Principles of Governance

Risk and Opportunity Oversight

The extent to which governance oversees the effective identification and management of strategic risks and opportunities.

Risk Management and Compliance

Regions’ mission and business strategy are based on the concept of shared value — what we do as a business should benefit both our Company and our stakeholders. This commitment to shared value requires effective management of environmental and social risks and opportunities, which aligns with our long-held strategic priority to Enhance Risk Management.

Our risk management approach begins with a strong risk culture that is evidenced by a risk governance process, a clear “tone at the top,” associate ownership, escalation expectations and open communication, and in-depth training.

Our Risk Management Framework outlines our approach for managing risk, which includes four components:

  • Collaborative Risk Culture: A strong, collaborative risk culture provides a focus on risks, including environmental and social risks, in all activities and encourages a mindset and behavior that enable effective risk management and promote sound risk-taking within the bounds of our risk appetite. Our risk culture dictates that risks be promptly identified, escalated and challenged, thereby benefiting our overall performance. This culture is demonstrated by our concept of clearly defined roles and responsibilities, which are critical to the effective management of risk.
  • Sound Risk Appetite: Our Enterprise Risk Appetite Statement, which incorporates environmental and social risks, defines the types and levels of risk we are willing to take to achieve our strategic objectives and business plans. The risk appetite is also consistent with Regions’ mission and values.
  • Sustainable Risk Processes: Effective risk management requires consistent processes and tools to effectively identify, measure, mitigate, monitor, and report environmental and social risks. Associates leverage this cycle to manage risk and thereby help protect the interests of our shareholders.
  • Responsible Risk Governance: Governance serves as the foundation for comprehensive management of the risks that we face. It outlines clear responsibility and accountability for managing, monitoring, escalating, and reporting both existing and emerging risks. It also provides a robust challenge process that better allows us to reach our full potential as risk managers.

Clear Roles and Responsibilities

Clearly defined roles and responsibilities are critical to the effective management of risk. This approach is put into practice through the concept of the “three lines of defense.” Associates in the business groups, who deal with our customers daily, form the first line of defense; they identify and address risks ranging from fraud to credit decisions. Risk Management forms the second line of defense, coaching and guiding the first line while also monitoring and challenging its work. Internal Audit, Model Risk, and Credit Review form the third line, providing an independent review of the work of the first two lines.

ESG Risks and Opportunities

ESG Oversight and Execution

At Regions, we strive to use our set of corporate values as a lens through which decisions should be made. The Board and management understand that good governance is the foundation of sustainable business and is necessary for creating shareholder value over the long term. Delivering on this commitment means that we have incorporated ESG considerations into the Company’s broader business and operations, including our strategic plan, our enterprise risk appetite, and the inventory of risks we assess. In doing so, we are able to apply our robust governance processes to our ESG decisioning on an ongoing basis, putting ESG into perspective for our internal experts who are responsible for carrying out various oversight and execution responsibilities.

In 2021, we made several advancements in our ESG governance approach:

  • We established a cross-functional ESG Leadership Council that convenes regularly to consider, discuss, and provide guidance on initiatives aimed at ESG-related risks and opportunities from a variety of standpoints. The Council is overseen by the Executive Leadership Team, thus providing an additional layer of associate-level administration.
  • We more intentionally incorporated ESG elements into both our enterprise-wide and business-level strategic planning processes to better enable a more strategic approach to ESG at both Board and management levels.
  • More direct references to ESG-related risks were integrated into our Risk Library and enterprise-wide risk tolerance for management’s assessment and regular reporting to the Board.

As overseers of risk and stewards of long-term enterprise value, our Directors play an important role in assessing our ESG risks and opportunities and understanding the potential impact of ESG issues on the Company’s operations and business. To that end, our Board and each of its five standing committees oversee various aspects of Regions’ ESG policies, practices, and performance. To facilitate strong ESG governance, the areas of ESG oversight carried out by the Board and delegated to its committees are formalized through our Corporate Governance Principles and separate Committee Charters, respectively. This intentional distribution of responsibilities empowers different groups of Directors to consider subsets of ESG through the lens of their committee’s expertise.

