Risk & Opportunity Oversight

The extent to which governance oversees the effective identification and management of strategic risks and opportunities.

Board Oversight of ESG

Our Board and each of its four standing committees oversee matters related to Regions’ ESG practices, performance, and disclosures. The Board and its committees receive regular updates on ESG progress, including stakeholder feedback, programmatic updates, and ratings assessed by various ESG data providers. The Board, as overseer of risk and steward of long-term enterprise value, plays an important oversight role in assessing our environmental and social risk management practices and understanding the potential impact of ESG issues on the Company’s operations and business.

The Board and its committees also oversee the Company’s ongoing efforts to provide our stakeholders with comparable and decision-useful ESG and sustainability disclosures that align with our strategic focus on Continuous Improvement. For example, Regions was one of the first U.S. regional banks to release disclosure using the SASB standards. Regions’ disclosure incorporates elements of the SASB industry-specific standards for Commercial Banks, Consumer Finance, and Mortgage Finance, each of which the Company has identified as being highly relevant to its operations and business.

Our response to the CDP Climate Change Questionnaire, our SASB Disclosure, and Environmental Sustainability Policy Statement and Goals are published on our website at ir.regions.com/governance.

Although the Company has made considerable progress on our ESG disclosures over the last few years, we recognize that ESG is a journey and that Regions benefits from continuously improving its ESG performance and reporting efforts. To that end, and acknowledging the societal need to confront climate change, Regions provided its first disclosure aligned with the Financial Stability Board’s TCFD Recommendations as a section of the 2020 Annual Review & ESG Report; we issued our first stand-alone TCFD Report in June of 2021. The Board believes that responsible and responsive corporate governance practices enable companies to generate consistent, sustainable, long-term performance and that enhanced disclosures provide our shareholders with a more transparent look at the Company.

  • NCG Committee: Oversees the Company’s practices and reporting with respect to significant ESG matters; assists the Board in establishing and maintaining effective corporate governance policies and practices; and acts as the primary overseer of ESG.
  • CHR Committee: Oversees effectiveness and continuous improvement of the Company’s strategies and policies regarding our human capital management function, including total rewards, corporate culture, talent management, management succession planning, diversity and inclusion (D&I) practices, and associate conduct.
  • Risk Committee: Oversees the Company’s prudent pursuit of risk and reward through significant policies and practices, including those related to environmental and social risk.
  • Audit Committee: Oversees the proper functioning of the Company’s controls and the disclosure of matters significant to the Company, including ESG-related matters.

2020 Board and Committee ESG Presentations / Discussion

Environmental

  • Progress toward meeting goals in Environmental Sustainability Policy Statement
  • Energy efficiency and sustainability programs and initiatives
  • Climate change and related disclosures
  • Environmental and Social Risk Management Program

Social

  • Paycheck Protection Program and Small Business Administration (SBA) loans
  • Regions’ Human Rights Statement
  • Regions’ Supplier Code of Conduct
  • Diversity, equity, and inclusion
  • Associate health and well-being
  • Regions’ Code of Conduct and its effectiveness
  • Associate and executive compensation and benefits
  • Cyber and data security
  • Stakeholder support during COVID-19

Governance

  • COVID-19 business risk and resilience
  • Critical accounting estimates and internal controls
  • Board and management succession planning
  • Board independence and “overboarding”
  • Board tenure and refreshment
  • Shareholder engagement
  • Shareholder rights

ESG Data Governance

Regions recognizes that governing our ESG data collection and reporting processes so as to promote accuracy and transparency is critical to maintaining the trust between Regions and our shareholders and other stakeholders. Through accurate collection of year-over-year data, we are better able to track progress against both formal and informal goals and identify emerging trends.

To further enhance the quality and accuracy of our ESG disclosures, we follow rigorous internal control processes, and apply our “lines of defense” approach for our proxy statement and this report, the two documents that rely most on our ESG data.

This internal control process includes contributions and certifications provided by Regions’ internal subject-matter experts, who are the first line of defense; multiple rounds of drafting and revisions by associates who form a second line of defense to better ensure clarity of disclosures; and additional reviews by our internal Disclosure Review Committee, which is tasked with reviewing certain of Regions’ regulatory and non-regulatory disclosures for accuracy and clarity. Members from our Internal Audit group, a third line of defense, also participate in certain portions of this process.

