The following serve as a few examples of our commitment to effective management of environmental and social risks:
- As referenced throughout this report, Regions puts strong focus on risk management practices and controls related to consumer protection, fair and responsible banking, human capital management, sales practices, financial crimes, use of AI models, data privacy and protection, and cybersecurity.
- Our credit policy identifies industries, products and transaction types that present increased credit risk, including environmental and/or social risks, which we address by instituting a limited credit appetite and elevated approval and exception tracking requirements. The Risk Committee of the Board of Directors reviews and approves our credit policy on an annual basis. Each section of the credit policy is reviewed according to a schedule approved annually by the Financial Risk Executive. Lending parameters and elevated approval requirements on coal mining and coal-related activities serve as an example of how we are tailoring our portfolio to address these risks. Our credit policy is expected to evolve over time as our research continues and our climate risk appetite and desired client profile matures alongside our strategy. For example, we recently strengthened our credit policy regarding the identification, assessment, and reporting of environmental and climate transition risks and risk concentrations in the business services portfolio.
- A dedicated risk industry team, the Energy and Natural Resources Group (ENRG), underwrites exposure to energy and natural resources clients. This focused effort includes expanded underwriting requirements and focused monitoring.
- A specialized Credit Portfolio Management team with a newly dedicated ESG credit portfolio manager serves as a second line of defense in Risk Management, assessing both systemic macroeconomic and idiosyncratic risk factors as well as other early warning indicators. This team has also established and oversees a robust concentration limit and risk measurement framework enterprise-wide that measures and monitors Bank performance on a monthly basis.
- A dedicated industry team, the Natural Resources and Real Estate (NRRE) department, is responsible for the prudent and sustainable management of natural resources assets, such as timberland, held in a fiduciary capacity and/or owned by our customers.
During 2021, we performed an assessment of climate change-related risks and opportunities, including physical and transition risks, based on a scenario analysis methodology. We assessed through geospatial analysis the impact of physical acute and chronic risks on our business operations and real estate portfolios. We also performed industry analysis to explore vulnerabilities and opportunities to transition risks should a disruptive acceleration of the transition to a lower carbon economy occur. Details of this climate change assessment and risk management practices can be found in our recently released TCFD Report.
In 2021, we formed an ESRM Working Group composed of cross-functional leadership to oversee our environmental and social risk management practices and guide our approach to climate and social risk management within our enterprise risk framework. This ESRM Working Group meets monthly and reports to senior leadership.
We have also dedicated cross-functional resources to an ESRM program. In addition to internal education and risk framework considerations, a few efforts underway include:
- Refreshing, for the second year, and socializing an enterprise-wide assessment of our environmental and social risk in lending practices.
- Defining “sustainable finance” and evaluating current baseline measurements for future monitoring.
- Developing feasible short- and longer-term goals through strategic initiatives designed to encourage sustainable finance investments. Our current activities include but are not limited to renewable energy consumer and business financing; energy efficiency-related lending; green and social bonds; affordable housing investments and lending; and other financing to support the communities where we operate. Examples of additional concepts under consideration include programs to finance mass transit, alternate fuel creation and delivery, agriculture lending, carbon capture, and carbon offsets (such as timberland).
- Evaluating how we consider supplier alignment to environmental and social risk implications.
- Monitoring adoption of credit policy enhancements to strengthen physical and transition risk management underwriting and monitoring of individual obligors in higher-risk industries and in portfolio monitoring.
- Facilitating enhancements to our third-party data subscriptions to allow for improved insights on potential physical risk considerations of our customers and overall ESG evaluation as it pertains to credit and third-party risk management.
- Continuously improving our obligor-level climate risk assessment.
- Focusing upon increased awareness and internal education to elevate culture and expertise of environmental and social risks and opportunities.
- Enhancing our understanding of the impacts of climate risk and sea-level change for our assets and portfolio through geospatial analysis.
- Socializing results of our second annual climate change workshop analysis related to physical and transition risk considerations.