  • The Board of Directors reviews, approves, and oversees management’s creation and implementation of the Company’s short- and long-term strategic objectives as articulated through our strategic planning process. This process has developed to more intentionally incorporate ESG elements.
  • The NCG Committee acts as the primary overseer of ESG at the Board level. It oversees the Company’s practices and reporting with respect to significant ESG matters and assists the Board in establishing and maintaining effective corporate governance policies and practices.
  • The CHR Committee oversees the effectiveness and continuous improvement of the Company’s strategies and policies regarding our human capital management function, including total rewards, corporate culture, talent management, management succession planning, DEI, and associate conduct.
  • The Risk Committee oversees the Company’s prudent pursuit of risk and reward through significant policies and practices, including those related to environmental and social risk. Importantly, it reviews and approves the Company’s risk tolerance parameters, which have been updated to incorporate more direct references to ESG-related risks.
  • The Audit Committee oversees the proper functioning of the Company’s controls and the disclosure of matters significant to the Company, including ESG-related matters covered in our regulatory reporting.
  • The Technology Committee, formed in February 2022, oversees the role of technology in executing the Company’s business strategy, including information security, data privacy, and digital innovation.

ESG Oversight and Execution

Oversight rests with the Board of Directors and its standing committees; execution rests with the management-level committees listed below.

Board of Directors

  • Strategic Plan, including ESG-specific initiatives
  • Annual budget, including ESG-related investments
  • Capital planning, including ESG-related expenditures

Board-Level Committees

NCG Committee

  • ESG strategies, initiatives, policies, and practices
  • Voluntary ESG disclosures
  • Stakeholder engagement on ESG issues

Risk Committee

  • ESG alignment within Enterprise Risk Appetite Statement, Risk Management Framework, and Risk Library
  • Environmental and Social Risk Management (ESRM) Program

CHR Committee

  • Associate compensation and benefits
  • Corporate culture and Code of Conduct
  • DEI practices
  • Talent management and succession planning

Audit Committee

  • Functioning of Company’s internal controls and disclosure
  • Disclosure of material ESG matters

Technology Committee

  • Company’s culture and talent strategy related to technological and digital transformation
  • Information technology and security

Management-Level Committees

Executive Leadership Team

  • Evaluates ESG considerations within strategic planning
  • Oversees ESG Leadership Council
  • Consists of senior management, including executive officers

ESG Leadership Council

  • Maintains aggregated view of ESG-related risks and opportunities, leveraging internal and external inputs
  • Provides guidance and direction on internal initiatives

Disclosure Review Committee

  • Reviews ESG-related disclosures in SEC reporting
  • Provides feedback on voluntary ESG disclosures

Risk Governance Committees

  • Monitor ESG-related updates to Risk Library
  • Review ESG-related metrics’ performance to assess adherence to risk tolerance
  • Supervise enterprise risk assessments incorporating ESG risks

2021 Board and Committee ESG Presentations/Discussions

Members of management help enable effective Board-level ESG oversight by providing the Board and its committees with regular updates on our ESG-related initiatives. Some of the ESG topics covered in Board and committee presentations in 2021 included:

Environmental

  • Progress toward meeting our goals to reduce operational emissions and energy use
  • Articulation of sustainability strategy in our Environmental Sustainability Policy Statement
  • Achievements through ESRM Program
  • Results from analysis of climate-related physical and transition risks
  • Development of and external response to our inaugural TCFD Report
  • Regulatory disclosure of environmental risks

Social

  • Efforts to promote diversity, equity, and inclusion
  • Associate health, well-being, and engagement
  • Associate and executive compensation and benefits
  • Information and cybersecurity program, business resilience, and related assessments
  • Agility around connectivity, including remote/hybrid work and digital/mobile banking
  • Disclosure of EEO-1 data in an inaugural Workforce Demographics Report
  • Articulation of principles in Regions’ Human Rights Statement and Supplier Code of Conduct

Governance

  • Board composition, including diverse representation, tenure, and refreshment
  • Effectiveness of internal controls and critical accounting estimates
  • Enterprise-wide approaches to identifying, measuring, mitigating, monitoring, and reporting ESG risks and opportunities
  • Feedback received through engagement with shareholders and other stakeholders
  • Director independence determinations, including conflicts of interest and service on external boards/“overboarding”

Beyond these discussions, the Board, Committee, and individual Director evaluation program provides our Directors with valuable insight into the Board’s ESG-related efficacy. The self-evaluation process examines not only the Board’s and Directors’ performance over the past year, but also potential areas of focus going forward.

