models, the results of these processes are difficult to predict due to, among other things, the Federal Reserve’s use of proprietary stress models that differ from our internal models.

In addition, our ability to change deposit rates in response to changes in interest rates and other market and related factors is limited by client relationship considerations. 28 Table of contents Moreover, if the interest we pay on deposits and other borrowings increases at a faster rate than the interest we receive on loans and other investments, net interest income, and therefore our earnings, would be adversely affected.

In addition, our ability to change deposit rates in response to changes in interest rates and other market and related factors is limited by client relationships and competitive considerations. 29 Table of contents Moreover, if the interest we pay on deposits and other borrowings increases at a faster rate than the interest we receive on loans and other investments, net interest income, and therefore our earnings, would decline.

In addition, regulatory liquidity standards require us to hold high-quality liquid assets, which has caused us to change, and may in the future cause us to change, our mix of investments, and may impact future business relationships with certain customers.

In addition, regulatory liquidity standards require us to hold high-quality liquid assets, which has caused us to change, and may in the future cause us to change, our mix of investments in favor of lower-yielding securities, and may impact future business relationships with certain customers, both of which may reduce our profitability.

Our banking business is subject to four primary liquidity risks: contingency risk, mismatch risk, funding risk, and refinancing risk. Contingency risk arises from unexpected funding or liquidity needs occurring during challenging economic or financial market conditions. Mismatch risk may occur when illiquid assets are funded with less stable funding sources. Funding risk arises if funding sources become too concentrated.

Our banking business is subject to four primary liquidity risks: contingency risk, mismatch risk, funding risk, and refinancing risk. Contingency risk arises from unexpected funding or liquidity needs occurring during adverse systemic or idiosyncratic economic or financial conditions. Mismatch risk may occur when illiquid assets are funded with less stable funding sources.

Higher withdrawals can raise funding cost, which may reduce Key’s net interest margin and net interest income. In addition, many of our transactions with other financial institutions expose us to credit risk in the event of default of a counterparty or client.

Online and mobile banking have made it easier for customers to withdraw their deposits. Higher than customary withdrawals can raise funding cost, which may reduce Key’s net interest margin and net interest income. In addition, many of our transactions with other financial institutions expose us to credit risk in the event of default of a counterparty or client.

Capital and liquidity requirements imposed by banking regulations require banks and BHCs to maintain more and higher quality capital and more and higher quality liquid assets. Evolving capital standards resulting from the Dodd-Frank Act and the Regulatory Capital Rules adopted by our regulators have had and will continue to have a significant impact on banks and BHCs, including Key.

Evolving capital standards resulting from the Dodd-Frank Act and the Regulatory Capital Rules adopted by our regulators have had and will continue to have a significant impact on banks and BHCs, including Key.

Some models we use employ methodologies based on artificial intelligence (AI) or machine learning (ML). These models bring some unique complexities from those of traditional models, such as the need for large datasets for training, the potential for algorithmic bias, and the difficulty in interpreting model decisions.

Some models we use employ methodologies based on artificial intelligence or machine learning. Compared to traditional models, these models may involve some additional complexities, such as the need for large datasets for training, the potential for algorithmic bias, and difficulty in interpreting model outputs.

The outcome of regulatory matters as well as the timing of ultimate resolution are inherently difficult to predict, and the uncertain regulatory enforcement environment makes it difficult to estimate probable losses, which can lead to substantial disparities between legal reserves and actual settlements or penalties. 36 Table of contents Our controls and procedures may fail or be circumvented, and our methods of reducing risk exposure may not be effective.

These shifts in investing priorities may result in adverse effects on the trading price of our common stock if investors determine that Key has not made sufficient progress on corporate responsibility and sustainability matters or is not aligned with the investors’ priorities.

These considerations in investing priorities may result in adverse effects on the trading price of our common stock if investors determine that Key is not aligned with investors’ priorities.

Our credit risk may be exacerbated when the collateral held cannot be realized or is liquidated at prices insufficient to recover the full amount of the loan or derivative exposure due to us.

Many of our routine transactions expose us to credit risk, including the risk of default of our counterparties, which include other financial institutions, or clients. Our credit risk may be exacerbated when the collateral held cannot be realized or is liquidated at prices insufficient to recover the full amount of the loan or derivative exposure due to us.

The actual or perceived failure to adequately address conflicts of interest could affect the willingness of clients to deal with us, which could adversely affect our businesses, and could give rise to litigation or enforcement actions. Key is subject to corporate responsibility and sustainability efforts risks that could adversely affect our reputation and our business and results of operations.

For example, conflicts across the world, including the Russia-Ukraine war and the Israel-Hamas war, have proven to have a material impact on certain domestic commodity prices, impacting our borrowers' input costs and disrupting supply chains both domestically and abroad. These factors increase potential defaults in our loan portfolio and could ultimately increase loan losses. II.

For example, conflicts across the world, including the Russia-Ukraine war and the Israel-Hamas war, and recent military action in Venezuela, have proven to or may have a material impact on certain domestic commodity prices, impacting our borrowers' input costs and disrupting supply chains both domestically and abroad.

Companies are facing increasing scrutiny from customers, regulators, investors, and other stakeholders related to their corporate responsibility and sustainability practices and disclosures. We may face criticism or a loss of confidence, with accompanying reputational risk, from our perceived action or inaction to deliver on our corporate responsibility and sustainability-related commitments.

We may face criticism or a loss of confidence, with accompanying reputational risk, from our perceived action or inaction to deliver on our corporate responsibility and sustainability-related commitments.

In addition, collecting, measuring, and reporting corporate responsibility and sustainability information and metrics can be costly, difficult and time consuming, is subject to evolving and potentially conflicting reporting standards, and can present numerous operational, reputational, financial, legal, and other risks.

For instance, Category IV banks with assets between $100 billion and $250 billion, including Key, are not currently subject to certain capital and liquidity standards required of larger banks.

From time to time, federal banking regulators tailor the extent to which various categories of large banks are subject to certain capital, liquidity and other regulations. For instance, Category IV banks with assets between $100 billion and $250 billion, including Key, are not currently subject to certain capital and liquidity standards required of larger banks.

At the federal level, we are subject to the Gramm-Leach-Bliley Act of 1999, as amended, which requires financial institutions to, among other things, periodically disclose their privacy policies and practices relating to sharing personal information and, in some cases, enables customers to opt out of the sharing of certain non-public personal information with unaffiliated third parties.

Any mishandling or misuse of personal information by Key or our vendors or our failure to comply with notification requirements related to incidents relating to such personal information could expose us to litigation or regulatory fines, penalties, or other sanctions. 38 Table of contents At the federal level, we are subject to the Gramm-Leach-Bliley Act of 1999, as amended, which requires financial institutions to, among other things, periodically disclose their privacy policies and practices relating to sharing personal information and, in some cases, enables customers to opt out of the sharing of certain non-public personal information with unaffiliated third parties.

The deterioration of a larger loan or a group of loans in this category could cause an increase in criticized, classified, and nonperforming loans, which could result in lower earnings from these loans, additional provision for loan and lease losses, and ultimately an increase in loan losses. 25 Table of contents Should the fundamentals of the commercial real estate market deteriorate, our financial condition and results of operations could be adversely affected.

Liquidity Risk We are subject to liquidity risk, which could negatively affect our funding levels. Liquidity risk refers to our ability to fund liability maturities and deposit withdrawals, meet contractual obligations, or fund asset growth and new business initiatives at a reasonable cost, in a timely manner and without adverse consequences.

Liquidity Risk We are subject to liquidity risk, which could negatively affect our funding levels. 30 Table of contents Liquidity risk is the danger that a bank may not be able to meet near-term cash demands, such as funding liability maturities and deposit withdrawals, meeting contractual obligations, or funding asset growth and new business initiatives at a reasonable cost, in a timely manner and without adverse consequences.

Our controls and procedures may fail or be circumvented, and our methods of reducing risk exposure may not be effective. We regularly review and update our internal controls, disclosure controls and procedures, compliance monitoring activities, and corporate governance policies and procedures. We also maintain an ERM program designed to identify, measure, monitor, report, and analyze our risks.

We regularly review and update our internal controls, disclosure controls and procedures, compliance monitoring activities, and corporate governance policies and procedures. We also maintain an ERM program designed to identify, measure, monitor, report, and analyze our risks. Additionally, our internal audit function provides an independent assessment and testing of Key’s internal controls, policies, and procedures.

Asset price deterioration has a negative effect on the valuation of collateral and certain assets represented on our balance sheet and reduces our ability to sell assets at prices we deem acceptable. The most recent recession in the U.S., resulting from the impact of the COVID-19 pandemic, did not have significant lasting impact on collateral value.

Asset price deterioration has a negative effect on the valuation of collateral and certain assets represented on our balance sheet and reduces our ability to sell assets at prices we deem acceptable.

Hardware, software, or applications developed by Key or received from third parties may contain exploitable vulnerabilities, bugs, or defects in design, maintenance or manufacture or other issues that could unpredictably compromise information and cybersecurity. We depend on third party service providers and their downstream service providers to implement adequate controls and safeguards to protect against and report cyber incidents.

If KeyCorp’s or KeyBank's credit ratings fell below investment grade, it could also create obligations or liabilities under the terms of existing arrangements that could increase our costs and reduce our profitability. IV. Operational Risk We are subject to a variety of operational risks.

If KeyCorp’s or KeyBank's credit ratings fell below investment grade, it could also create obligations or liabilities under the terms of existing arrangements that could increase our costs and reduce our profitability. A loss of customer deposits or an adverse change in deposit mix could increase our funding costs and/or impair our liquidity.

Refinancing risk arises when a concentrated liability maturity profile creates near-term funding stress.

Funding risk arises if funding sources become too concentrated, raising the risk of higher borrowing costs. Refinancing risk arises when a concentrated liability maturity profile creates near-term funding stress.

Disruption within the financial markets, including negative news regarding the banking industry or perceived risks of a bank’s safety and soundness, can adversely impact the market price and volatility of our common stock or deposit runoff. Online and mobile banking have made it easier for customers to withdraw their deposits.

Banking is a confidence sensitive business, so disruption within the financial markets, including negative news, rumors, or misinformation regarding the banking industry or perceived risks of a bank’s safety and soundness, can adversely impact the market price and volatility of our common stock, cause deposit runoff or prompt the loss of important customers or counterparties.