Capital Planning Process

Effectively managing and deploying capital is essential to meeting our strategic and financial objectives, as well as the expectations of our stakeholders. Regions employs a robust and mature capital planning process (CPP) that is designed to ensure capital levels are commensurate with the risk inherent in the balance sheet and sufficient to allow the Company to extend credit and meet customer needs, including in periods of severe stress. Additionally, the CPP seeks to promote the efficient use of capital while maintaining a long-term approach to capital allocation and distribution consistent with stakeholders’ expectations and the Company’s strategic priorities. The CPP relies upon active participation by cross-functional groups throughout the Company, including Finance, Corporate Treasury, Risk Management, Internal Audit, and the various business groups, and is overseen by a governance committee structure that comprises a similarly broad cross-section of senior management as well as the Board. The governance structure is led by the senior management-level Asset-Liability Committee (ALCO) and involves several key CPP-focused sub-committees of the ALCO and other relevant senior management-level committees. These include the Scenario Design Committee, Operational Risk Committee, and Capital Management Committee. Lastly, Regions’ Board provides approval and oversight of all CPP activities, which flow from the capital plan and Capital Policy approved by the Board each year.

Regions’ annual capital plan is developed in accordance with our internal Capital Policy that, among other things, defines target capital levels and priorities for the deployment of capital generated organically in the form of earnings from our core operations.

Our current capital deployment priorities are:

  1. Organic growth.
  2. Sustainable growth in common stock dividend.
  3. Strategic investments.
  4. Common stock repurchases.

Prudent investment of capital to grow the Company is our number-one priority, as we believe this provides the greatest potential for long-term value creation for stakeholders, including the customers, associates, communities, and shareholders we serve.

The realities of a competitive market, however, naturally place limits on the opportunities available to prudently invest in the growth of the Company. As such, Regions must remain disciplined in the allocation of capital and ensure that returns are appropriate in the context of investment risk and the strategic objectives of the Company.

Our ability to distribute capital to shareholders in the form of dividends and share repurchases is critical to maintaining this discipline. Inefficient management of capital can lead to strategic risk, including underperformance relative to stakeholder expectations. Strategic investment, through bolt-on acquisition, has the potential to provide shareholder value through expanded product offerings and services for our clients, but must be considered in the context of appropriate risk-adjusted returns. Share repurchases provide an alternative use of capital when prudent investment opportunities are unavailable and prevent the Company from facing the losing trade-off between accepting suboptimal returns and outsized risk, versus inefficiently carrying idle capital.

As Regions develops its annual capital plan through the CPP, consistent with our capital deployment priorities, capital is allocated first to supporting expected available growth opportunities, and then to support sustainable growth in the common stock dividend and to appropriate strategic investment. Regions regularly evaluates dividend sustainability through the CPP and generally seeks to manage the common dividend at a level that can reasonably be expected to be maintained through a typical, post-World War II recession. Finally, unallocated capital may be directed to share repurchases, which generally represent the most flexible mechanism for deploying capital and, in this context, serve to ensure capital levels are managed in alignment with capital targets.

The CPP is subject to continuous and in-depth supervision by the Federal Reserve and other relevant regulatory bodies. In accordance with regulatory requirements, Regions’ capital plan is regularly submitted to the Federal Reserve upon our Board’s review and approval. Any capital distributions included in the annual capital plan are promptly disclosed following Board approval.

Regions, similar to other bank holding companies, is required to participate in the Federal Reserve’s Comprehensive Capital Analysis and Review (CCAR) exercise and may be subject to Federal Reserve-required constraints on capital distributions, as has been the case throughout the COVID-19 pandemic. The Federal Reserve restricted distributions during the pandemic, requiring that dividend payments and share repurchases be limited to an amount not in excess of average net income over the four preceding quarters, provided that dividend payments remain limited to the amount paid in the second quarter of 2020. These restrictions were in place through June 30, 2021.

Corporate Political Activity

Regions’ Statement on Political Contributions and Code of Conduct collectively govern and promote the highest standards of behavior by our Company and our associates with regard to political activities. These policies also support our compliance with all applicable federal and state campaign finance laws. Like most public companies, Regions recognizes that decisions made by governmental agencies and lawmakers can have a significant impact on our operations, customers, shareholders, and associates. Accordingly, we monitor and track issues that affect our business and express our views to lawmakers and regulators.