  • Examples of questions put to the Directors during this year’s self-evaluation process include:
    • CHR Committee: Looking forward, is the committee well positioned to ensure that it is appropriately overseeing ESG matters related to corporate culture; human capital and talent management; and diversity, equity, and inclusion?
    • NCG Committee: Looking forward, is the committee well positioned to ensure that it is overseeing its expanded areas of responsibility with respect to ESG?
  • As a result of the 2021 year-end evaluations, the Board determined that it should continue building on its oversight of the Company’s ESG program and initiatives, supported by regular operational and educational updates.

Another critical consideration for the Board is the degree to which various skills, perspectives, and areas of expertise are represented within its membership. As part of the 2021 year-end Director Questionnaires, each Director was asked to assess their level of expertise in 13 different skills that we believe are inextricably linked to proper Board oversight of the Company.

Among the Board’s current membership, a majority of our 11 Directors have identified themselves as having “considerable” or “extensive” experience in the following key ESG areas:

  • Corporate Governance: 9 Directors
  • Customer Focus and Community Engagement: 11 Directors
  • Environmental Sustainability Practices: 8 Directors
  • Executive Compensation and Benefits: 10 Directors
  • Human Capital Management: 11 Directors

Environmental and Social Risk Management

Regions recognizes the significance of climate-related, environmental and social risks and opportunities to our businesses, customers, associates, the communities we serve, and the financial industry at large. Our Risk Management Framework is designed to promote environmentally sustainable and socially responsible business practices. As environmental and social risks continue to evolve, we continue to confirm that our Risk Management Framework properly captures and addresses these risks in line with our broader strategic goals.

Environmental and social risks are embedded throughout our Risk Inventory and are managed in accordance with our existing enterprise-wide framework of risk management tools and programs. The identification of existing and emerging environmental and social risks continues to shape our Risk Inventory and Risk Management Framework. For example, we have incorporated climate-related physical and transition risks into our risk library, as drivers of credit and operational risks; and ESG risk as a driver of strategic and reputational risks.

Climate-Related Risks Incorporated Into Our Risk Framework

Physical Risks

Risks associated with the physical effects of climate change.

Physical risks may be acute impacts (extreme weather events) or chronic impacts (gradual changes such as sea level rise).

Examples include:

  • Extreme heat and drought
  • Hurricanes
  • Wildfires
  • Sea level rise

Transition Risks

Risks associated with the transition to a low-carbon economy, which entails extensive policy, legal, technology, and market changes to address mitigation and adaptation requirements related to climate change.

Examples include:

  • Policy and regulation
  • Technology development
  • Consumer preferences

The following serve as a few examples of our commitment to effective management of environmental and social risks:

  • As referenced throughout this report, Regions puts strong focus on risk management practices and controls related to consumer protection, fair and responsible banking, human capital management, sales practices, financial crimes, use of AI models, data privacy and protection, and cybersecurity.
  • Our credit policy identifies industries, products and transaction types that present increased credit risk, including environmental and/or social risks, which we address by instituting a limited credit appetite and elevated approval and exception tracking requirements. The Risk Committee of the Board of Directors reviews and approves our credit policy on an annual basis. Each section of the credit policy is reviewed according to a schedule approved annually by the Financial Risk Executive. Lending parameters and elevated approval requirements on coal mining and coal-related activities serve as an example of how we are tailoring our portfolio to address these risks. Our credit policy is expected to evolve over time as our research continues and our climate risk appetite and desired client profile matures alongside our strategy. For example, we recently strengthened our credit policy regarding the identification, assessment, and reporting of environmental and climate transition risks and risk concentrations in the business services portfolio.
  • A dedicated risk industry team, the Energy and Natural Resources Group (ENRG), underwrites exposure to energy and natural resources clients. This focused effort includes expanded underwriting requirements and focused monitoring.
  • A specialized Credit Portfolio Management team with a newly dedicated ESG credit portfolio manager serves as a second line of defense in Risk Management, assessing both systemic macroeconomic and idiosyncratic risk factors as well as other early warning indicators. This team has also established and oversees a robust concentration limit and risk measurement framework enterprise-wide that measures and monitors Bank performance on a monthly basis.
  • A dedicated industry team, the Natural Resources and Real Estate (NRRE) department is responsible for the prudent and sustainable management of natural resources assets, such as timberland, held in a fiduciary capacity and/or owned by our customers.