As of December 31, 2024, approximately 69% of our loan portfolio consisted of commercial and industrial loans, commercial real estate loans, including commercial mortgage and construction loans, and commercial leases. These types of loans are typically larger than single family residential real estate loans and other types of consumer loans and have a different risk profile.

These types of loans are typically larger than single family residential real estate loans and other types of consumer loans and have a different risk profile.

In addition, our ability to extend protections to customers’ information to individual customer devices is limited, especially if the customers willingly provide third parties access to their devices or information. 32 Table of contents In the event of a failure, interruption, or breach of our information systems, or that of a third party that provides services to us or our customers, we may be unable to avoid impact to our customers.

In the event of a failure, interruption, or breach of our information systems, or that of a third party that provides services to us or our customers, we may be unable to avoid impact to our customers.

Such criticism directed at Key could generate dissatisfaction among our stakeholders. Additionally, however we respond to such criticism, we face the risk that current or potential clients may decline to do business with us or current or potential employees refuse to work with us.

Additionally, however we respond to such criticism, we face the risk that current or potential customers may decline to do business with us (or encourage others to do so) or current or potential employees refuse to work for us and could subject us to litigation or regulatory action.

Social media facilitates the rapid dissemination of information or misinformation, thereby increasing the potential for widespread dissemination of inaccurate, false, misleading, or other negative information that could damage our reputation. Negative public opinion can also adversely affect our ability to attract and maintain customer relationships and could subject us to litigation and regulatory action.

Social media facilitates the rapid dissemination of information or misinformation, thereby increasing the potential for widespread dissemination of inaccurate, false, misleading, or other negative information that could damage our reputation. There can be no assurance that such negative coverage will not damage our reputation and adversely affect our business.

We are subject to operational risk, which represents the risk of loss resulting from human error, inadequate or failed internal processes, internal controls, systems, and external events. Operational risk includes the risk of fraud by employees or others outside of Key, clerical and recordkeeping errors, nonperformance by vendors, threats from cyber activity, and computer/telecommunications malfunctions.

Operational Risk We are subject to a variety of operational risks. We are subject to operational risk, which represents the risk of loss resulting from human error, inadequate or failed internal processes, internal controls, systems, and external events.

In addition, technology has lowered barriers to entry and made it possible for nonbanks, including large technology companies, to offer products and services traditionally provided by banks. We expect the competitive landscape of the financial services industry to become even more intense as a result of legislative, regulatory, structural, customer preference, and technological changes.

We expect the competitive landscape of the financial services industry to become even more intense as a result of legislative, regulatory, structural, customer preference, and technological changes.

Additionally, our internal audit function provides an independent assessment and testing of Key’s internal controls, policies, and procedures. Any system of controls and any system to reduce risk exposure, however well designed, operated, and tested, is based in part on certain assumptions and can provide only reasonable, not absolute, assurances that the objectives of the system are met.

Any system of controls and any system to reduce risk exposure, however well designed, operated, and tested, is based in part on certain assumptions and can provide only reasonable, not absolute, assurances that the objectives of the system are met. The systems may not work as intended or be circumvented by employees, third parties, or others outside of Key.

… 81 more changes not shown on this page.

Item 1C. Cybersecurity

Cybersecurity — threats and controls disclosure

27 edited+5 added−3 removed17 unchanged

2024 filing

2025 filing

Biggest changeKey has implemented cybersecurity, privacy, and fraud education and awareness programs across the enterprise to educate teammates on how to identify and report cybersecurity and privacy concerns. Employees and contractors with access to assets or data owned or maintained by Key receive mandatory enterprise-wide cybersecurity, privacy, and fraud training on an annual basis.

Biggest changeEmployees and contractors with access to assets or data owned or maintained by Key receive mandatory enterprise-wide cybersecurity, privacy, and fraud training on an annual basis. In addition, our management team from time to time participates in cybersecurity tabletop exercises that simulate cybersecurity incidents.

He is licensed to practice law in the state of Ohio and has obtained the CIPP/US certification through the International Association of Privacy Professionals. The CPO and Privacy team have the authority to escalate privacy risks to the Board.

The CPO is licensed to practice law in the state of Ohio and has obtained the CIPP/US certification through the International Association of Privacy Professionals. The CPO and Privacy team have the authority to escalate privacy risks to the Board.

Technology risks are evaluated in areas including cybersecurity and information security, data control, acquisition and development, delivery and support, business continuity, and information technology governance. RRG shares the results of its audits with the LOB management, Key’s Operational and Compliance Risk Management Groups, the Board’s Audit Committee, and banking regulators.

Technology risks are evaluated in areas including cybersecurity and information security, data control, acquisition and development, delivery and support, business continuity, and information technology governance. IA shares the results of its audits with the LOB management, Key’s Operational and Compliance Risk Management Groups, the Board’s Audit Committee, and banking regulators.

He holds a bachelor’s degree in Finance and Management Information Systems and an MBA. The CISO reports to Key’s Chief Information Officer who oversees all of Key’s shared services for technology, operations, data, servicing, cyber and physical security, and corporate real estate solutions.

The Deputy CISO holds a bachelor’s degree in Finance and Management Information Systems and an MBA. The CISO reports to Key’s Chief Information Officer who oversees all of Key’s shared services for technology, operations, data, servicing, cyber and physical security, and corporate real estate solutions.

The Deputy CISO has over 17 years of cybersecurity and technology risk management experience across financial services and retail, previously served as the Head of Information Security Governance within KeyCorp’s Corporate Information Security group, as well as the Head of Cybersecurity and Technology Risk Oversight within KeyCorp’s Risk Management group.

The Deputy CISO has over 18 years of cybersecurity and technology risk management experience across financial services and retail, previously served as the Head of Information Security Governance within KeyCorp’s Corporate Information Security group, as well as the Head of Cybersecurity and Technology Risk Oversight within KeyCorp’s Risk Management group.

Risk Factors of this report. Key maintains an Information Security Program (the “IS Program”) to support the management of information security risk, including cybersecurity risk, across the organization. The IS Program is designed to protect Key’s clients, employees, third parties, and assets from threats by managing the confidentiality, availability, and integrity of Key’s information assets.

Key maintains an Information Security Program (the “IS Program”) to support the management of information security risk, including cybersecurity risk, across the organization. The IS Program is designed to protect Key’s clients, employees, third parties, and assets from threats by managing the confidentiality, availability, and integrity of Key’s information assets.

Operational Risk Management performs review and challenge of controls, monitors the operational risk profile, and ensures Key operates within its operational risk appetite. Compliance Risk Management provides an independent, enterprise-wide function that focuses on compliance with laws, rules, regulations, and guidance applicable to Key.

Operational Risk Management performs review and challenge of controls, monitors the operational and technology risk profiles, and ensures Key operates within its operational and technology risk appetite. Compliance Risk Management provides an independent, enterprise-wide function that focuses on compliance with laws, rules, regulations, and guidance applicable to Key.

Assessing, identifying, and managing cybersecurity risk across the organization in support of the IS Program is a cross-functional effort that requires collaboration and direction from all lines of defense – the lines of business and support functions (First Line of Defense), Risk Management (Second Line of Defense), and the Risk Review Group (RRG), Key’s internal audit function (Third Line of Defense): • First Line of Defense – Lines of Business and Support Functions.

Assessing, identifying, and managing cybersecurity risk across the organization in support of the IS Program is a cross-functional effort that requires collaboration and direction from all lines of defense – the lines of business and support functions (First Line of Defense), Risk Management (Second Line of Defense), and Key’s Internal Audit (IA) function (Third Line of Defense): • First Line of Defense – Lines of Business and Support Functions.

As discussed above in “Cybersecurity Risk Management,” the RRG shares the results of its independent internal audits of security activities at Key and the effectiveness of the IS Program with the line of business management, Key’s Operational and Compliance Risk Management Groups, the Board’s Audit Committee, and banking regulators.

As discussed above in “Cybersecurity Risk Management,” Internal Audit shares the results of its independent internal audits of security activities at Key and the effectiveness of the IS Program with the line of business management, Key’s Operational and Compliance Risk Management Groups, the Board’s Audit Committee, and 46 Table of contents banking regulators.

The RRG reviews and evaluates the scope and breadth of security activities throughout Key and the effectiveness of the IS Program. RRG conducts independent internal 43 Table of contents audits on Key’s LOBs, operations, information systems, and technologies. These internal audits provide an independent perspective on Key’s processes and risks.

IA reviews and evaluates the scope and breadth of security activities throughout Key and the effectiveness of the IS Program. IA conducts independent internal audits on Key’s 44 Table of contents LOBs, operations, information systems, and technologies. These internal audits provide an independent perspective on Key’s processes and risks.

Key employs a variety of security practices and controls to protect information and assets, including, but not limited to, access controls, vulnerability scans, network monitoring, internal and external penetration testing, monitoring of vendor vulnerability notices and patch releases, scanning of systems and emails for malware and other vulnerabilities, firewalls and intrusion detection and prevention systems, and dedicated security personnel.

Key employs a variety of security practices and controls to protect information and assets, including, but not limited to, access controls, vulnerability scans, network monitoring, internal and external penetration testing, monitoring of vendor vulnerability notices and patch releases, firewalls and intrusion detection and prevention systems, and dedicated security personnel.

Privacy Compliance, which sits within Compliance Risk Management, provides advisory support, governance, and oversight of privacy-related statutes, regulations, and risks related to Key’s customers, employees, and other individuals from who Key collects personally identifiable information. • Third Line of Defense – Risk Review Group (RRG).

Risk-based due diligence can also include an assessment of the strength of certain control areas, including, but not limited to, information security management, physical security, network security, platform security, application security, cloud security, encryption management, business resiliency, and privacy.

Key’s third party onboarding process includes risk-based due diligence and security-relevant contract language. Risk-based due diligence can also include an assessment of the strength of certain control areas, including, but not limited to, information security management, physical security, network security, platform security, application security, cloud security, encryption management, business resiliency, and privacy.

Any identified gaps are risk rated, issued a due date for remediation, and tracked through completion of remediation. Remediation is then verified by the RRG. 45 Table of contents

Any identified gaps are risk rated, issued a due date for remediation, and tracked through completion of remediation. Remediation is then verified by IA.

