Cybersecurity and customer privacy Our customers trust us with their valuable financial and personal information. • Data protection: Our Data Protection and Privacy Principles guide how we collect, use, store, share, transmit, delete, or otherwise process customers’ personal data. With cybersecurity threats on the rise, we continue to enhance our information security program. Our information security program is designed to identify risks and protect the confidentiality, integrity, and availability of our data, as well as our information systems. We also maintain an enterprise-wide incident response program. • Privacy: Our Privacy Statement describes how we collect, use, and share data when customers use our online or mobile products and services, and the choices they can make related to marketing, sharing, and targeted advertising. We inform our customers about the personal information we collect, and the choices they have related to the sharing of personal information, through product-specific privacy notices. Our website’s Privacy Center also provides US customers with transparent, simple-to-use resources. Merchants who used our Enhanced Authorization process to identify parties on the other end of a financial transaction typically saw fewer false positives and fraud reduction of up to 60%. We enhance our monitoring tools, controls, and policies for fraud detection and prevention with our “closed loop” relationships with Card Members and merchants. We have access to information at both ends of the card transaction and build algorithms and other analytical tools designed to identify and reduce fraud. Our integrated payments platform allows us to analyze information on Card Member spending while respecting Card Member preferences and protecting Card Member and merchant data in compliance with applicable policies and legal requirements. Continued advancement in fraud prevention American Express maintains industry-leading fraud rates among major card networks through practices that engage customers and merchants, respond to escalating threats, leverage new technologies, and more. We ran a Card Member Fraud Education campaign in 2020 and 2021 that used social media to teach customers how to stay vigilant against attempts to steal online login credentials, card details, and other personally identifiable information. For businesses, our wholly-owned subsidiary Accertify launched Refund Abuse Protection in 2021, which is designed to help merchants mitigate fraudulent refund requests. This complements and augments the capabilities of Digital Identity, which Accertify introduced in 2020 to help businesses address fraudulent online account openings and takeovers. Across payment channels, we continue to invest in more secure connections and authentication mechanisms. For our US customers, we deploy behavioral analytics that can help identify and stop fraud during the application process. Protecting our customers American Express has maintained the lowest US fraud rates among major card networks for the past 15 years, according to the February 2022 Nilson Report. 15 YEARS INTRODUCTION PROMOTING DE&I ADVANCING CLIMATE SOLUTIONS BUILDING FINANCIAL CONFIDENCE OUR ESG GOVERNANCE & OPERATING RESPONSIBLY SUPPORTING DATA OUR COMMITMENT TO ESG 67