During 2021, we performed an assessment of climate change-related risks and opportunities, including physical and transition risks, based on a scenario analysis methodology. We assessed through geospatial analysis the impact of physical acute and chronic risks on our business operations and real estate portfolios. We also performed industry analysis to explore vulnerabilities and opportunities to transition risks should a disruptive acceleration of the transition to a lower carbon economy occur. Details of this climate change assessment and risk management practices can be found in our recently released TCFD Report.

In 2021, we formed an ESRM Working Group composed of cross-functional leadership to oversee our environmental and social risk management practices and guide our approach to climate and social risk management within our enterprise risk framework. This ESRM Working Group meets monthly and reports to senior leadership.

We have also dedicated cross-functional resources to an ESRM program. In addition to internal education and risk framework considerations, a few efforts underway include:

  • Refreshing, for the second year, and socializing an enterprise-wide assessment of our environmental and social risk in lending practices.
  • Defining “sustainable finance” and evaluating current baseline measurements for future monitoring.
  • Developing feasible short- and longer-term goals through strategic initiatives designed to encourage sustainable finance investments. Our current activities include but are not limited to renewable energy consumer and business financing; energy efficiency-related lending; green and social bonds; affordable housing investments and lending; and other financing to support the communities where we operate. Examples of additional concepts under consideration include programs to finance mass transit, alternate fuel creation and delivery, agriculture lending, carbon capture, and carbon offsets (such as timberland).
  • Evaluating how we consider supplier alignment to environmental and social risk implications.
  • Monitoring adoption of credit policy enhancements to strengthen physical and transition risk management underwriting and monitoring of individual obligors in higher-risk industries and in portfolio monitoring.
  • Facilitating enhancements to our third-party data subscriptions to allow for improved insights on potential physical risk considerations of our customers and overall ESG evaluation as it pertains to credit and third-party risk management.
  • Continuously improving our obligor-level climate risk assessment.
  • Focusing upon increased awareness and internal education to elevate culture and expertise of environmental and social risks and opportunities.
  • Enhancing our understanding of the impacts of climate risk and sea-level change for our assets and portfolio through geospatial analysis.
  • Socializing results of our second annual climate change workshop analysis related to physical and transition risk considerations.
  • Joining PCAF and establishing a cross-functional project operating model, which is beginning to measure portfolio Scope 3 greenhouse gas (GHG) emissions or “Financed Emissions.”

Social Risk Management

Regions manages social risk as part of the Reputational Risk component of the overall Risk Management Framework approved each year by the Board’s Risk Committee. Regions uses the themes and key issues cited within the Committee of Sponsoring Organizations’ (COSO) Framework for Environmental, Social and Governance Risks as a foundation for its management of social risk. We have reviewed Regions’ risk library and validated the relevance of numerous existing risks and risk drivers to the COSO Framework. Risks with a social risk component are tagged as related to social risk to drive enhanced ESG reporting through our existing risk management framework. Associates identify both social and reputational risks and refer issues to our Reputation Management team (RM).

While reputational risk and social risk overlap, reputational risk is much broader. Reputational risk arises from negative publicity regarding any of Regions’ business practices, as opposed to social risk’s select themes. Further, unlike reputational risk, social risk does not require negative publicity.

RM has primary responsibility for assessing and escalating matters as needed and providing effective challenge to the first-line-of-defense units’ assessment of reputational and social risks. RM collaborates with enterprise partners to identify enterprise-wide and industry trends and to respond to reputational and social risk events and issues. Depending on the issue, RM will participate in customer site visits and conduct other due diligence to develop an understanding of each identified problem. Quarterly, RM reports material issues, events, and trends to the Board’s Risk Committee.

Additionally, the Regions Human Rights Statement helps provide direction for managing social risk and reiterates our mission and values, which are the foundation of our conceptualization of reputational risk. It also states that we expect the entities with which we do business to respect individual human rights and conduct business free from human rights abuses. The Human Rights Statement is discussed further in the People section of this report.

ESG Data Governance

Regions recognizes that promoting accuracy and transparency is critical to maintaining the trust of our shareholders and other stakeholders. As such, we are constantly seeking ways to improve the quality of the information that we provide in our ESG disclosures. This acts as an investment in the value of our future disclosures by enabling our stakeholders to track our progress on the ESG goals and initiatives we have deemed most important to our organization.