The CISO provides updates to the Audit Committee on cybersecurity matters at each regularly scheduled Committee meeting (six times in 2024). The CISO’s update to the Committee generally address the cybersecurity threat landscape, information security trends, strategic initiatives related to information security, and cybersecurity program reviews.

The CISO provides regular updates on cybersecurity matters to the Audit Committee (six times in 2025). These updates typically address the cybersecurity threat landscape, information security trends, strategic initiatives related to information security, and cybersecurity program reviews.

The CISO provides updates to the Board as needs arise and from time to time. 44 Table of contents Key’s Deputy CISO leads the Corporate Information Security function, including the Cyber Defense Center, Identity & Access Management Operations, Information Security Governance and Data Protection, and Security Architecture, Engineering and Platform Operations.

Key’s Deputy CISO leads the Corporate Information Security function, including Cyber Defense, Identity & Access Management, Information Security Governance and Data Protection, and Security Architecture, Engineering and Platform Operations.

We have also incurred, and may continue to incur, expenses to enhance our systems or processes to protect against cyber or other security incidents. For more information, see “Risk Factors—We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption” in Item 1A.

For more information, see “Risk Factors—We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption” in Item 1A. Risk Factors of this report.

Key also engages external advisors periodically to perform security posture assessments of our environment to proactively identify weakness within our security policy and/or configurations. Summary level results from these assessments are shared to internal stakeholders through Key’s Risk Governance committee structure. Key is also subject to cybersecurity and privacy regulatory exams, as required by law for financial institutions.

We also engage external providers periodically to perform a maturity assessment of the IS Program against industry cybersecurity frameworks and to perform security posture assessments of our environment to proactively identify weakness within our security policy and/or configurations. Summary level results from these assessments are shared to internal stakeholders through Key’s Risk Governance committee structure.

To date, Key has not experienced material disruption to our operations, or material harm to our client base, from cyberattacks. However, we have incurred, and may again incur, expenses related to the investigation of cybersecurity incidents involving third-party providers or related to the protection of our clients from identity theft as a result of such incidents.

However, we have incurred, and may again incur, expenses related to the investigation of cybersecurity incidents involving third-party providers or related to the protection of our clients from identity theft as a result of such incidents. We have also incurred, and may continue to incur, expenses to enhance our systems or processes to protect against cyber or other security incidents.

At the management level, our Enterprise Risk Management (ERM) Committee, chaired by the Chief Executive Officer and comprising other senior level executives, including the Chief Information Officer, reports to the Board’s Risk Committee and is responsible for managing risk, including cybersecurity risk.

At the management level, our ERM Committee, chaired by the Chief Risk Officer and comprising other senior level executives, including the Chief Information Officer, reports to the Board’s Risk Committee and supports the management of all risks by providing governance, direction, oversight and high-level management of risk.

The Board’s Risk Committee exercises primary oversight over enterprise-wide risk at Key, including operational risk, which includes cybersecurity risk, and provides oversight of management’s activities related to cybersecurity risk. The Board’s Audit Committee monitors and exercises oversight over cybersecurity risk as part of its joint oversight of operational risk with the Risk Committee.

The Board’s Risk Committee exercises primary oversight over enterprise-wide risk at Key, including technology risk, which includes (but is not limited to) cybersecurity, business resiliency, and other technology-related risks, and provides oversight of management’s activities related to the same.

As part of its cybersecurity risk management strategy, Key regularly reviews its security and privacy controls in the context of industry standard practices, frameworks, evolving laws, and changing client expectations. Key engages external providers periodically to perform a maturity assessment of the IS Program against industry cybersecurity frameworks.

As part of its cybersecurity risk management strategy, Key regularly reviews its security and privacy controls in the context of industry standard practices, frameworks, evolving laws, and changing client expectations. Annually, we benchmark ourselves against industry-leading frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework and the Cyber Risk Institute Profile.

Risks and exposures related to cybersecurity incidents are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of cybersecurity threats and geopolitical events, as well as due to the expanding use of Internet and mobile banking and other technology-based products and services utilized by us and our clients, including products and services that utilize the cloud and artificial intelligence (AI), among other emerging technologies.

Risks and exposures related to cybersecurity incidents are expected to remain high for the foreseeable future due to the rapidly evolving nature and increasing sophistication of cybersecurity threats and geopolitical events, as well as the fact that threat actors frequently target technologies and systems commonly used by us and our clients.

The CISO also updates the Risk Committee on cybersecurity matters and on Key’s compliance with the Gramm-Leach-Bliley Act on an annual basis and presents the Information Security Policy for approval. The CISO, along with Key’s Deputy CISO, also report annually to the Technology Committee to obtain approval on Key’s Cyber Strategy and Investment Plan.

The CISO also provides regular updates to the Risk Committee on cybersecurity matters as well as Key’s compliance with the Gramm-Leach-Bliley Act (at least 45 Table of contents annually) and presents the Information Security Policy for Risk Committee approval.

The Board’s Technology Committee provides additional oversight of management’s activities related to Key’s technology strategic investment plan, cybersecurity investments, and major technology vendor relationships and is expected to escalate to the Risk Committee on certain risk management issues.

The Board’s Technology Committee, in consultation with the Risk Committee, provides additional oversight of the technology-related risks listed above, and is expected to escalate to the Risk Committee on certain risk management issues.

The ERM Committee directly oversees the Operational Risk Committee, which provides governance, direction, oversight, and high-level management of operational risk, including cybersecurity risk, and includes senior management representation from the LOB and support areas. The CISO is a voting member of the Operational Risk Committee.

The ERM Committee serves as a senior level forum for review and discussion of material risk issues, including cybersecurity risk. The Operational Risk Committee also reports to the Board’s Risk Committee and provides governance, direction, and oversight of operational risks, including technology risks, and includes senior management representation from the LOB and support areas.

With respect to third party service providers, Key maintains a third party management program that is designed to identify, review, monitor, escalate, and, if necessary, remediate third party information security risks. Key’s third party onboarding process includes risk-based due diligence and security-relevant contract language.

These exercises are intended to test our response to potential incidents and assess the procedures outlined in our incident response playbooks. With respect to third party service providers, Key maintains a third party management program that is designed to identify, review, monitor, escalate, and, if necessary, remediate third party information security risks.

Removed

In addition, our management team from time to time participates in cybersecurity tabletop exercises that simulate cybersecurity incidents. These exercises are intended to test our response to potential incidents and assess the procedures outlined in our incident response playbooks.

Added

In addition, our use of emerging technology-based products and services, including cloud computing and artificial intelligence may introduce new and evolving cybersecurity risks and may create additional avenues for exploitation by threat actors. To date, Key has not experienced material disruption to our operations, or material harm to our client base, from cyberattacks.

Removed

The ERM Committee serves as a senior level forum for review and discussion of material operational risk issues, including cybersecurity risk, and receives regular updates from the CISO regarding cybersecurity risk.

Added

Key is also subject to cybersecurity and privacy regulatory exams, as required by law for financial institutions operating in the U.S. Key has implemented cybersecurity, privacy, and fraud education and awareness programs across the enterprise to educate teammates on how to identify and report cybersecurity and privacy concerns.

Removed

The Operational Risk Committee also includes subcommittees which, among other things, address security issues and concerns, pursue security-related program enhancements, address fraud trends, provide input on fraud strategy, weigh the impacts of fraud risk on customers, business clients, and the LOB, and cascades awareness of fraud risks across Key.

Added

The Technology Committee also oversees major technology investments supporting Key’s strategic objectives in areas such as cybersecurity, fraud and data, project management, technology strategy, technology innovation, and emerging technology trends. The Board’s Audit Committee also shares in oversight of cybersecurity risk.

Added

In addition, the CISO, together with Key’s Deputy CISO, reports annually to the Technology Committee to seek approval of Key’s Cyber Strategy and Investment Plan. The CISO provides additional updates to the Board and its committees as circumstances warrant.

Added

The Chief Information Officer is a voting member of the Operational Risk Committee. The Operational Risk Committee also includes subcommittees, including the Security & Technology Committee (the “SecTec Committee”). The SecTec Committee is responsible for ensuring a cohesive and coordinated approach to security and technology risk management and provides an enterprise-wide perspective of security and technology risk management.

Item 2. Properties

Properties — owned and leased real estate

2 edited+0 added−0 removed2 unchanged

2024 filing

2025 filing

Biggest changeIn addition, Key owned two buildings in Brooklyn, Ohio, with office space that it operated from and totaling 584,930 square feet at December 31, 2024. Our office space is used by all of our segments. As of the same date, KeyBank owned 410 branches and leased 534 branches.

Biggest changeIn addition, Key owns two buildings in Brooklyn, Ohio, with office space that it operated from and totaling 584,930 square feet at December 31, 2025. Our office space is used by all of our segments. As of the same date, KeyBank owned 408 branches and leased 532 branches.

At December 31, 2024, Key leased approximately 375,414 square feet of the complex, encompassing the first floor branch, the 2nd, 3rd and 5th through 9th office floors, the 12th floor, and the 54th through 56th floors of the 57-story Key Center.

At December 31, 2025, Key leased approximately 375,414 square feet of the complex, encompassing the first floor branch, the 2nd, 3rd and 5th through 9th office floors, the 12th floor, and the 54th through 56th floors of the 57-story Key Center.

Item 5. Market for Registrant's Common Equity

Market for Common Equity — stock, dividends, buybacks

3 edited+6 added−4 removed2 unchanged

2024 filing

2025 filing

Biggest changeFrom time to time, KeyCorp or its principal subsidiary, KeyBank, may seek to retire, repurchase, or exchange outstanding debt of KeyCorp or KeyBank, and capital securities or preferred stock of KeyCorp, through cash purchase, privately negotiated transactions, or otherwise. Such transactions, if any, depend on prevailing market conditions, our liquidity and capital requirements, contractual restrictions, and other factors.

Biggest changeSuch transactions, if any, depend on prevailing market conditions, our liquidity and capital requirements, contractual restrictions, and other factors. The amounts involved may be material.

Management’s Discussion and Analysis of Financial Condition and Results of Operations are incorporated herein by reference: Page(s) Discussion of dividends in the section captioned “Capital — Dividends” 73 Discussion of our common shares, shareholder information, and repurchase activities in the section captioned “Capital — Common Shares outstanding” 73 The following graph compares the price performance of our Common Shares (based on an initial investment of $100 on December 31, 2019, and assuming reinvestment of dividends) with that of the S&P 500 Index and a group of other banks that constitute our peer group.

