Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We define information security and cybersecurity risk as the risk that the confidentiality, integrity or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Information security and cybersecurity risk is an operational risk under our enterprise risk taxonomy, which is measured and managed as part of our operational risk management framework. Operational risk is incorporated into our risk governance framework, which we use to identify, assess, control, measure & monitor and report & escalate risks. For more information on our risk governance framework, see “Risk Management” under “MD&A.”
Our Technology Risk and Information Security (TRIS) program, which is our enterprise information security and cybersecurity program incorporated in our risk governance framework and led by our Chief Information Security Officer (CISO), is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our colleagues or our customers. The TRIS program is built upon a foundation of advanced security technology, employs a highly trained team of experts and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, which are designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response and recovery capabilities. The TRIS program includes our Enterprise Incident Response Program, which manages information security incidents involving compromises of sensitive information, and our Cyber Crisis Response Plan, which provides a documented framework for handling critical security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills at both a technical and management level, and our colleagues receive annual cybersecurity awareness training.
The TRIS program aligns with the standards developed by the Cyber Risk Institute Profile for the financial sector and global regulatory requirements and incorporates reviews and assessments by our independent Technical Risk Management Team (part of our second line of defense), our Internal Audit Group (our third line of defense) and external experts. In addition, we engage third parties to provide specialized services and capabilities, including vulnerability insights, operation of certain security controls and threat intelligence. We also collaborate with our peers in areas of threat intelligence, vulnerability management, incident response and drills, and are active participants in industry and government forums.
Cybersecurity risks related to third parties are managed as part of our Third Party Management Policy, which sets forth the procurement, risk management and contracting framework for managing third-party relationships commensurate with their risk and complexity. Our Third Party Lifecycle Management (TLM) program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring and termination. Our TLM program includes the identification of third parties with risks related to information security. Third parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional security requirements depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We define information security and cybersecurity risk as the risk that the confidentiality, integrity or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Information security and cybersecurity risk is an operational risk under our enterprise risk taxonomy, which is measured and managed as part of our operational risk management framework. Operational risk is incorporated into our risk governance framework, which we use to identify, assess, control, measure & monitor and report & escalate risks. For more information on our risk governance framework, see “Risk Management” under “MD&A.”
Our Technology Risk and Information Security (TRIS) program, which is our enterprise information security and cybersecurity program incorporated in our risk governance framework and led by our Chief Information Security Officer (CISO), is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our colleagues or our customers. The TRIS program is built upon a foundation of advanced security technology, employs a highly trained team of experts and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, which are designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response and recovery capabilities. The TRIS program includes our Enterprise Incident Response Program, which manages information security incidents involving compromises of sensitive information, and our Cyber Crisis Response Plan, which provides a documented framework for handling critical security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills at both a technical and management level, and our colleagues receive annual cybersecurity awareness training.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Under our cybersecurity governance framework, our Board and Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with our Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Under our cybersecurity governance framework, our Board and Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with our Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board receives an update on cybersecurity at least once a year from our CISO or their designee. Our Risk Committee receives reports on cybersecurity at least twice a year, including in at least one joint meeting with our Audit and Compliance Committee, and our Board and these committees all receive ad hoc updates as needed. In addition, our Risk Committee annually approves our TRIS program. Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the TDRRC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters.
Cybersecurity Risk Role of Management [Text Block]
We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Technology, Data, Resiliency Risk Committee (TDRRC), co-chaired by our Chief Information Officer and the Head of Technical Risk Management, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, assess, control, measure & monitor and report & escalate information security risks associated with our information and information systems and potential impacts to the American Express brand. The TDRRC escalates risks to our Enterprise Risk Management Committee (ERMC), co-chaired by our Chief Executive Officer and our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report on our TRIS program also provided to our Risk Committee, the TDRRC and ERMC.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Technology, Data, Resiliency Risk Committee (TDRRC), co-chaired by our Chief Information Officer and the Head of Technical Risk Management, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, assess, control, measure & monitor and report & escalate information security risks associated with our information and information systems and potential impacts to the American Express brand. The TDRRC escalates risks to our Enterprise Risk Management Committee (ERMC), co-chaired by our Chief Executive Officer and our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report on our TRIS program also provided to our Risk Committee, the TDRRC and ERMC.
Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the TDRRC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our current CISO has held a series of roles in telecommunications, networking and information security at American Express, including promotion to the CISO role in 2013, and is also responsible for technology risk management. Prior to joining American Express, our current CISO served in a variety of technology leadership roles at a public pharmaceutical and biotechnology company for 14 years. Our CISO reports to the Chief Information Officer, information about whom is included in “Information About Our Executive Officers” under “Business.”
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Technology, Data, Resiliency Risk Committee (TDRRC), co-chaired by our Chief Information Officer and the Head of Technical Risk Management, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, assess, control, measure & monitor and report & escalate information security risks associated with our information and information systems and potential impacts to the American Express brand. The TDRRC escalates risks to our Enterprise Risk Management Committee (ERMC), co-chaired by our Chief Executive Officer and our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report on our TRIS program also provided to our Risk Committee, the TDRRC and ERMC.
Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the TDRRC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true