Over the past several years, as the number and scope of our ESG disclosures have continued to grow, we have sought to improve the processes through which those various disclosures are compiled. For example, some of the controls we have applied to this current report include:

  • Soliciting contributions and certifications from internal subject-matter experts on the topics covered throughout the report.
  • Partnering with internal reporting experts to obtain documentation supportive of the report’s content.
  • Subjecting the report to multiple rounds of review and revision by cross-functional groups of associates, including our newly formed ESG Leadership Council.
  • Presenting the report to our Disclosure Review Committee, which is generally tasked with reviewing certain of Regions’ regulatory and non-regulatory disclosures for accuracy and clarity.
  • Collaborating with our Internal Audit function to enhance the effectiveness of the review process.

In 2021, we began supplementing these internal efforts by obtaining independent third-party assurance for our 2020 GHG inventory. For enhanced transparency, we have made the verification opinion declaration available alongside our 2020 TCFD Report and our 2021 CDP Climate Change Questionnaire Response, both of which incorporate the verified data. For information about our 2021 GHG emissions data, please see the Planet section of this report and our 2021 TCFD Report.

Capital Planning Process

Regions employs a robust and mature Capital Planning Process (CPP) that is designed to ensure capital levels are commensurate with the risk inherent in the balance sheet and sufficient to allow the Company to extend credit and meet customer needs, including in periods of severe stress. Additionally, the CPP seeks to promote the efficient use of capital while maintaining a long-term approach to capital allocation and distribution consistent with stakeholders’ expectations and the Company’s strategic priorities. The CPP relies upon active participation by cross-functional groups throughout the Company, including Finance, Corporate Treasury, Risk Management, Internal Audit, and the various business groups, and is overseen by a governance committee structure composed of a similarly broad cross-section of senior management as well as the Board. The governance structure is led by the senior management-level Asset-Liability Committee (ALCO) and involves several key CPP-focused sub-committees of the ALCO and other relevant senior management-level committees. These include the Scenario Design Committee, Operational Risk Committee, Capital Management Committee, and Enterprise Risk Management Committee. Lastly, Regions’ Board provides approval and oversight of all CPP activities, which flow from the capital plan and Capital Policy approved by the Board each year.

Regions’ annual capital plan is developed in accordance with our internal Capital Policy that, among other things, defines operating objectives for capital and priorities for the deployment of capital generated organically in the form of earnings from our core operations. Our current capital deployment priorities are:

  1. Growth and strategic investments.
  2. Sustainable common stock dividend payout ratio.
  3. Common stock repurchases.

Prudent investment of capital to grow the Company is our number one priority, as we believe this activity provides the greatest potential for long-term value creation for stakeholders, including the customers, associates, communities, and shareholders we serve.

The realities of a competitive market, however, naturally place limits on the opportunities available to prudently invest in the growth of the Company. As such, Regions must remain disciplined in the allocation of capital and ensure that returns are appropriate in the context of investment risk and the strategic objectives of the Company.

Our ability to distribute capital to shareholders in the form of dividends and share repurchases is critical to maintaining this discipline. Share repurchases provide an alternative use of capital when prudent investment opportunities are unavailable and prevent the Company from facing the losing trade-off between accepting suboptimal returns and outsized risk, versus inefficiently carrying idle capital. Inefficient management of capital can lead to strategic risk, including under-performance relative to stakeholder expectations.

As Regions develops its annual capital plan through the CPP, consistent with our capital deployment priorities, capital is allocated first to supporting expected available growth opportunities, and then to supporting a sustainable common dividend payout ratio. Regions regularly evaluates dividend sustainability through the CPP and generally seeks to manage the common dividend at a level that can reasonably be expected to be maintained through a typical, post-World War II recession. Finally, unallocated capital may be directed to share repurchases, which generally represent the most flexible mechanism for deploying capital and, in this context, serve to ensure capital levels are managed in alignment with capital targets.

The CPP is subject to continuous and in-depth supervision by the Federal Reserve and other relevant regulatory bodies. In accordance with regulatory requirements, Regions’ capital plan is regularly submitted to the Federal Reserve upon our Board’s review and approval. Any capital distributions included in the annual capital plan are promptly disclosed following Board approval.

