Our Business Practices
We adhere to the highest standards of corporate governance and ethical conduct. We believe that accountability, transparency and good decision-making support our business, serve our customers and create value for our shareholders.
Discover Financial Services and Discover Bank
Risk Oversight Committee Charter
Amended and Restated as of July 31, 2024
Purpose
The Risk Oversight Committee (the "Committee") of Discover Financial Services (the "Parent") and Discover Bank (the "Bank," and together with the Parent, the "Company") is a committee of both boards of directors (collectively, the "Board") appointed to (a) periodically review and approve the Company's risk-management policies; (b) oversee the operation of an enterprise-wide risk-management framework; (c) oversee the Company's capital planning and liquidity risk-management activities; and (d) assist the Board in its oversight of the Company's compliance with certain legal and regulatory requirements. The Company's enterprise risks (including emerging risks) can be categorized into the following types: credit risk, market risk (including interest rate risk), liquidity risk, operational risk (including technology, information security, data security, business continuity, and third-party risks), compliance risk, legal risk, and strategic risk. The Committee shall have the authority to exercise and perform the duties and responsibilities provided in this Charter and may exercise and perform such other duties and responsibilities as are consistent with this Charter.
The Committee's primary responsibility is one of oversight. The Company's management is responsible for assessing and managing the Company's risks and for designing, implementing and maintaining an effective and appropriate enterprise-wide risk-management program, which is overseen by the Committee in accordance with its duties and responsibilities as set forth in this Charter.
Membership
- The Committee shall be comprised of at least three (3) Board members nominated by the Nominating, Governance and Public Responsibility Committee and appointed by the Board, including at least one (1) member having experience in identifying, assessing, and managing risk exposures of large, complex financial firms. Committee members shall serve at the pleasure of the Board and for such term as the Board determines. The Board shall designate one Committee member, which Committee member shall satisfy applicable independence standards, including any standards of the Federal Reserve, as the Committee's chair (the "Chair").
- Each member of the Committee shall be an independent director under applicable Securities and Exchange Commission regulations, New York Stock Exchange listing standards and the independence requirements of the Company. The membership of the Committee shall also satisfy any regulatory or legal requirements regarding experience, expertise or other qualifications that are or may become applicable to the Committee. Determinations of qualifications, including independence, shall be made by the Nominating, Governance and Public Responsibility Committee, using its business judgment.
Operations
- The Committee shall meet at least quarterly, or more frequently as the Committee Chair deems appropriate. Meetings may include any participants the Committee deems appropriate and shall be of sufficient duration and scheduled at such times as the Committee considers prudent to discharge properly its responsibilities.
- In the absence of the Chair at any meeting of the Committee, the members of the Committee may designate one of its members to serve as the Chair of the meeting.
- The Committee shall meet periodically in separate executive sessions with the Company's Chief Risk Officer and other members of management as it deems appropriate to carry out its responsibilities. The Committee may also meet in executive session without management present.
- The Committee shall report to the Board on a regular basis on the matters reviewed and actions taken at each Committee meeting. The Committee shall document and maintain records of its proceedings, including risk-management decisions, and make available to the Board minutes of all meetings. The Committee shall review with the full Board any issues arising with respect to the performance of the corporate risk-management function.
- The Committee may form and delegate to one or more subcommittees all or any portion of the Committee's authority, duties, and responsibilities, and may establish such rules as the Committee deems appropriate to discharge its responsibilities. The Committee shall report on any such delegation to the full Board.
- The Committee shall have direct access to, and have complete and open communication with, the Company's management, including the Chief Risk Officer and the Chief Compliance Officer, and may obtain advice and assistance from internal legal or other advisors. The Committee also may retain independent legal, risk or other advisors as it deems appropriate to assist it in fulfilling its responsibilities, without seeking the approval of management or the Board.
- The Company shall provide for appropriate funding, as determined by the Committee, for the payment of: (i) ordinary administrative expenses of the Committee that are necessary or appropriate in carrying out its duties and responsibilities; and (ii) compensation to independent legal, risk or other advisors retained by the Committee.
- The Committee shall review and evaluate annually its performance and report the results to the Board. The Committee shall review and assess annually the adequacy of this Charter and, if appropriate, recommend changes to the Board for approval.
- The Committee (which may act through the Chair for purposes of this paragraph) shall liaise and meet in joint session with the Audit Committee (or the Audit Committee Chair) as necessary or desirable to help ensure that the committees have received the information necessary to permit them to fulfill their duties and responsibilities with respect to oversight of risk-management matters.
- Except as set forth herein, the Committee is governed by the same rules regarding meetings (including meetings in person or by telephone or other similar communications equipment), action without meetings, notice, waiver of notice, and quorum and voting requirements as are applicable to the Board.
Authority, Duties, and Responsibilities
The Committee shall, with respect to the Company's risk-management framework and risks:
Oversight of Risk-Management Policies and Enterprise-Wide Risk-Management Framework
- Annually review adherence to and the effectiveness of, and approve (or recommend to the Board for approval) changes to, the Company's:
  - enterprise-wide risk-management framework, enterprise risk management policy, global risk-management policies, compliance policy, and third-party risk management policy; and
  - consumer compliance program and compliance vendor management program.
- Review and recommend to the Board, at least annually (or more frequently, as necessary, based on the size and volatility of risks and any material changes to the Company's business model, strategy, risk profile, or market conditions), changes to the Company's risk appetite statement. The review shall include an assessment of the adequacy of the risk appetite that has been established for each area of enterprise risk, and the Company's compliance with the risk appetite and limits.