Management’s Discussion and Analysis of Financial Condition and Results of Operations are incorporated herein by reference: Page(s) Discussion of dividends in the section captioned “Capital — Dividends” 71 Discussion of our common shares, shareholder information, and repurchase activities in the section captioned “Capital — Common Shares outstanding” 71 The following graph compares the price performance of our Common Shares (based on an initial investment of $100 on December 31, 2020, and assuming reinvestment of dividends) with that of the S&P 500 Index and a group of other banks that constitute our peer group.

See Note 24 (“Shareholders' Equity”) for more information regarding share repurchases. 47 Table of contents Calendar month Total number of shares repurchased (a) Average price paid per share Total number of shares purchased as part of publicly announced plans or programs Dollar value of shares that may yet be purchased as part of publicly announced plans or programs (b) October 1 - 31 236 $ 17.21 — $ — November 1 - 30 103,712 19.49 — — December 1 -30 262 18.84 — — Total 104,210 $ 19.48 — (a) Includes Common Shares deemed surrendered by employees in connection with our stock compensation and benefit plans to satisfy tax obligations.

Calendar month Total number of shares repurchased (a) Average price paid per share Total number of shares purchased as part of publicly announced plans or programs Dollar value of shares that may yet be purchased as part of publicly announced plans or programs October 1 - 31 3,862,365 $ 17.51 3,862,365 $ 932,387,436 November 1 - 30 4,936,115 17.53 4,935,995 845,836,562 December 1 - 31 2,311,170 20.19 2,310,402 799,200,798 Total 11,109,650 $ 18.08 11,108,762 (a) Includes Common Shares deemed surrendered by employees in connection with our stock compensation and benefit plans to satisfy tax obligations.

Removed

The amounts involved may be material. We did not complete any open market share repurchases in 2024, and have no Board-approved repurchase authorizations outstanding. During 2024, Key repurchased $28 million of shares related to equity compensation programs.

Added

Assumes $100 investment at close of market on December 31, 2020, and reinvestment of dividends.

Removed

On August 30, 2024, KeyCorp issued 47,829,359 Common Shares for approximately $821 million in gross proceeds to Scotiabank pursuant to the first closing under the Investment Agreement. On December 27, 2024, Scotiabank completed the second and final purchase of 115,042,316 Common Shares under the Investment Agreement with an investment of approximately $2.0 billion in gross proceeds.

Added

Total return = price change Base Period 2021 2022 2023 2024 2025 5-year compound growth rate KeyCorp $ 100 $ 145.92 $ 114.27 $ 101.10 $ 126.73 $ 159.96 12.85 % S&P 500 100 128.71 105.40 133.10 166.40 196.16 15.96 % Peer Companies 100 133.52 110.70 109.38 138.10 161.52 11.69 % From time to time, KeyCorp or its principal subsidiary, KeyBank, may seek to retire, repurchase, or exchange outstanding debt of KeyCorp or KeyBank, and capital securities or preferred stock of KeyCorp, through cash purchase, privately negotiated transactions, or otherwise.

Removed

These acquisitions were exempt from registration under the Securities Act of 1933, as amended (“Securities Act”), by virtue of the exemption provided by Section 4(a)(s) of the Securities Act. The following table summarizes our repurchases of our Common Shares for the three months ended December 31, 2024.

Added

On March 13, 2025, our Board of Directors authorized a share repurchase program pursuant to which we may purchase up to $1.0 billion of KeyCorp common shares, in the open market or in privately negotiated transactions. During the fourth quarter of 2025, we began repurchasing shares under the share repurchase program.

Removed

We did not complete any open market share repurchases in the fourth quarter of 2024.

Added

The timing and price of repurchases as well as the actual number of shares repurchased under the program will be at the discretion of KeyCorp and will depend on a variety of factors, including general market conditions, the stock price, regulatory requirements and limitations, corporate liquidity requirements, and other factors. 48 Table of contents As contemplated by the Investment Agreement, dated as of August 12, 2024, between KeyCorp and Scotiabank, in February 2025, we entered into an agreement with Scotiabank to permit Scotiabank to participate, through a periodic “true-up” right, in any repurchase by KeyCorp of its common stock on a pro rata basis.

Added

In the fourth quarter of 2025, Key completed $200 million, or approximately 11.1 million shares, in share repurchases including $17 million, or approximately 0.9 million shares, from Scotiabank pursuant to our repurchase agreement described above. We repurchased less than $1 million of shares related to equity compensation programs in the fourth quarter of 2025.

Added

During 2025, Key repurchased $35 million of shares related to equity compensation programs. The following table summarizes our repurchases of our common shares for the three months ended December 31, 2025. See Note 21 (“Shareholders' Equity”) for more information regarding share repurchases.

Item 7. Management's Discussion & Analysis

Management's Discussion & Analysis (MD&A) — revenue / margin commentary

211 edited+60 added−78 removed109 unchanged

2024 filing

2025 filing

Biggest changeThe table below depicts our risk management hierarchy and associated responsibilities and activities of each group. 77 Table of contents Group Overview and Responsibilities Activities Board of Directors – Oversight capacity – Oversees that Key’s risks are managed in a manner that is effective and balanced – Fiduciary duty to Key’s shareholders – Understands Key's risk philosophy – Approves the risk appetite – Inquires about risk practices – Reviews the portfolio of risks – Compares the actual risks to the risk appetite – Is apprised of significant risks, both actual and emerging, and determines whether management is responding appropriately – Challenges management and promotes accountability Board of Directors Audit Committee (a) – Assists the Board in oversight of financial statement integrity, regulatory and legal requirements, independent auditors’ qualifications and independence, and the performance of the internal audit function and independent auditors – Assists the Board in oversight of financial reporting, legal matters, and fraud risk – Meets with management and approves significant policies relating to the risk areas overseen by the Audit Committee – Receives reports on enterprise risk – Meets bi-monthly – Convenes to discuss the content of our financial disclosures and quarterly earnings releases Board of Directors Risk Committee (a) – Assists the Board in oversight of strategies, policies, procedures, and practices relating to the assessment and management of enterprise-wide risk, including credit, market, liquidity, model, operational, compliance, reputation, and strategic risks – Assists the Board in overseeing risks related to capital adequacy, capital planning, and capital actions – Reviews and provides oversight of management’s activities related to the enterprise-wide risk management framework, which includes an annual review of the ERM Policy, including the Risk Appetite Statement, and management and ERM reports – Approves any material changes to the charter of the ERM Committee and significant policies relating to risk management, including corporate risk tolerances for major risk categories ERM Committee – Chaired by the Chief Executive Officer and comprising the Chief Risk Officer and other senior level executives – Manage risk and ensure that the corporate risk profile is managed in a manner consistent with our risk appetite – Oversees the ERM Program, which encompasses our risk philosophy, policy, framework, and governance structure for the management of risks across the entire company – Approves and manages the risk-adjusted capital framework we use to manage risks Disclosure Committee – Includes representatives from each of the Three Lines of Defense – Meets quarterly to review recent internal and external events to determine whether all appropriate disclosures have been made in reports filed with the SEC – Convenes quarterly to discuss the content of our 10-Q and 10-K Tier 2 Risk Governance Committees – Includes attendees from each of the Three Lines of Defense – The First Line of Defense is the line of business primarily responsible to accept, own, proactively identify, monitor, and manage risk – The Second Line of Defense comprises Risk Management representatives who provide independent, centralized oversight over all risk categories by aggregating, analyzing, and reporting risk information – Risk Review, our internal audit function, provides the Third Line of Defense.

Biggest changeThe table below depicts our risk management hierarchy and associated responsibilities and activities of each group. 75 Table of contents Group Overview and Responsibilities Activities Board of Directors • Oversight capacity • Oversees that Key’s risks are managed in a manner that is effective and balanced • Fiduciary duty to Key’s shareholders • Understands Key's risk philosophy • Approves the risk appetite • Inquires about risk practices • Reviews the portfolio of risks • Compares the actual risks to the risk appetite • Is apprised of significant risks, both actual and emerging, and determines whether management is responding appropriately • Challenges management and promotes accountability Board of Directors Risk Committee (a) • Assists the Board in oversight of strategies, policies, procedures, and practices relating to the assessment and management of enterprise-wide risk, including credit, market, liquidity, model, operational, compliance, strategic, and technology risks • Assists the Board in overseeing risks related to capital adequacy, capital planning, and capital actions • Reviews and provides oversight of management’s activities related to the enterprise-wide risk management framework, which includes an annual review of the ERM Policy, including the Risk Appetite Statement, and management and ERM reports • Approves any material changes to Executive Level (Level II) Risk Governance Committee charters and significant policies relating to risk management, including corporate risk metrics for major risk categories Board of Directors Compensation & Organization Committee (a) • Assists the Board in oversight of compensation policies and practices to support Key’s efforts to attract, retain, develop, motivate, and reward a high performing and collaborative workforce to achieve its business objectives • Oversees compensation for Key’s Board-Reported Executives, talent management and organizational development, including succession planning, leadership development and strategic hiring objectives Board of Directors Nominating & Corporate Governance Committee (a) • Assists the Board with oversight of corporate governance matters and Key’s policies and practices on significant issues of corporate responsibility • Oversees the evaluation of the Board, the directors, and the Lead Director • Provides guidance on Board-related matters, including director candidates, director compensation, director independence, the Board committee structure, and succession planning matters • Reviews the Corporate Governance Guidelines • Provides oversight with respect to community investment strategy Board of Directors Technology Committee (a) • Assists the Board with oversight of major technology investments and technology risks • Supports Key’s strategic objectives in areas such as cybersecurity, fraud, and data, project management, technology strategy, technology innovation, and emerging technology trends • In consultation with the Risk Committee, oversees technology-related risks including (but not limited to) cybersecurity, business resiliency, and other technology-related risks as necessary and appropriate Board of Directors Audit Committee (a) • Assists the Board in oversight of financial statement integrity, regulatory and legal requirements, independent auditors’ qualifications and independence, and the performance of the internal audit function and independent auditors • Assists the Board in oversight of financial reporting, legal matters, and fraud risk • Meets with management and approves significant policies relating to the risk areas overseen by the Audit Committee • Receives reports on enterprise risk • Convenes to discuss the content of our financial disclosures and quarterly earnings releases Executive Level (Level II) Risk Governance Committees • Includes ERM Committee, Asset Liability Committee, Capital Committee, Credit Risk Committee, Compliance Risk Committee, and Operational Risk Committee, as well as the Compensation & Benefits Oversight Committee and the Disclosure Committee.