Regions may make corporate political contributions in states where doing so is permissible. These contributions may be directed to state party organizations and candidates for statewide offices, state legislatures, and, in rare instances, local offices. Also, where legally permitted, Regions may make independent expenditures or corporate contributions in connection with state and local ballot initiatives, and referenda on important policy issues likely to impact our business and our stakeholders. However, even when legally permissible, Regions does not make contributions to single-issue political entities organized under Section 527 of the Internal Revenue Code (IRC) or to special interest lobbying groups organized under Section 501(c)(4) of the IRC to support political activities.

Regions’ corporate political contributions are subject to a tiered approval process based on the amount of the anticipated contribution. The full Board receives a report on the Company’s annual corporate contributions and non-deductible portions of trade association dues. Reports are reviewed and certified to be in compliance with the Statement by Regions’ Chief Legal Officer.

The Company believes that transparency regarding our political contributions is important to our stakeholders. Since 2014, we have published Government Affairs Reports on a semi-annual basis that contain the Company’s Statement on Political Contributions and our related activities. In each report, we describe our oversight process for political contributions and a summary of independent expenditures and corporate political giving over the report’s covered period. The report also discloses trade associations to which Regions paid more than $25,000 in annual dues and the portion of those dues that were non-deductible under the IRC as attributable to lobbying expenses. The Company believes that these disclosures offer transparency with respect to the Company’s public policy advocacy, which benefits our shareholders, the Company, our associates, and our customers. Our Governmental Affairs Reports can be found under the “Company Values, Mission and Vision” page on regions.com/about-regions.

Risk Management & Compliance

Regions’ mission and business strategy are based on the concept of shared value—what we do as a business should benefit both our Company and our stakeholders. This commitment to shared value requires effective management of environmental and social risks and opportunities, which aligns with our long-held strategic priority to Enhance Risk Management.

Our risk management approach begins with a strong risk culture that is evidenced by a risk governance process, a clear “tone at the top,” associate ownership, escalation expectations and open communication, and in-depth training.

Our Risk Management Framework outlines our approach for managing risk, which includes four components:

  • Collaborative Risk Culture: A strong, collaborative risk culture provides a focus on risks, including environmental and social risks, in all activities and encourages a mindset and behavior that enable effective risk management and promote sound risk-taking within the bounds of our risk appetite. Our risk culture dictates that risks be promptly identified, escalated and challenged, thereby benefiting our overall performance. This culture is demonstrated by our concept of clearly defined roles and responsibilities, which are critical to the effective management of risk.
  • Sound Risk Appetite: Our Enterprise Risk Appetite Statement, which incorporates environmental and social risks, defines the types and levels of risk we are willing to take to achieve our strategic objectives and business plans. The risk appetite is also consistent with Regions’ mission and values.
  • Sustainable Risk Processes: Effective risk management requires consistent processes and tools to effectively identify, measure, mitigate, monitor, and report environmental and social risks. Associates leverage this cycle to manage risk and thereby help protect the interests of our shareholders.
  • Responsible Risk Governance: Governance serves as the foundation for comprehensive management of the risks that we face. It outlines clear responsibility and accountability for managing, monitoring, escalating, and reporting both existing and emerging risks. It also provides a robust challenge process which better allows us to reach our full potential as risk managers.

Clear Roles and Responsibilities

Clearly defined roles and responsibilities are critical to the effective management of risk. This approach is put into practice through the concept of the “three lines of defense.” Associates in the business groups, who deal with our customers daily, form the first line of defense.

They identify and address risks ranging from fraud to credit decisions. Risk Management forms the second line of defense, acting as coaches and guides to, and monitors and challengers of, the first line. Internal Audit, Model Validation, and Credit Review form the third line, providing an independent review of the work of the first two lines.

Regions recognizes the significance of climate-related, environmental, and social risks and opportunities to our businesses, customers, associates, the communities we serve, and the financial industry at large.

Environmental & Social Risk Management

Our Risk Management Framework is designed to promote environmentally sustainable and socially responsible business practices. As environmental and social risks continue to evolve, we are working to ensure that our Risk Management Framework properly captures and addresses these risks in line with our broader strategic goals.

Environmental and social risks are embedded throughout our Risk Inventory and are managed in accordance with our existing enterprise-wide framework of risk management tools and programs. The identification of existing and emerging environmental and social risks continues to shape our Risk Inventory and Risk Management Framework. For example, we have incorporated climate-related physical and transition risks into our risk library, as drivers of credit and operational risks.