Like other bank holding companies, Regions is required to participate in Supervisory Stress Testing, and may be subject to Federal Reserve required constraints on capital distributions through the application of the Stress Capital Buffer framework, which requires Regions to maintain a firm-specific capital buffer established by the Federal Reserve or face increasing restrictions on capital distributions. Additionally, the Federal Reserve may, from time to time, place additional restrictions on capital distributions.

For more information on Regions’ Capital Planning and Stress Testing Framework, please see our Annual Report on Form 10-K for the year ended December 31, 2021, dated February 24, 2022.

Corporate Political Activity

Regions’ Statement on Political Contributions and Code of Conduct collectively govern and promote the highest standards of behavior by our Company and our associates with regard to political activities. These policies also support our compliance with all applicable federal and state campaign finance laws. Like most public companies, Regions recognizes that decisions made by governmental agencies and lawmakers can have a significant impact on our operations, customers, shareholders, and associates. Accordingly, we monitor and track issues that affect our business and express our views to lawmakers and regulators.

Regions may make corporate political contributions in states where doing so is permissible. These contributions may be directed to state party organizations and candidates for statewide offices, state legislatures, and, in rare instances, local offices. Also, where legally permitted, Regions may make independent expenditures or corporate contributions in connection with state and local ballot initiatives, and referenda on important policy issues likely to impact our business and our stakeholders. However, even when legally permissible, Regions does not make contributions to single-issue political entities organized under Section 527 of the Internal Revenue Code (IRC) or to special interest lobbying groups organized under Section 501(c)(4) of the IRC to support political activities.

Regions’ corporate political contributions are subject to a tiered approval process based on the amount of the anticipated contribution. The full Board receives a report on the Company’s annual corporate contributions and non-deductible portions of trade association dues. Reports are reviewed and certified to be in compliance with the Statement by Regions’ Chief Legal Officer.

The Company believes that transparency regarding our political contributions is important to our stakeholders. Since 2014, we have published Government Affairs Reports on a semi-annual basis that contain the Company’s Statement on Political Contributions and our related activities. In each report, we describe our oversight process for political contributions and a summary of independent expenditures and corporate political giving over the report’s covered period. The report also discloses trade associations to which Regions paid more than $25,000 in annual dues and the portion of those dues that were non-deductible under the IRC as attributable to lobbying expenses.

The Company believes that these disclosures offer transparency with respect to the Company’s public policy advocacy, which benefits our shareholders, the Company, our associates, and our customers. Our Government Affairs Reports can be found under the “Company Values, Mission and Vision” page on regions.com/about-regions.

Information Security, Business Resilience, and Data Privacy

Information Security

As a company that deals with large volumes of sensitive customer information and financial transactions, we increasingly rely on the secure processing, transmission, and storage of information in our computer systems and networks. For that reason, we treat cybersecurity risk as a key operational risk within our enterprise-wide risk management framework. To manage information security risk, we have designed an expansive Information Security Program. One integral component of the program is our Information Security Policy, which aligns with standards promulgated by the National Institute of Standards and Technology (NIST). The Information Security Policy establishes technical, administrative, and physical control directives to protect our informational assets from reasonably foreseeable risks and threats. The program is supplemented by security operations that protect the integrity and availability of our information systems.

To achieve the goals articulated in our policies and programs, we invest heavily in our technology, tools, people, and security processes. Information Security leverages technology innovation to enhance security while improving the customer experience. We perform comprehensive security analytics, assess and manage vulnerabilities, and maintain strong layered cyber defenses. We continuously develop and enhance controls, processes, and systems to protect our networks, computers, systems, and data from attacks or unauthorized access. We facilitate internal and external third-party assessments, network penetration testing, and regular vulnerability scans of both internal and external assets. We also conduct comprehensive due diligence and ongoing oversight of the Company’s third-party vendors. Internally, we regularly provide our associates with cybersecurity training, education, and awareness (e.g., phishing simulations).

From a response perspective, we maintain a Cyber Incident Response Plan, which is part of our broader business continuity planning and Crisis Management Program, to help us effectively respond to a possible data breach. We keep a computer forensics firm and an industry-leading consulting firm on retainer in case of a breach event. Other vendors provide us with denial-of-service mitigation and other resources necessary to support Regions in the event of an attack.