Our non-owner-occupied portfolio is focused on operators of commercial real estate who not only utilize our loan products, but also our broader industry-focused products and services and provide consistent pipelines into our agency, CMBS, and other long-term market take out products.

Our non-owner-occupied portfolio is focused on operators of commercial real estate who not only utilize our loan products, but also utilize our broader industry-focused products and services and provide consistent pipelines into our agency, CMBS, and other long-term market take out products.

The difference between these two scenarios would have driven an increase of approximately 1.6x for commercial and 1.7x for the consumer modeled allowance results. Similarly, deteriorating conditions for portfolio factors were also considered by moderately stressing key portfolio drivers, relative to the baseline portfolio conditions.

The difference between these two scenarios would have driven an increase of approximately 1.7x for commercial and 1.6x for the consumer modeled allowance results. Similarly, deteriorating conditions for portfolio factors were also considered by moderately stressing key portfolio drivers, relative to the baseline portfolio conditions.

As changes occur to both the configuration of the balance sheet and the outlook for the economy, management proactively evaluates hedging opportunities that may change our interest rate risk profile. Simulations are also conducted that measure the effect of changes in market interest rates in the second and third years of a three-year horizon.

As changes occur to both the configuration of the balance sheet and the outlook for the economy, management proactively evaluates hedging opportunities that may change the interest rate risk profile. Simulations are also conducted that measure the effect of changes in market interest rates in the second and third years of a three-year horizon.

The committees mentioned above regularly review liquidity and funding summaries, liquidity trends, peer comparisons, variance analyses, liquidity projections, internal liquidity stress tests, and goal tracking reports. The reviews generate a discussion of positions, trends, and directives on liquidity risk and shape a number of our decisions.

These committees mentioned above regularly review liquidity and funding summaries, liquidity trends, peer comparisons, variance analyses, liquidity projections, internal liquidity stress tests, and goal tracking reports. The reviews generate a discussion of positions, trends, and directives on liquidity risk and shape a number of our decisions.

Risk Review reports the results of reviews on internal controls and systems to senior management and the Audit Committee and updates the Risk Committee, as appropriate, on matters related to the oversight of these controls. Cybersecurity For information on our cybersecurity risk management and governance practices, please see Item 1C. Cybersecurity of this report.

Internal Audit reports the results of reviews on internal controls and systems to senior management and the Audit Committee and updates the Risk Committee, as appropriate, on matters related to the oversight of these controls. Cybersecurity For information on our cybersecurity risk management and governance practices, please see Item 1C. Cybersecurity of this report.

The tax benefit recorded and increased effective tax rate for the year resulted primarily from the $1.8 billion loss on the sales of securities incurred as part of a strategic repositioning of our securities portfolio.

The tax benefit recorded and increased effective tax rate for the 2024 year resulted primarily from the $1.8 billion loss on the sales of securities incurred as part of a strategic repositioning of our securities portfolio.

Regardless of the lien position, credit metrics are refreshed quarterly, including recent FICO scores as well as updated loan-to-value ratios. This information is used in establishing the ALLL. Our methodology is described in Note 1 (“Summary of Significant Accounting Policies”) under the heading “Allowance for Loan and Lease Losses”. Figure 11 presents our consumer loans by geography. Figure 11.

Regardless of the lien position, credit metrics are refreshed quarterly, including recent FICO scores as well as updated loan-to-value ratios. This information is used in establishing the ALLL. Our methodology is described in Note 1 (“Summary of Significant Accounting Policies”) under the heading “Allowance for Loan and Lease Losses”. Figure 12 presents our consumer loans by geography. Figure 12.

These are primarily associated with commercial real estate loans administered or serviced. Additional information about this recourse arrangement is included in Note 22 (“Commitments, Contingent Liabilities, and Guarantees”) under the heading “Recourse agreement with FNMA.” We derive income from several sources when retaining the right to administer or service loans that are sold.

These are primarily associated with commercial real estate loans administered or serviced. Additional information about this recourse arrangement is included in Note 19 (“Commitments, Contingent Liabilities, and Guarantees”) under the heading “Recourse agreement with FNMA.” We derive income from several sources when retaining the right to administer or service loans that are sold.

Key concluded it was not more likely than not that goodwill was impaired as of October 1, 2024, our annual testing date. Additionally, we monitored events and circumstances during the period from October 1, 2024 through December 31, 2024, including macroeconomic and market factors, industry and banking sector events, Key specific performance indicators, and updated management forecasts.

Key concluded it was not more likely than not that goodwill was impaired as of October 1, 2025, our annual testing date. Additionally, we monitored events and circumstances during the period from October 1, 2025 through December 31, 2025, including macroeconomic and market factors, industry and banking sector events, Key specific performance indicators, and updated management forecasts.

Market risk weighted assets, including the specific risk calculations, are run quarterly by MTRM in accordance with the Market Risk Rule, and approved by the Chief Market Risk Officer.

Market risk weighted assets, including the specific risk calculations, are run quarterly by MTRM in accordance with the Market Risk Rule, and approved by the Chief Market & Treasury Risk Officer.

For example, an operational event database tracks the amounts and sources of 90 Table of contents operational risk and losses. This tracking mechanism helps to identify weaknesses and to highlight the need to take corrective action. We also rely upon software programs designed to assist in assessing operational risk and monitoring our control processes.

For example, an operational event database tracks the amounts and sources of operational risk and losses. This tracking mechanism helps to identify weaknesses and to highlight the need to take corrective action. We also rely upon software programs designed to assist in assessing operational risk and 89 Table of contents monitoring our control processes.

To make it easier to compare both the results among several periods and the yields on various types of earning assets (some taxable, some not), we present net interest income in this discussion on a “TE basis” (i.e., as if all income were taxable and at the same rate).

To make it easier to compare both the results across several periods and the yields on various types of earning assets (some taxable, some not), we present net interest income in this discussion on a “TE basis” (i.e., as if all income were taxable and at the same rate).

Business Segment Results This section summarizes the financial performance of our two major business segments (operating segments): Consumer Bank and Commercial Bank. Note 25 (“Business Segment Reporting”) describes the products and services offered by each of these business segments and provides more detailed financial information pertaining to the segments. Dollars in the charts are presented in millions.

Business Segment Results This section summarizes the financial performance of our two major business segments (operating segments): Consumer Bank and Commercial Bank. Note 23 (“Business Segment Reporting”) describes the products and services offered by each of these business segments and provides more detailed financial information pertaining to the segments. Dollars in the charts are presented in millions.

(b) Weighted-average yields are calculated based on amortized cost. Such yields have been adjusted to a TE basis using the statutory federal income tax rate in effect that calendar year. 71 Table of contents Deposits and other sources of funds Figure 18.

(b) Weighted-average yields are calculated based on amortized cost. Such yields have been adjusted to a TE basis using the statutory federal income tax rate in effect that calendar year. 69 Table of contents Deposits and other sources of funds Figure 18.

The primary components of interest rate risk exposure consist of reprice risk, yield curve risk, option risk, and basis risk. • “Reprice risk ” is the exposure to changes in the level of interest rates and occurs when the volume of interest-bearing liabilities and the volume of interest-earning assets they fund (e.g., deposits used to fund loans) do not mature or reprice at the same time. • “Yield curve risk” is the exposure to non-parallel changes in the slope of the yield curve (where the yield curve depicts the relationship between the yield on a particular type of security and its term to maturity) and occurs when interest-bearing liabilities and the interest-earning assets that they fund do not price or reprice to the same term point on the yield curve. • “Option risk” is the exposure to a customer or counterparty’s ability to take advantage of the interest rate environment and terminate or reprice one of our assets, liabilities, or off-balance sheet instruments prior to contractual maturity.

The primary components of interest rate risk exposure consist of reprice risk, basis risk, yield curve risk, and option risk. • “Reprice risk” is the exposure to changes in the level of interest rates and occurs when the volume of interest-bearing liabilities and the volume of interest-earning assets they fund (e.g., deposits used to fund loans) do not mature or reprice at the same time. • “Yield curve risk” is the exposure to nonparallel changes in the slope of the yield curve (where the yield curve depicts the relationship between the yield on a particular type of security and its term to maturity) and occurs when interest-bearing liabilities and the interest-earning assets that they fund do not price or reprice to the same term point on the yield curve. • “Option risk” is the exposure to a customer or counterparty’s ability to take advantage of the interest rate environment and terminate or reprice one of our assets, liabilities, or off-balance sheet instruments prior to contractual maturity.

This approach considers the funding sources available to each entity, as well as each entity’s capacity to manage through adverse conditions. The management of consolidated liquidity risk is centralized within Corporate Treasury. Oversight and governance is provided by the Board, the ERM Committee, the ALCO, the TROC, and the Chief Risk Officer.

Liquidity management involves maintaining sufficient and diverse sources of funding to accommodate planned, as well as unanticipated, changes in assets and liabilities under both normal and adverse conditions. Governance structure We manage liquidity for all of our affiliates on a consolidated basis.

Liquidity management involves maintaining sufficient and diverse sources of funding to accommodate planned, as well as unanticipated, changes in cash flows of assets and liabilities under both normal and adverse conditions. Governance structure We manage liquidity for all of our affiliates on a consolidated basis.

(b) See Figure 9 and the accompanying discussion in the “Loans and loans held for sale” section for more information related to our commercial loan portfolio. (c) Included in “accrued expense and other liabilities” on the balance sheet. Nonperforming assets Figure 33 shows the composition of our nonperforming assets.

(b) See Figure 10 and the accompanying discussion in the “Loans and loans held for sale” section for more information related to our commercial loan portfolio. (c) Included in “accrued expense and other liabilities” on the balance sheet. Nonperforming assets Figure 33 shows the composition of our nonperforming assets.