Climate-Related Risks Incorporated Into Our Risk Framework

Physical Risks

Risks associated with the physical effects of climate change. Physical risks may be acute impacts (extreme weather events) or chronic impacts (gradual changes such as sea level rise). Examples include:

  • Extreme heat and drought
  • Hurricanes
  • Wildfires
  • Sea level rise

Transition Risks

Risks associated with the transition to a low-carbon economy, which entails extensive policy, legal, technology and market changes to address mitigation and adaptation requirements related to climate change. Examples include:

  • Policy and regulation
  • Technology development
  • Consumer preferences

The following serve as a few examples of our commitment to effective management of environmental and social risks:

  • As referenced throughout this report, Regions puts strong focus on risk management practices and controls related to consumer protection, fair and responsible banking, human capital management, sales practices, financial crimes, use of AI models, data privacy and protection, and cyber security.
  • Our credit policy identifies industries, products, and transaction types that present increased risk, including consideration of environmental and social risks, which we address by instituting a limited credit appetite and elevated approval and exception tracking requirements. The Board’s Risk Committee reviews and approves our credit policy annually. Each section of the credit policy is reviewed according to a schedule approved annually by the Financial Risk Executive. Our credit policy is expected to evolve over time as our research continues and our climate risk appetite and desired client profile matures alongside our strategy.
  • Lending parameters on coal mining and coal-related activities serve as an example of how we are tailoring our portfolio. This involves enhanced due diligence on high-risk loans, as defined by the Credit Risk Committee. Regions’ Energy and Natural Resources White Paper, an internal document that defines our risk appetite with respect to lending in this area, identifies many of the heightened environmental risks in lending to companies within certain industries, such as coal mining companies; for example, the document reflects Regions’ decision not to lend to companies that use mountaintop removal mining practices to extract more than five percent of their total annual tonnage. This document is subject to periodic updates.
  • A dedicated risk industry team, the Energy and Natural Resources Group (ENRG), underwrites exposure to energy and natural resources clients. This focused effort includes expanded underwriting requirements and focused monitoring.
  • A specialized Credit Portfolio Management team serves as a second-line-of-defense function in Risk Management assessing both systemic macroeconomic and idiosyncratic risk factors as well as other early warning indicators. This team has also established and oversees a robust concentration limit and risk measurement framework enterprise-wide that measures and monitors Bank performance on a monthly basis.
  • A dedicated industry team, the Natural Resources and Real Estate (NRRE) department, is responsible for the prudent and sustainable management of natural resources assets, such as timberland, held in a fiduciary capacity and/or owned by our customers.

During 2020, we performed an assessment of climate change-related risks and opportunities, including physical and transition risks, based on a scenario analysis methodology. We assessed through geospatial analysis the long-term impact of physical acute and chronic risks on our business operations and real estate portfolios. We also performed industry analysis to explore vulnerabilities and opportunities to transition risks should a disruptive acceleration of the transition to a lower carbon economy occur. Details of this climate change assessment and risk management practices can be found in our recently released TCFD Report.

In 2020, we formed an Environmental and Social Risk Management (ESRM) Working Group composed of cross-functional leadership to oversee our environmental and social risk management practices and guide our approach to climate and social risk management within our enterprise risk framework. This ESRM Working Group meets monthly and reports to senior leadership.

We have also dedicated cross-functional resources to an ESRM program effort. In addition to internal education and risk framework considerations, a few efforts underway include:

  • Socializing an enterprise-wide assessment of our environmental and social risk in lending practices.
  • Defining “sustainable finance” and developing risk framework considerations.
  • Developing feasible short- and longer-term goals through strategic initiatives designed to encourage sustainable finance investments in addition to our renewable energy financing activities. Examples of additional concepts under consideration include programs to finance mass transit, alternate fuel creation and delivery, carbon capture, carbon offsets (such as timberland), etc.
  • Evaluating how we consider supplier alignment to environmental and social risk implications.
  • Understanding impacts of climate risk and sea-level change for our assets and portfolio through geospatial analysis.
  • Socializing results of climate change workshop analysis related to physical and transition risk considerations.
  • Exploring methods for measuring loan portfolio Scope 3 greenhouse gas (GHG) emissions.

