Cybersecurity Risk Management and Strategy Disclosure	12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]	We define information security and cybersecurity risk as the risk that the confidentiality, integrity or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Information security and cybersecurity risk is an operational risk that is measured and managed as part of our operational risk framework. Operational risk is incorporated into our comprehensive Enterprise Risk Management (ERM) program, which we use to identify, aggregate, monitor, report and manage risks. For more information on our ERM program, see “Risk Management” under “MD&A.” Our Technology Risk and Information Security (TRIS) program, which is our enterprise information security and cybersecurity program incorporated in our ERM program and led by our Chief Information Security Officer (CISO), is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our colleagues or our customers. The TRIS program is built upon a foundation of advanced security technology, employs a highly trained team of experts and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response and recovery capabilities. The TRIS program includes our Enterprise Incident Response Program, which manages information security incidents involving compromises of sensitive information, and our Cyber Crisis Response Plan, which provides a documented framework for handling high-severity security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills at both a technical and management level, and our colleagues receive annual cybersecurity awareness training. In addition, we incorporate reviews by our Internal Audit Group and external expertise in our TRIS program, including an independent third-party assessment of our cybersecurity measures and controls and a third-party cyber maturity assessment of our TRIS program against the Cyber Risk Institute Profile standards for the financial sector. We also invest in threat intelligence, collaborate with our peers in areas of threat intelligence, vulnerability management, incident response and drills, and are active participants in industry and government forums. Cybersecurity risks related to third parties are managed as part of our Third Party Management Policy, which sets forth the procurement, risk management and contracting framework for managing third-party relationships commensurate with their risk and complexity. Our Third Party Lifecycle Management (TLM) program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring and termination. Our TLM program includes the identification of third parties with risks related to information security. Third parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional security requirements depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls.
Cybersecurity Risk Management Processes Integrated [Flag]	true
Cybersecurity Risk Management Processes Integrated [Text Block]	We define information security and cybersecurity risk as the risk that the confidentiality, integrity or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Information security and cybersecurity risk is an operational risk that is measured and managed as part of our operational risk framework. Operational risk is incorporated into our comprehensive Enterprise Risk Management (ERM) program, which we use to identify, aggregate, monitor, report and manage risks. For more information on our ERM program, see “Risk Management” under “MD&A.” Our Technology Risk and Information Security (TRIS) program, which is our enterprise information security and cybersecurity program incorporated in our ERM program and led by our Chief Information Security Officer (CISO), is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our colleagues or our customers. The TRIS program is built upon a foundation of advanced security technology, employs a highly trained team of experts and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response and recovery capabilities. The TRIS program includes our Enterprise Incident Response Program, which manages information security incidents involving compromises of sensitive information, and our Cyber Crisis Response Plan, which provides a documented framework for handling high-severity security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills at both a technical and management level, and our colleagues receive annual cybersecurity awareness training.
Cybersecurity Risk Management Third Party Engaged [Flag]	true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]	true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]	false
Cybersecurity Risk Board of Directors Oversight [Text Block]	Under our cybersecurity governance framework, our Board and Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with our Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]	Under our cybersecurity governance framework, our Board and Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with our Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]	Our Board receives an update on cybersecurity at least once a year from our CISO or their designee. Our Risk Committee receives reports on cybersecurity at least twice a year, including in at least one joint meeting with our Audit and Compliance Committee, and our Board and these committees all receive ad hoc updates as needed. In addition, our Risk Committee annually approves our TRIS program.Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the ORMC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters.
Cybersecurity Risk Role of Management [Text Block]	We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Operational Risk Management Committee (ORMC), chaired by our Chief Operational Risk Officer, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, measure, manage, monitor and report information security risks associated with our information and information systems and potential impacts to the American Express brand. The ORMC escalates risks to our Enterprise Risk Management Committee (ERMC), chaired by our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report also provided to our Risk Committee, the ORMC and ERMC.
Cybersecurity Risk Management Positions or Committees Responsible [Flag]	true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]	We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Operational Risk Management Committee (ORMC), chaired by our Chief Operational Risk Officer, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, measure, manage, monitor and report information security risks associated with our information and information systems and potential impacts to the American Express brand. The ORMC escalates risks to our Enterprise Risk Management Committee (ERMC), chaired by our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report also provided to our Risk Committee, the ORMC and ERMC. Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the ORMC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]	Our current CISO has held a series of roles in telecommunications, networking and information security at American Express, including promotion to the CISO role in 2013, and is also responsible for technology risk management. Prior to joining American Express, our current CISO served in a variety of technology leadership roles at a public pharmaceutical and biotechnology company for 14 years. Our CISO reports to the Chief Information Officer, information about whom is included in “Information About Our Executive Officers” under “Business.”
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]	We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Operational Risk Management Committee (ORMC), chaired by our Chief Operational Risk Officer, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, measure, manage, monitor and report information security risks associated with our information and information systems and potential impacts to the American Express brand. The ORMC escalates risks to our Enterprise Risk Management Committee (ERMC), chaired by our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report also provided to our Risk Committee, the ORMC and ERMC. Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the ORMC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]	true