Our commercial real estate portfolio includes project loans primarily focused in market-rate and affordable multi-family housing loans, owner-occupied commercial and industrial operating company buildings, and community center grocer-anchored retail centers. These three commercial real estate segments make up 75% of our commercial real estate portfolio.

Regular stress tests and sensitivity analyses are performed on the model inputs that could materially change the resulting risk assessments. Assessments are performed using different yield curve shapes, including steepenings or flattenings of the curve, immediate changes in market interest rates, and changes in the relationship of money market interest rates.

Regular sensitivity analyses are performed on the model inputs that could materially change the resulting risk assessments. Assessments are performed using different yield curve shapes, including steepenings or flattenings of the curve, immediate changes in market interest rates, and changes in the relationship of money market interest rates.

Figure 19 presents estimated uninsured deposits for the noted periods which reflect amounts disclosed in KeyBank’s Call Report adjusted for intercompany deposits, which are not customer facing and are eliminated in consolidation, and accrued interest. 72 Table of contents Figure 19.

Federal banking law limits the amount of capital distributions that a bank can make to its holding company without prior regulatory approval. A national bank’s dividend-paying capacity is affected by several factors, including net profits (as defined by statute) for the two previous calendar years and for the current year, up to the date of dividend declaration.

Further information about our loan commitments at December 31, 2024, is presented in Note 22 (“Commitments, Contingent Liabilities, and Guarantees”) under the heading “Commitments to Extend Credit or Funding.” Other off-balance sheet arrangements Other off-balance sheet arrangements include financial instruments that do not meet the definition of a guarantee in accordance with the applicable accounting guidance, and other relationships, such as liquidity support provided to asset-backed commercial paper conduits, indemnification agreements and intercompany guarantees.

Further information about our loan commitments at December 31, 2025, is presented in Note 19 (“Commitments, Contingent Liabilities, and Guarantees”) under the heading “Commitments to Extend Credit or Funding.” Other off-balance sheet arrangements Other off-balance sheet arrangements include financial instruments that do not meet the definition of a guarantee in accordance with the applicable accounting guidance, and other relationships, such as liquidity support provided to asset-backed commercial paper conduits, indemnification agreements and intercompany guarantees.

Future cash 95 Table of contents flows are based on multi-year forecasts for each reporting unit and include inputs and assumptions such as net interest margin, expected credit losses, noninterest income, noninterest expense, and required capital. A terminal growth rate is estimated for each reporting unit based on market expectations of inflation and economic conditions in the financial services industry.

Future cash flows are based on multi-year forecasts for each reporting unit and include inputs and assumptions such as net interest margin, expected credit losses, noninterest income, noninterest expense, and required capital. A terminal growth rate is estimated for each reporting unit based on market expectations of inflation and economic conditions in the financial services industry.

While we believe these credit ratings, under normal conditions in the capital markets, will enable KeyCorp or KeyBank to issue fixed income securities to investors, downgrades in our credit ratings could increase our cost of funds, trigger additional collateral or funding requirements, and decrease the number of investors and counterparties willing to lend to us. Figure 27.

Figure 23 summarizes our VaR at the 99% confidence level with a one day holding period for significant portfolios of covered positions for the three months ended December 31, 2024, and December 31, 2023. Figure 23.

Figure 23 summarizes our VaR at the 99% confidence level with a one day holding period for significant portfolios of covered positions for the three months ended December 31, 2025, and December 31, 2024. Figure 23.

Corporate Treasury discretionary activities related to funding, investing, and hedging may also change as a result of changes in customer business flows or changes in management’s desired interest rate risk positioning.

Corporate Treasury’s discretionary activities related to funding, investing, and hedging may also change as a result of changes in customer business flows or changes in management’s desired interest rate risk positioning.

Additional information regarding the nature of VIEs and our involvement with them is included in Note 1 (“Summary of Significant Accounting Policies”) under the heading “Principles of Consolidation and Basis of Presentation” and in Note 13 (“Variable Interest Entities”). 75 Table of contents Commitments to extend credit or funding Loan commitments provide for financing on predetermined terms as long as the client continues to meet specified criteria.

Additional information regarding the nature of VIEs and our involvement with them is included in Note 1 (“Summary of Significant Accounting Policies”) under the heading “Principles of Consolidation and Basis of Presentation” and in Note 12 (“Variable Interest Entities”). 73 Table of contents Commitments to extend credit or funding Loan commitments provide for financing on predetermined terms as long as the client continues to meet specified criteria.

These committees and the Operational Risk Management and Compliance Risk Management functions are an integral part of our ERM Program. Our Risk Review function regularly assesses the overall effectiveness of our Operational Risk Management and Compliance Risk Management Programs and our system of internal controls.

These committees and the Operational Risk Management and Compliance Risk Management functions are an integral part of our ERM Program. Our Internal Audit function regularly assesses the overall effectiveness of our Operational Risk Management and Compliance Risk Management Programs and our system of internal controls.

Stressing risk ratings by two ratings for commercial loans generates a 1.5x increase in the commercial modeled allowance results. Stressing FICO by ten points, and LTV and utilization by 10% for consumer loans generates a 1.2x increase in the consumer modeled allowance results.

Stressing risk ratings by two ratings for commercial loans generates a 1.5x increase in the commercial modeled allowance results. Stressing FICO by ten points, and LTV and utilization by 10% for consumer loans generates a 1.1x increase in the consumer modeled allowance results.

We generally issue term debt to supplement dividends from KeyBank to manage our liquidity position at or above our targeted levels. The parent company generally maintains cash and short-term investments in an amount sufficient to meet projected debt maturities over at least the next 24 months.

For individual obligors, we employ a sliding scale of exposure, known as hold limits, which is dictated by the type of loan and strength of the borrower. Allowance for loan and lease losses We estimate the appropriate level of the ALLL on at least a quarterly basis.

For individual obligors, we employ a sliding scale of exposure, known as hold limits, which is dictated by the type of loan and strength of the borrower. 85 Table of contents Allowance for loan and lease losses We estimate the appropriate level of the ALLL on at least a quarterly basis.

Management believes adjusting for the selected items provide investors with useful information to gain a better understanding of ongoing operations and enhance comparability of results with prior periods, as well as demonstrate the effects of the financial impacts related to those selected items.

Management believes adjusting for significant or unusual items provide investors with useful information to gain a better understanding of ongoing operations and enhance comparability of results with prior periods, as well as demonstrate the effects of the financial impacts related to those selected items.

We continue to be recognized by multiple organizations for our dedication to creating an environment where all employees are treated with respect and empowered to bring their authentic selves to work. Business Outlook Consistent with the forward guidance we provided on January 21, 2025, we expect these results for full year 2025 versus full year 2024.

We continue to be recognized by multiple organizations for our dedication to creating an environment where all employees are treated with respect and empowered to bring their authentic selves to work. Business Outlook Consistent with the forward guidance we provided on January 20, 2026, we expect these results for full year 2026 versus full year 2025.

In 2024, our federal tax expense and effective tax rate differ from the amount that would be calculated using the federal statutory tax rate primarily due to investments in tax-advantaged assets, such as corporate-owned life insurance, and tax credits associated with low-income housing investments, and periodic adjustments to our tax reserves as described in Note 14 (“Income Taxes”).

In 2025, our federal tax expense and effective tax rate differ from the amount that would be calculated using the federal statutory tax rate primarily due to investments in tax-advantaged assets, such as corporate-owned life insurance, and tax credits associated with low-income housing investments, and periodic adjustments to our tax reserves as described in Note 13 (“Income Taxes”).

EVE policy limits are measured against a +/-200 basis point scenario subject to a floor on market interest rates at zero. This analysis is highly dependent 82 Table of contents upon assumptions applied to assets and liabilities with non-contractual maturities. Those assumptions are based on historical behaviors, as well as forward expectations.

EVE policy limits are measured against a +/-200 basis point scenario subject to a floor on market interest rates at zero. This analysis is highly dependent upon assumptions applied to assets and liabilities with non-contractual maturities. Those assumptions are based on historical behaviors, as well as forward expectations.

The aggregate market value of the securitization positions as defined by the Market Risk Rule was $24 million at December 31, 2024, all of which were mortgage-backed security positions. Specific risk is the price risk of individual financial instruments, which is not accounted for by changes in broad market risk factors and is measured through a standardized approach.

The aggregate market value of the securitization positions as defined by the Market Risk Rule was $19 million at December 31, 2025, all of which were mortgage-backed security positions. Specific risk is the price risk of individual financial instruments, which is not accounted for by changes in broad market risk factors and is measured through a standardized approach.

See Note 1 under the heading “Fair Value Measurements” and Note 6 (“Fair Value Measurements”) for a detailed discussion of determining fair value, including pricing validation processes.

See Note 1 under the heading “Fair Value Measurements” and Note 5 (“Fair Value Measurements”) for a detailed discussion of determining fair value, including pricing validation processes.

VaR for Significant Portfolios of Covered Positions 2024 2023 Three months ended December 31, Three months ended December 31, Dollars in millions High Low Mean December 31, High Low Mean December 31, Trading account assets: Fixed income $ 1.3 $ .4 $ .9 $ .8 $ 1.3 $ .7 $ 1.1 $ 1.1 Derivatives: Interest rate $ .6 $ .4 $ .5 $ .5 $ .5 $ .3 $ .4 $ .4 Stressed VaR is calculated by running the portfolios through a predetermined stress period which is approved by the Market Risk Committee and is calculated at the 99% confidence level using the same model and assumptions used for general VaR.

VaR for Significant Portfolios of Covered Positions 2025 2024 Three months ended December 31, Three months ended December 31, Dollars in millions High Low Mean December 31, High Low Mean December 31, Trading account assets: Fixed income $ 1.3 $ .6 $ .9 $ .7 $ 1.3 $ .4 $ .9 $ .8 Derivatives: Interest rate $ .2 $ .1 $ .1 $ .1 $ .6 $ .4 $ .5 $ .5 78 Table of contents Stressed VaR is calculated by running the portfolios through a predetermined stress period which is approved by the Market Risk Committee and is calculated at the 99% confidence level using the same model and assumptions used for general VaR.

It is not unusual to make exceptions to established policies when mitigating circumstances dictate, however, a corporate level tolerance has been established to keep exceptions at an acceptable level based upon portfolio and economic considerations. 86 Table of contents Our credit risk management team uses risk models to evaluate consumer loans.