Reputational Risk Management

Regions manages social risk as part of the Reputational Risk component of Regions’ overall Risk Management Framework approved each year by the Board’s Risk Committee. Regions’ definition of reputational risk emphasizes that reputational risk management is the responsibility of all associates, who are expected to conduct themselves in a manner that reflects positively on Regions. Associates identify social and reputational risks and refer issues to our Reputation Management team (RM).

RM has primary responsibility for assessing and escalating matters as needed and providing effective challenge to the first-line units’ assessment of reputational and social risks. RM collaborates with enterprise partners to identify enterprise and industry trends and to respond to reputational and social risk events and issues. Depending on the issue, RM will participate in customer site visits and conduct other due diligence to develop an understanding of each identified problem. Quarterly, RM reports significant issues, events, and trends to the Board’s Risk Committee.

Additionally, the Regions Human Rights Statement helps provide direction for managing social risk and reiterates our mission and values, which are the foundation of our conceptualization of reputational risk. It also states that we expect the entities with which we do business to respect individual human rights and conduct business free from human rights abuses.

Information Security, Business Resilience and Privacy

In a digitally connected world, information and cyber security present ongoing risks and threats to our capital markets and to companies operating in every industry. This is especially true in the financial services industry, where we deploy advanced technologies to collect and use data in both traditional and innovative ways. As technology further evolves into a new age of advanced automation and AI, organizations that effectively and appropriately manage and use data will continue to increase market power and revenue. We thereby treat the integrity and quality of our information security, business resilience, and privacy functions as core business imperatives targeted for continuous enhancement.

Information Security

As a company that deals with large volumes of sensitive customer information and financial transactions, we increasingly rely on the secure processing, transmission, and storage of information in our computer systems and networks. However, the same constantly evolving technological innovation, transformation, and interconnectedness that enable these capabilities also enable increasingly frequent, widespread, and sophisticated cyber threats and attacks. For that reason, we treat cyber and information security risk as a key operational risk. To mitigate this risk, and to honor our responsibilities to those whose data we safeguard, we have developed and implemented policies and procedures designed to permeate the systems, operations, and governance structures throughout the Company.

Ongoing awareness, continuous adaptation, and effective tools, processes and governance are all necessary to ensure that our data and information systems are protected. We continuously develop and enhance controls, processes, and systems to protect our networks, computers, systems, and data from attacks or unauthorized access. To manage information security risk, we have designed an expansive Information Security program. One integral component of the IS program is our Information Security Policy, which aligns with the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity and NIST Special Publication 800-53. The Information Security Program includes layered controls of network intrusion detection and prevention, enterprise malware protection, advanced persistent threat monitoring, and data protection capabilities.

This program adopts the philosophy of least privilege, which is the practice of limiting users’ access rights to the minimum permissions needed to perform work responsibilities. These controls provide comprehensive technical, administrative, and physical directives designed to ensure the security and confidentiality of our corporate, customer, and associate information and related information systems.

We regularly assess threats and vulnerabilities to our systems so that we can maintain an appropriate control environment to effectively mitigate these risks. We facilitate internal and external third-party assessments, multiple internal and external audits, network penetration testing, and regular vulnerability scans of both our internal and external cyber security controls to test our detection and response capabilities. We also conduct comprehensive due diligence and ongoing oversight of the Company’s third-party vendors. To bolster these practices, our insurance policies cover potential financial losses from cyber events. Additionally, we have placed a computer forensics firm and an industry-leading consulting firm on retainer in case of a breach event. Internally, we regularly provide our associates with cyber security training and education opportunities to ensure they can effectuate our internal controls and risk management efforts. Thanks to these efforts, our layered control environment has effectively responded to the increased number of cyber events we experienced during the COVID-19 pandemic and prevented any potential material impact to the Company.

Our Information Security organization operates under our Chief Operations and Technology Officer, who reports directly to our CEO, and is led by our Chief Information Security Officer (CISO). The CISO develops and executes an enterprise-wide information security strategy that helps protect our customers’ information, while also complying with applicable legal and regulatory standards. As part of this role, the CISO manages the development, implementation, and maintenance of the information security infrastructure; oversees the protection of Regions’ electronic assets by providing monitoring, detection, analysis, event handling, and containment of security incidents; monitors information security trends internally and externally; and reports to senior leadership and the Board about information security issues and activities affecting the company.

Each business unit is responsible for developing and maintaining business continuity plans to help protect critical business functions in the face of temporary or permanent business interruptions, which can range from loss of physical workspace to loss of information technology resources.

