SASB Topic Accounting Metric Code Response Data Privacy and Freedom of Expression Description of policies and practices relating to behavioral advertising and user privacy TC-SI-220a.1 2021–2022 ESG Report: • Protecting Our Customers on page 67 • Data Protection and Privacy on page 84 • Supporting Data: Key Policies on page 101 The Privacy Center and Security Center on our website Data Security (1) Number of data breaches, (2) percentage involving personally identifiable information (PII), (3) number of account holders affected FN-CF-230a.1 FN-CB-230a.1 TC-SI-230a.1 American Express’ information and cybersecurity program is designed to identify risks and protect the confidentiality, integrity, and availability of our data, and our information systems. It is built upon a foundation of advanced security technology, a well-staffed and highly-trained team of experts, and robust operations based on the National Institute of Standards and Technology Cybersecurity Framework. This consists of controls designed to identify, protect, detect, respond, and recover from information and cybersecurity incidents. American Express does not report a metric on the bases specified in the standard, but information on cybersecurity regulation, risks, and risk management can be found in Form 10-K on pages 18, 24–25, 27, 33, 71 and 2021–2022 ESG Report: Data Protection and Privacy on page 84. Card-related fraud losses from (1) card-not-present fraud and (2) card-present and other fraud FN-CF-230a.2 C Card Member and merchant-related fraud losses are included within Other Expenses, the details for which are provided in Form 10-K on page 141: Note 18: Other Fees and Commissions and Other Expenses. Description of approach to identifying and addressing data security risks FN-CF-230a.3 FN-CB-230a.2 TC-SI-230a.2 ESG Report: Data Protection and Privacy on page 84, American Express Privacy Disclosures on our website, 2022 Proxy on page 22 Environmental Footprint of Hardware Infrastructure (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable TC-SI-330a.4 2021–2022 ESG Report: Supporting Data: Environmental Performance Data Summary on page 96 1) Total energy consumed: 269,898 MWh 2) Total Percentage Grid Electricity: 75% 3) Percentage renewable electricity: 100%, Percentage of renewable energy: 75% Discussion of the integration of environmental considerations into strategic planning for data center needs TC-SI-330a.5 2021-2022 ESG Report: • Minimizing Our Climate Impact on page 41 • Renewable Energy and Increasing Energy Efficiency at Our Data Centers on page 45 INTRODUCTION PROMOTING DE&I ADVANCING CLIMATE SOLUTIONS BUILDING FINANCIAL CONFIDENCE OUR ESG GOVERNANCE & OPERATING RESPONSIBLY SUPPORTING DATA OUR COMMITMENT TO ESG 111