It is not unusual to make exceptions to established policies when mitigating circumstances dictate, however, a corporate level tolerance has been established to keep exceptions at an acceptable level based upon portfolio and economic considerations. Our credit risk management team uses risk models to evaluate consumer loans.

(b) Excluded from the amortized cost of securities available for sale are basis adjustments for securities designated in active fair value hedges. Basis adjustments totaled $(6) million and $140 million as of December 31, 2024 and December 31, 2023, respectively. The securities being hedged are primarily U.S Treasuries, Agency RMBS, and Agency CMBS.

(b) Excluded from the amortized cost of securities available for sale are basis adjustments for securities designated in active fair value hedges. Basis adjustments totaled $99 million and $(6) million as of December 31, 2025 and December 31, 2024, respectively. The securities being hedged are primarily U.S Treasuries, Agency RMBS, and Agency CMBS.

Yield based on the fair value of securities available for sale was 3.08% and 2.10% for the twelve months ended December 31, 2024, and December 31, 2023, respectively. (f) A portion of long-term debt and the related interest expense is allocated to discontinued liabilities as a result of applying our matched funds transfer pricing methodology to discontinued operations.

Yield based on the fair value of securities available for sale was 3.99% and 3.08% for the twelve months ended December 31, 2025, and December 31, 2024, respectively. (f) A portion of long-term debt and the related interest expense is allocated to discontinued liabilities as a result of applying our matched funds transfer pricing methodology to discontinued operations.

We performed an annual qualitative impairment test for all three of our reporting units as of October 1, 2024. This test involved reviewing updated internal forecasts, evaluating market data, assessing reasonableness of critical assumptions used in the last quantitative goodwill impairment test and considering recent transactions and events that could impact the goodwill at each reporting unit.

We performed an annual qualitative impairment test for all three of our reporting units as of October 1, 2025. This test involved reviewing updated internal forecasts, evaluating market data, assessing reasonableness of critical assumptions used in the last quantitative goodwill impairment test and considering recent transactions and events that could impact the fair value of each reporting unit.

To review our financial condition and results of operations for 2022 and a comparison between the 2022 and 2023 results, see Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations of our 2023 Form 10-K filed with the SEC on February 22, 2024, which discussion is incorporated herein by reference.

To review our financial condition and results of operations for 2023 and a comparison between the 2023 and 2024 results, see Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations of our 2024 Form 10-K filed with the SEC on February 21, 2025, which discussion is incorporated herein by reference.

If fixed-rate assets increase by $1 billion, or fixed-rate liabilities decrease by $1 billion, then the potential benefit to declining rates would increase by approximately 23 basis points. A five percentage point increase or decrease in the interest-bearing deposit beta assumption changes the current simulation results by approximately 120 basis points.

If fixed-rate assets increase by $1 billion, or fixed-rate liabilities decrease by $1 billion, then the potential benefit to declining rates would increase by approximately 21 basis points. A five percentage point increase or decrease in the interest-bearing deposit beta assumption changes the current simulation results by approximately 97 basis points.

(c) For purposes of these computations, nonaccrual loans are included in average loan balances. (d) Commercial and industrial average loan balances include $215 million, $196 million, and $157 million of assets from commercial credit cards for the years ended December 31, 2024, December 31, 2023, and December 31, 2022, respectively.

(c) For purposes of these computations, nonaccrual loans are included in average loan balances. (d) Commercial and industrial average loan balances include $214 million, $196 million, and $157 million of assets from commercial credit cards for the years ended December 31, 2025, December 31, 2024, and December 31, 2023, respectively.

When liquidity pressure is elevated, positions are monitored more closely and reporting is more intensive. 83 Table of contents To ensure that emerging issues are identified, we monitor an extensive set of systematic and idiosyncratic early warning indicators daily. Factors affecting liquidity Our liquidity could be adversely affected by both direct and indirect events.

When liquidity pressure is elevated, positions are monitored more closely and reporting is more intensive. To ensure that emerging issues are identified, we monitor an extensive set of systemic and idiosyncratic early warning indicators daily. Factors affecting liquidity Our liquidity could be adversely affected by both direct and indirect events.

Additional consideration is given to the risk factors to estimate the exposures that contain optionality features, such as options and cancellable provisions. VaR is calculated using daily observations over a one-year time horizon, and approximates a 95% confidence level.

Additional consideration is given to the risk factors to estimate the exposures that contain optionality features, such as options and cancellable provisions. VaR is calculated using daily observations over a one-year lookback period and approximates a 95% confidence level.

As shown in Figure 10, our commercial real estate loan portfolio includes various property types and geographic locations of the underlying collateral. These loans include commercial mortgage and construction loans in both Consumer Bank and Commercial Bank. 65 Table of contents Figure 10.

As shown in Figure 11, our commercial real estate loan portfolio includes various property types and geographic locations of the underlying collateral. These loans include commercial mortgage and construction loans in both Consumer Bank and Commercial Bank. 64 Table of contents Figure 11.

Year ended December 31, Dollars in millions 2024 2023 2022 Adjusted noninterest expense Noninterest expense (GAAP) $ 4,545 $ 4,734 $ 4,410 Adjustments: Efficiency related expenses — (131) — Pension settlement (other expense) — (18) — FDIC special assessment (other expense) (25) (190) — Adjusted noninterest expense (non-GAAP) $ 4,520 $ 4,395 $ 4,410 Adjusted noninterest income Noninterest income (GAAP) $ 809 $ 2,470 $ 2,718 Adjustments: Loss on sale of securities for securities repositioning 1,833 — — Scotiabank investment agreement valuation (other income) 3 — — Adjusted noninterest income (non-GAAP) $ 2,645 $ 2,470 $ 2,718 Critical Accounting Policies and Estimates Our business is dynamic and complex.

Year ended December 31, Dollars in millions 2025 2024 2023 Adjusted noninterest expense Noninterest expense (GAAP) $ 4,703 $ 4,545 $ 4,734 Adjustments: Efficiency related expenses — — (131) Pension settlement (other expense) — — (18) FDIC special assessment (other expense) 26 (25) (190) Adjusted noninterest expense (non-GAAP) $ 4,729 $ 4,520 $ 4,395 Adjusted noninterest income Noninterest income (GAAP) $ 2,842 $ 809 $ 2,470 Adjustments: Loss on sale of securities for securities repositioning — 1,833 — Scotiabank investment agreement valuation (other income) — 3 — Adjusted noninterest income (non-GAAP) $ 2,842 $ 2,645 $ 2,470 Critical Accounting Policies and Estimates Our business is dynamic and complex.

Stressed VaR for Significant Portfolios of Covered Positions 2024 2023 Three months ended December 31, Three months ended December 31, Dollars in millions High Low Mean December 31, High Low Mean December 31, Trading account assets: Fixed income $ 5.2 $ 1.3 $ 3.3 $ 4.8 $ 4.7 $ 1.9 $ 3.1 $ 3.6 Derivatives: Interest rate $ .4 $ .2 $ .3 $ .3 $ .4 $ .2 $ .3 $ .3 80 Table of contents Market risk is a component of our internal capital adequacy assessment.

Stressed VaR for Significant Portfolios of Covered Positions 2025 2024 Three months ended December 31, Three months ended December 31, Dollars in millions High Low Mean December 31, High Low Mean December 31, Trading account assets: Fixed income $ 2.3 $ .9 $ 1.6 $ 2.3 $ 5.2 $ 1.3 $ 3.3 $ 4.8 Derivatives: Interest rate $ .3 $ .1 $ .2 $ .2 $ .4 $ .2 $ .3 $ .3 Market risk is a component of our internal capital adequacy assessment.

Breakdown of Deposits at December 31, 2024 The following presents the breakdown of our deposits by product for the noted periods.

Breakdown of Deposits at December 31, 2025 The following presents the breakdown of our deposits by product for the noted periods.

The aggregate stressed VaR for all covered positions was $5.2 million at December 31, 2024, and $4.0 million at December 31, 2023. Figure 24 summarizes our stressed VaR at the 99% confidence level with a one day holding period for significant portfolios of covered positions for the three months ended December 31, 2024, and December 31, 2023.

The aggregate stressed VaR for all covered positions was $2.6 million at December 31, 2025, and $5.2 million at December 31, 2024. Figure 24 summarizes our stressed VaR at the 99% confidence level with a one day holding period for significant portfolios of covered positions for the three months ended December 31, 2025, and December 31, 2024.

At December 31, 2024, we did not have any re-securitization positions. We maintain modest trading inventories to facilitate customer flow, make markets in securities, and hedge certain risks including but not limited to credit risk and interest rate risk. The risks associated with these activities are mitigated in accordance with the Market Risk hedging policy.

At December 31, 2025, we did not have any re-securitization positions. We maintain modest trading inventories to facilitate customer flow, make markets in securities, and hedge certain risks including but not limited to credit spread risk and interest rate risk. The risks associated with these activities are mitigated in accordance with the Market Risk policies.

Construction loans provide a stream of funding for properties not fully leased at origination to support debt service payments over the term of the contract or project. As of December 31, 2024, 82% of our construction portfolio are multi-family project loans. Our office exposure only represents 5% of commercial real estate loans at period end.

Construction loans provide a stream of funding for properties not fully leased at origination to support debt service payments over the term of the contract or project. As of December 31, 2025, 76% of our construction portfolio are multi-family project loans. Our office exposure only represents 4% of commercial real estate loans at period end.

Figure 5 gives a breakdown of our major categories of noninterest expense as a percentage of total noninterest expense for the twelve months ended December 31, 2024. 58 Table of contents The following discussion explains the composition of certain elements of our noninterest expense and the factors that caused those elements to change. Figure 5.

Figure 5 gives a breakdown of our major categories of noninterest expense as a percentage of total noninterest expense for the twelve months ended December 31, 2025. The following discussion explains the composition of certain elements of our noninterest expense and the factors that caused those elements to change. Figure 5.

Tolerance levels for risk management require the development of remediation plans to maintain residual risk within tolerance if simulation modeling demonstrates that a gradual, parallel 200 basis point increase or 200 basis point decrease in interest rates over the next 12 months would adversely affect net interest income over the same period by more than 5.5%.