Business Resilience

Business interruptions can occur as a result of natural or human events and can range from minor to catastrophic. Regions is committed to supporting our customers and associates in times of crisis by providing essential business and technology services, minimizing disruptions of service, ensuring timely resumptions of service, and limiting related losses. To honor this commitment, we make business resilience and contingency planning integral components of our operations.

Regions’ Business Resilience Program (BR Program) facilitates a process that aligns with regulatory requirements of the Federal Financial Institutions Examination Council, as well as leading industry standards from NIST and the International Organization for Standardization (ISO). The BR Program is supported by our Business Resilience Policy, which provides for resilience planning and emergency management, as well as our Pandemic Response Guide, which seeks to protect associates, customers, facilities, systems, property, and operations by maintaining normal operations whenever possible. As a part of this effort, the Crisis Management team under the CISO develops and implements Regions’ approach to managing internal business resilience risk, including a formal Cyber Incident Response Plan that helps us effectively respond to potential data breaches.

The team also assists Regions’ business units in developing and maintaining their own business continuity plans. It is a critical responsibility of business unit management to prepare for crises and react appropriately should they occur.

Because of this preparation, we were able to implement an alternative work location strategy early in the COVID-19 pandemic that enabled a significant number of our associates to quickly transition to a remote work location. Planning also facilitated distributing on-site associates across physical locations to allow for proper social distancing. Through these changes we were able to maintain a stable and productive operating environment.

Privacy

Data privacy is a critical component as we operationalize advanced technologies that collect increasing amounts of data and use our customers’ and associates’ personal information for conventional business purposes, such as processing transactions, as well as those enabled by innovative technologies. While consumer and regulatory expectations around acceptable data use and management evolve over time, and can vary by country, state and sector, a proliferation of privacy and data protection laws emerging around the world imposes complex compliance requirements on organizations. Failure to collect and process information globally, effectively, and in compliance with increasingly complex global privacy regulations could threaten business survival.

Our Privacy Policy governs all business groups and associates and states our commitment to controlling and mitigating privacy risks. This commitment is an important part of Regions’ dedication to promoting the highest standards of behavior in all aspects of our practices. The Privacy Policy is reviewed annually by the Compliance Risk Management Committee, and all associates and third-party vendors must adhere to this policy.

In addition, the Regions Privacy Pledge, also referred to as the privacy notice, is provided to all customers upon establishing a new consumer relationship or account with Regions. It explains how we collect, use and share information. The Privacy Pledge also provides customers with instructions on how they can limit certain types of information-sharing. We post the Privacy Pledge, along with other helpful privacy, security, and fraud prevention resources, on our website.

The Privacy Policy and Privacy Pledge, and accompanying practices and procedures, are managed by the Enterprise Privacy Compliance Office. The Chief Privacy Officer, who leads the office, is responsible for ensuring that:

  • Associate training is effective and administered annually to all associates.
  • Policies and standards reflect legal and regulatory requirements.
  • Privacy risk tolerance and control environments are established as part of day-to-day operations.
  • Procedural and transactional reviews and testing of business units are performed routinely to ensure the Bank is compliant with our policies and processes.
  • Privacy issues, trends or incidents are escalated for prompt attention and resolution.

Regions understands our customers’ awareness of the collection and use of their personal data, as well as their rights regarding access and control of such data. Regions is committed to continuously enhancing its privacy program to further develop a holistic principles-based approach that aligns strategic business objectives and customer expectations in a rapidly evolving regulatory environment.

Governance

Our system of internal controls incorporates organization-wide reporting and escalation of information security matters to management and the Board. Our Board’s Risk Committee provides primary oversight of our cyber and information security, business resilience and data privacy efforts. As part of its oversight responsibilities, the Risk Committee annually reviews the Information Security Policy, Business Resilience Policy, Pandemic Response Guide, and Privacy Policy. It also directly oversees information technology and information security activities and risks through regular reports from management on information technology, cyber security, and related risk assessments. In addition, on a regular basis, the Audit Committee reviews our cyber security risk management practices, primarily by receiving reports on our cyber security management program. These reports are prepared not only by the CISO but also by our Risk Management and Internal Audit functions.

Beyond the Risk and Audit Committees, our Board considers cyber and information security, along with related risk considerations and mitigation efforts, as part of its annual review of the Company’s strategic plan. The Board considers cyber and information security as part of its annual self-evaluation, and several of our Directors have considerable cyber security experience.