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2024

Cybersecurity Risk Management, Strategy, and Governance [Line Items]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

We define information security and cybersecurity risk as the risk that the confidentiality, integrity or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Information security and cybersecurity risk is an operational risk that is measured and managed as part of our operational risk framework. Operational risk is incorporated into our comprehensive Enterprise Risk Management (ERM) program, which we use to identify, aggregate, monitor, report and manage risks. For more information on our ERM program, see “Risk Management” under “MD&A.”

Our Technology Risk and Information Security (TRIS) program, which is our enterprise information security and cybersecurity program incorporated in our ERM program and led by our Chief Information Security Officer (CISO), is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our colleagues or our customers. The TRIS program is built upon a foundation of advanced security technology, employs a highly trained team of experts and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response and recovery capabilities. The TRIS program includes our Enterprise Incident Response Program, which manages information security incidents involving compromises of sensitive information, and our Cyber Crisis Response Plan, which provides a documented framework for handling high-severity security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills at both a technical and management level, and our colleagues receive annual cybersecurity awareness training.

In addition, we incorporate reviews by our Internal Audit Group and external expertise in our TRIS program, including an independent third-party assessment of our cybersecurity measures and controls and a third-party cyber maturity assessment of our TRIS program against the Cyber Risk Institute Profile standards for the financial sector. We also invest in threat intelligence, collaborate with our peers in areas of threat intelligence, vulnerability management, incident response and drills, and are active participants in industry and government forums.

Cybersecurity risks related to third parties are managed as part of our Third Party Management Policy, which sets forth the procurement, risk management and contracting framework for managing third-party relationships commensurate with their risk and complexity. Our Third Party Lifecycle Management (TLM) program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring and termination. Our TLM program includes the identification of third parties with risks related to information security. Third parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional security requirements depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Board of Directors Oversight [Text Block]

Under our cybersecurity governance framework, our Board and Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with our Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Our Board receives an update on cybersecurity at least once a year from our CISO or their designee. Our Risk Committee receives reports on cybersecurity at least twice a year, including in at least one joint meeting with our Audit and Compliance Committee, and our Board and these committees all receive ad hoc updates as needed. In addition, our Risk Committee annually approves our TRIS program.Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the ORMC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters.

Cybersecurity Risk Role of Management [Text Block]

We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Operational Risk Management Committee (ORMC), chaired by our Chief Operational Risk Officer, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, measure, manage, monitor and report information security risks associated with our information and information systems and potential impacts to the American Express brand. The ORMC escalates risks to our Enterprise Risk Management Committee (ERMC), chaired by our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report also provided to our Risk Committee, the ORMC and ERMC.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the ORMC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our current CISO has held a series of roles in telecommunications, networking and information security at American Express, including promotion to the CISO role in 2013, and is also responsible for technology risk management. Prior to joining American Express, our current CISO served in a variety of technology leadership roles at a public pharmaceutical and biotechnology company for 14 years. Our CISO reports to the Chief Information Officer, information about whom is included in “Information About Our Executive Officers” under “Business.”

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true