(e) Yield presented is calculated on the basis of amortized cost excluding fair value hedge basis adjustments. The average amortized cost for securities available for sale was $42.2 billion and $44.0 billion for the twelve months ended December 31, 2024, and December 31, 2023, respectively.

(e) Yield presented is calculated on the basis of amortized cost excluding fair value hedge basis adjustments. The average amortized cost for securities available for sale was $42.9 billion and $42.2 billion for the twelve months ended December 31, 2025, and December 31, 2024, respectively.

Other noninterest income decreased $1.8 billion in 2024 compared to 2023, primarily attributable to approximately $1.8 billion in losses on the sales of securities available for sale as part of portfolio repositioning activity during the third and fourth quarters of 2024.

Other noninterest income increased $1.9 billion in 2025 compared to 2024, primarily attributable to approximately $1.8 billion in losses on the sales of securities available for sale as part of portfolio repositioning activity during the third and fourth quarters of 2024.

Similarly, market speculation, or rumors about us or the banking industry in general, may adversely affect the cost and availability of normal funding sources. Our credit ratings at December 31, 2024, are shown in Figure 27.

Interest excludes the interest associated with the liabilities referred to in (g) below, calculated using a matched funds transfer pricing methodology. (b) Interest income on tax-exempt securities and loans has been adjusted to a taxabale-equivalent basis using the statutory federal income tax rate in effect that calendar year.

Interest excludes the interest associated with the liabilities referred to in (f) below, calculated using a matched funds transfer pricing methodology. (b) Interest income on tax-exempt securities and loans has been adjusted to a taxable-equivalent basis using the statutory federal income tax rate of 21% in effect that calendar year.

This focus ensures our relationship clients foster and build portfolios with stable, recurring cash flows, with adequate, balanced cash reserves to support our balance sheet exposures through the economic cycle. At December 31, 2024, commercial real estate loans totaled $16.2 billion, which includes $13.3 billion of mortgage loans and $2.9 billion of construction loans.

This focus ensures our relationship clients foster and build portfolios with stable, recurring cash flows, with adequate, balanced cash reserves to support our balance sheet exposures through the economic cycle. At December 31, 2025, commercial real estate loans totaled $16.6 billion, which includes $13.7 billion of mortgage loans and $2.8 billion of construction loans.

The quantitative test estimates the fair value of the reporting units using the income approach (weighted 50%) and two market based approaches: the publicly traded company approach (weighted 25%) and the recent transactions approach (weighted 25%).

Key’s quantitative test estimates the fair value of the reporting units using the income approach (weighted 50%) and two market based approaches: the publicly traded company approach (weighted 25%) and the recent transactions 94 Table of contents approach (weighted 25%).

We use the loan-to-deposit ratio as a metric to monitor these strategies. Our target loan-to-deposit ratio is around 80% (at December 31, 2024, our loan-to-deposit ratio was 70.3%), which we calculate as the sum of total loans, loans held for sale, and nonsecuritized discontinued loans divided by deposits.

We use the loan-to-deposit ratio as a metric to monitor these strategies. Our target loan-to-deposit ratio is around 80% (at December 31, 2025, our loan-to-deposit ratio was 72.5%), which we calculate as the sum of total loans, loans held for sale, and nonsecuritized discontinued loans divided by deposits.

Following this two year period in which supportable forecasts can be generated, for all modeled loan portfolios, we revert expected credit losses to a level that is consistent with our historical information by reverting the macroeconomic variables (model inputs) to their long run average. We revert to historical loss rates for less complex estimation methods for smaller portfolios.

A significant portion of our trust and investment services income depends on the value and mix of assets under management. At December 31, 2024, our bank, trust, and registered investment advisory subsidiaries had assets under management or administration of $61.4 billion, compared to $54.9 billion at December 31, 2023.

A significant portion of our trust and investment services income depends on the value and mix of assets under management. At December 31, 2025, our bank, trust, and registered investment advisory subsidiaries had assets under management or administration of $70.0 billion, compared to $61.4 billion at December 31, 2024.

Commercial and industrial loans are the largest component of our loan portfolio, representing 51% of our total loan portfolio at December 31, 2024, and 50% at December 31, 2023. This portfolio is approximately 89% variable rate and consists of loans primarily to large corporate, middle market, and small business clients.

Commercial and industrial loans are the largest component of our loan portfolio, representing 54% of our total loan portfolio at December 31, 2025, and 51% at December 31, 2024. This portfolio is approximately 92% variable rate and consists of loans primarily to large corporate, middle market, and small business clients.

This is followed by our home equity portfolio comprising approximately 20% of consumer loans outstanding at year end. 66 Table of contents We held the first lien position for approximately 65% of the home equity portfolio at December 31, 2024, and 64% at December 31, 2023. For loans with real estate collateral, we track borrower performance monthly.

This is followed by our home equity portfolio comprising approximately 19% of consumer loans outstanding at year end. 65 Table of contents We held the first lien position for approximately 63% of the home equity portfolio at December 31, 2025, and 65% at December 31, 2024. For loans with real estate collateral, we track borrower performance monthly.

For more information about how interest rate swaps are used to manage our risk profile, see Note 8 (“Derivatives and Hedging Activities”). Figure 26.

For more information about how interest rate swaps are used to manage the risk profile, see Note 7 (“Derivatives and Hedging Activities”). Figure 26.

Figure 22 represents the details of our regulatory capital positions at December 31, 2024, and December 31, 2023, under the Regulatory Capital Rules. Information regarding the regulatory capital ratios of KeyCorp’s banking subsidiaries is presented in Note 24 (“Shareholders' Equity”). 74 Table of contents Figure 22.

Figure 22 represents the details of our regulatory capital positions at December 31, 2025, and December 31, 2024, under the Regulatory Capital Rules. Information regarding the regulatory capital ratios of KeyCorp’s banking subsidiaries is presented in Note 21 (“Shareholders' Equity”). 72 Table of contents Figure 22.

Remediation plans are similarly developed if this analysis indicates that our EVE will decrease by more than 15% in response to an immediate increase or decrease in interest rates. The position is within these guidelines as of December 31, 2024. Management of interest rate exposure.

Remediation plans are similarly developed if the analysis indicates that the EVE will decrease by 15% or more in response to an instantaneous increase or decrease in interest rates. The position is within these guidelines as of December 31, 2025. Management of interest rate exposure.

Statistically, this means that we would expect to incur losses greater than VaR, on average, five out of 100 trading days, or three to four times each quarter. We also calculate VaR and stressed VaR at a 99% confidence level. The VaR model is an effective tool in estimating ranges of possible gains and losses on our positions.

Statistically, this means that we would expect to incur losses greater than VaR, on average, five out of 100 trading days, or three to four times each quarter. The VaR model is an effective tool in estimating ranges of possible gains and losses on our positions.

The ALLL includes $13 million and $16 million of allowance classified as “discontinued assets” on the balance sheet at December 31, 2024, and December 31, 2023, respectively.

The ALLL includes $11 million and $13 million of allowance classified as “discontinued assets” on the balance sheet at December 31, 2025, and December 31, 2024, respectively.

As shown in Figure 33, nonperforming assets increased $181 million during 2024. See Note 1 (“Summary of Significant Accounting Policies”) under the headings “Nonperforming Loans,” “Impaired Loans,” and “Allowance for Loan and Lease Losses” for a summary of our nonaccrual and charge-off policies. 89 Table of contents Figure 33.

As shown in Figure 33, nonperforming assets decreased $145 million during 2025. See Note 1 (“Summary of Significant Accounting Policies”) under the headings “Nonperforming Loans,” “Impaired Loans,” and “Allowance for Loan and Lease Losses” for a summary of our nonaccrual and charge-off policies. 88 Table of contents Figure 33.

MTRM calculates VaR and stressed VaR at 79 Table of contents various confidence levels and the results are closely monitored. VaR and stressed VaR results are also provided to our regulators and utilized in regulatory capital calculations.

MTRM calculates VaR and stressed VaR at various confidence levels daily, and the results are closely monitored. VaR and stressed VaR results are also provided to our regulators and utilized in regulatory capital calculations.

The maximum difference in the quarterly macroeconomic variables between the base and downside scenarios over the two year reasonable and supportable period includes an approximate 5 percentage point decline in GDP annualized growth and an approximate 4 percentage point increase in the U.S. unemployment rate.

The maximum difference in the quarterly macroeconomic variables as of December 31, 2025, between the base and downside scenarios over the two year reasonable and supportable period includes an approximate 6 percentage point decline in GDP annualized growth and an approximate 4 percentage point increase in the U.S. unemployment rate.

Simulated Change in Net Interest Income December 31, 2024 December 31, 2023 Basis point change assumption -200 200 -200 200 Tolerance level (5.50) % (5.50) % (5.50) % (5.50) % Interest rate risk assessment 0.15 % (0.39) % (0.01) % (2.08) % Simulation analyses produce an estimate of interest rate exposure based on assumption inputs within the model.

Simulated Change in Net Interest Income December 31, 2025 December 31, 2024 Basis point change assumption -200 +200 -200 +200 Tolerance level (5.00) % (5.00) % (5.50) % (5.50) % Interest rate risk assessment (0.35) % 0.41 % 0.15 % (0.39) % Simulation analyses produce an estimate of interest rate exposure based on assumption inputs within the model.

Adjusted noninterest expense and adjusted noninterest income are non-GAAP measures in that they are adjusted to exclude the impact of certain items.

Adjusted noninterest expense and adjusted noninterest income are non-GAAP measures in that they are adjusted to exclude the impact of significant or unusual items.

For example, $100 of tax-exempt income would be presented as $126, an amount that, if taxed at the statutory federal income tax rate of 21%, would yield $100. 53 Table of contents Net interest income (TE) for 2024 was $3.8 billion, and the net interest margin was 2.16%.

For example, $100 of tax-exempt income would be presented as $126, an amount that, if taxed at the statutory federal income tax rate of 21%, would yield $100. 53 Table of contents Net interest income (TE) for 2025 was $4.7 billion, and the net interest margin was 2.69%.

… 269 more changes not shown on this page.

Top changes in KeyCorp's 2025 10-K

Item 1. Business

Item 1A. Risk Factors

Item 1C. Cybersecurity

Item 2. Properties

Item 5. Market for Registrant's Common Equity

Item 7. Management's Discussion & Analysis

Other KEY 10-K year-over-year comparisons