Lastly, we recognize the growing risk associated with highly sophisticated actors targeting corporations, and we have procured insurance policies that cover potential financial losses from cyber events.

Thanks to these efforts, our layered control environment has effectively responded to the increased number of cyber events we experienced during the COVID-19 pandemic and prevented potential material impact to the Company.

Business Resilience

Business resilience and contingency planning are integral components of our operations. Regions is committed to supporting our customers and associates by providing essential business and technology services, minimizing disruptions of service, ensuring timely resumptions of service, and limiting related losses in times of crisis.

Regions’ Business Resilience Program facilitates a process that aligns with regulatory requirements of the Federal Financial Institutions Examination Council, as well as leading industry standards from NIST and the International Organization for Standardization (ISO). The program is supported by our: (i) Business Resilience Policy, which provides for resilience planning and emergency management (i.e., planning to continue operations during a loss of associates, facilities, critical systems, and key third parties), and (ii) Pandemic Response Guide, which seeks to protect associates and customers during a pandemic, while maintaining normal operations whenever possible. Our Crisis Management Team ensures efficient triage (i.e., evaluation, communication, mitigation, and response) to significant events and incidents that could impact the Company or our customers. The crisis team is supported by the Crisis Management Guide.

The program, the Business Resilience Policy, the Pandemic Response Guide, and the work of the Crisis Management Team are all overseen by the Board’s Risk Committee.

Because of this preparation, we were able to implement an alternative work location strategy early in the COVID-19 pandemic that enabled a significant number of our associates to quickly transition to a remote work location. Planning also facilitated distributing on-site associates across physical locations to allow for proper social distancing. Through these changes we were able to maintain a stable and productive operating environment.

In addition to enterprise-wide efforts, all Regions business units are responsible for developing and maintaining their own business continuity plans protecting critical business functions in the face of business interruptions related to local events such as weather. The Business Resilience team within Information Security assists these business units in developing their business unit-specific continuity plans. The team also coordinates with application system owners to ensure that plans are developed for recovering Regions’ systems. Yearly testing is performed to ensure these systems can recover to Regions’ secondary data center.

Data Privacy

Data privacy is critical to operationalizing advanced technologies that collect increasing amounts of data. These technologies use our customers’ and associates’ personal information both for conventional business purposes, such as processing transactions, and for purposes enabled by innovative technologies. Failure to collect and process information effectively, and in compliance with increasingly complex privacy regulations, could threaten business survival.

Our Privacy Policy states our commitment to controlling and mitigating privacy risks, and all associates and third-party vendors must adhere to the policy. In addition, the Regions Privacy Pledge (or “privacy notice”) is provided to all customers upon establishing a new consumer relationship or account with Regions. It explains how we collect, use, and share information. The Privacy Pledge also provides customers with instructions on how they can limit certain types of information-sharing. We post the Privacy Pledge, along with other helpful privacy, security, and fraud prevention resources, on our website.

These privacy programs and policies are overseen by the Corporate Privacy Compliance Office. The Office’s main objectives include effective, annual associate training; adherence to legal and regulatory requirements in policies and standards; establishment of privacy risk tolerance and control environments in daily operations; formalized procedural and transactional reviews; and prompt escalation of privacy issues, trends, and incidents for attention and resolution.

Governance

Our internal governance processes incorporate organization-wide reporting and escalation of the Business Resilience Program, Information Security Program, data privacy, and related matters, to management and the Board. Our Board considers business and technical resilience, information security and technological innovation, and privacy considerations, along with related risk considerations and mitigation efforts, within the Company’s strategic plan. The Board also receives an annual update on the Company’s enterprise services, which include resilience, information technology, and information security. The Board’s Risk Committee directly oversees information technology and information security risks through regular reports from management, the risk management function, and external assessments. The Risk Committee also receives annual reports on the Information Security Program and approves the Information Security Policy. Further, the Risk Committee approves the Business Resilience Policy and Pandemic Response Guide every year.

The newly formed Technology Committee will provide additional oversight on the role of technology in executing the Company’s business strategy, including with respect to specific projects like our multi-year “Regions 2.0/R2” initiative. In addition, the Company has a strong team of associates reporting to senior management on day-to-day operational matters involving information security, as well as on the impact of initiatives in technology and digital transformation on information security.