- Oversee the operation of and review the effectiveness of the Company's policies and procedures establishing risk-management governance (including the management risk committee structure and the charter of the top-level management risk committee), risk-management procedures, risk appetite metrics and key risk indicators, and risk-control infrastructure. Review and approve changes to the management risk committee structure and the charter of the top-level management risk committee.
- Oversee the operation, effectiveness, and adherence to:
  - Processes and systems for identifying and reporting risks and risk-management deficiencies, including emerging risks, and for effectively and timely addressing such risks and risk-management deficiencies;
  - Processes and systems for establishing managerial and employee responsibility for risk management;
  - Processes and systems for ensuring the independence of the risk-management function;
  - Processes and systems for ensuring compliance with regulatory requirements; and
  - Processes and systems for integrating risk management and associated controls with management goals and the compensation structure.
- Receive and review reports, on not less than an annual basis, on the quality and effectiveness of the Company's technology security, information security, data privacy and disaster recovery capabilities.
- Receive and review reports, on not less than a quarterly basis, from the Company's Chief Risk Officer or delegate, on (a) operational and other risk exposures (including but not limited to third party, credit, market, legal, and regulatory risks); (b) risk-management deficiencies and emerging risks; (c) the status of remediation of any such identified deficiencies; and (d) the status of and changes to risk exposures, and the steps management has taken to monitor and control risk exposures and adherence to risk limits.
- Receive and review credit risk reports, on not less than an annual basis, on the independent assessment of asset quality, deficiencies in and adherence to credit-related policies, procedures and practices, and the steps management has taken to monitor and control credit risk exposure.
- Receive and review reports, on not less than an annual basis, on risk-management policies, procedures, and controls, including the Anti-Money Laundering/Bank Secrecy Act ("AML/BSA") program and related sanctions.
- Receive and review reports, on not less than an annual basis, on risks associated with the Company's strategic plans, and the alignment of such plans with the risk appetite and limits.
- Receive and review reports from the Company's Internal Audit function or a qualified third party, as appropriate, on adherence to and the effectiveness of the enterprise-wide risk management framework, consumer compliance program, and compliance vendor management program measured against industry standards and supervisory expectations. Oversee the timely implementation of appropriate modifications to the framework and programs based on the results of such reviews.
- Receive and review reports from the Company's Internal Audit function on the results of other risk-management reviews and assessments and oversee the timely implementation of appropriate modifications based on the results of such reviews.
- Approve the selection and, when and if appropriate, replacement of the Company's Chief Risk Officer, who shall report directly to the Committee and administratively to the Company's Chief Executive Officer. Review the qualifications and performance of, and approve the compensation of, the Chief Risk Officer on an annual basis.
- Provide input on the performance and compensation of the Company's Chief Compliance Officer on an annual basis.
- Annually review and discuss with the Company's Chief Risk Officer whether corporate risk management has the appropriate staffing and other resources, independence, and authority to fulfill its risk-management responsibilities.
- Annually (i) review the resources, experience, authority, independence and staffing levels of the Company's Compliance functions, including those pertaining to AML/BSA and the Office of Foreign Assets Control, and (ii) approve the Compliance department's budget.
- Perform such other duties and functions required of the Committee pursuant to regulations adopted by the Federal Reserve, Federal Deposit Insurance Corporation, Consumer Financial Protection Bureau, and other supervisory bodies from time to time that are applicable to the Company.
- Receive and review examination reports, as well as information regarding examinations and communications from regulators, to the extent that they relate to matters within the purview of the Committee.
Oversight of Capital Planning and Liquidity Risk-Management Activities
- Oversee the capital planning and stress testing process, including by periodically reviewing the risk infrastructure and significant capital resource and loss estimation methodologies, and highly critical inputs and assumptions; evaluating capital goals; and assessing the appropriateness of stress scenarios.
- Review and approve the acceptable level of liquidity risk that the Company may assume in connection with its operating strategies at least annually, taking into account the Company's capital structure, risk profile, complexity, activities and size.
- Receive and review reports from senior management on the Company's liquidity risk profile, liquidity risk management and liquidity risk tolerances at least quarterly (or more often, if changes in market conditions or the liquidity position, risk profile, or financial condition warrant); provided, however, that the Board shall receive and review at least semi-annually information provided by management with respect to liquidity stress testing, in order to determine whether the Company is operating in accordance with its liquidity risk tolerances.
- Review and approve the Company's strategies, policies, and procedures designed to effectively manage the risk that the Company's financial condition or safety and soundness would be adversely affected by its inability or the market's perception of its inability to meet its cash and collateral obligations.
- Receive written reports from the Company's independent review function on material liquidity risk-management issues for corrective action, as applicable and permitted by law.
- Review the Company's annual capital plan, including planned capital actions.
- Receive and review documentation regarding the Company's methodology for making cash flow projections, including any assumptions.
- Review and approve the Company's contingency funding plan at least annually and approve any material revisions of the plan prior to the implementation of such revisions.
Other Authority
- Coordinate with the Audit Committee, the Governance and Controls Committee, and management-level committees, as appropriate, concerning risk-management issues within the other committees' respective areas of responsibility, and coordinate with any other committees of the Board or subcommittees thereof as the Committee deems appropriate to fulfill the Committee's responsibilities.
- Make such recommendations with respect to any of the above and other matters as the Committee deems necessary or appropriate.
- Have such other authority, duties, and responsibilities as may be delegated to the Committee by the Board or as may be prescribed by any applicable law, rule, or regulation, including the rules and regulations of the Federal Reserve, the FDIC, or the Delaware Office of the State Bank Commissioner.
The Committee's authority, duties, and responsibilities are discharged through evaluating reports given to the Committee and presentations made to the Committee by the Company's Chief Risk Officer and other members of management and by other persons or organizations the Committee deems appropriate.
As Amended: July 31, 2024