- Joining PCAF and establishing a cross-functional project operating model, which is beginning to measure portfolio Scope 3 greenhouse gas (GHG) emissions or “Financed Emissions.”
Social Risk Management
Regions manages social risk as part of the Reputational Risk component of the overall Risk Management Framework approved each year by the Board’s Risk Committee. Regions uses the themes and key issues cited within the Committee of Sponsoring Organizations’ (COSO) Framework for Environmental, Social and Governance Risks as a foundation for its management of social risk. We have reviewed Regions’ risk library and validated the relevance of numerous existing risks and risk drivers to the COSO Framework. Risks with a social risk component are tagged as related to social risk to drive enhanced ESG reporting through our existing risk management framework. Associates identify both social and reputational risks and refer issues to our Reputation Management team (RM).
While reputational risk and social risk overlap, reputational risk is much broader. Reputational risk arises from negative publicity regarding any of Regions’ business practices, as opposed to social risk’s select themes. Further, unlike reputational risk, social risk does not require negative publicity.
RM has primary responsibility for assessing and escalating matters as needed and providing effective challenge to the first-line-of-defense units’ assessment of reputational and social risks. RM collaborates with enterprise partners to identify enterprise-wide and industry trends and to respond to reputational and social risk events and issues. Depending on the issue, RM will participate in customer site visits and conduct other due diligence to develop an understanding of each identified problem. Quarterly, RM reports material issues, events, and trends to the Board’s Risk Committee.
Additionally, the Regions Human Rights Statement helps provide direction for managing social risk and reiterates our mission and values, which are the foundation of our conceptualization of reputational risk. It also states that we expect the entities with which we do business to respect individual human rights and conduct business free from human rights abuses. The Human Rights Statement is discussed further in the People section of this report.
ESG Data Governance
Regions recognizes that promoting accuracy and transparency is critical to maintaining the trust of our shareholders and other stakeholders. As such, we are constantly seeking ways to improve the quality of the information that we provide in our ESG disclosures. This acts as an investment in the value of our future disclosures by enabling our stakeholders to track our progress on the ESG goals and initiatives we have deemed most important to our organization.
Over the past several years, as the number and scope of our ESG disclosures have continued to grow, we have sought to improve the processes through which those various disclosures are compiled. For example, some of the controls we have applied to this current report include:
- Soliciting contributions and certifications from internal subject-matter experts on the topics covered throughout the report.
- Partnering with internal reporting experts to obtain documentation supportive of the report’s content.
- Subjecting the report to multiple rounds of review and revision by cross-functional groups of associates, including our newly formed ESG Leadership Council.
- Presenting the report to our Disclosure Review Committee, which is generally tasked with reviewing certain of Regions’ regulatory and non-regulatory disclosures for accuracy and clarity.
- Collaborating with our Internal Audit function to enhance the effectiveness of the review process.
In 2021, we began supplementing these internal efforts by obtaining independent third-party assurance for our 2020 GHG inventory. For enhanced transparency, we have made the verification opinion declaration available alongside our 2020 TCFD Report and our 2021 CDP Climate Change Questionnaire Response, both of which incorporate the verified data. For information about our 2021 GHG emissions data, please see the Planet section of this report and our 2021 TCFD Report.
Capital Planning Process
Regions employs a robust and mature Capital Planning Process (CPP) that is designed to ensure capital levels are commensurate with the risk inherent in the balance sheet and sufficient to allow the Company to extend credit and meet customer needs, including in periods of severe stress. Additionally, the CPP seeks to promote the efficient use of capital while maintaining a long-term approach to capital allocation and distribution consistent with stakeholders’ expectations and the Company’s strategic priorities. The CPP relies upon active participation by cross-functional groups throughout the Company, including Finance, Corporate Treasury, Risk Management, Internal Audit, and the various business groups, and is overseen by a governance committee structure composed of a similarly broad cross-section of senior management as well as the Board. The governance structure is led by the senior management-level Asset-Liability Committee (ALCO) and involves several key CPP-focused sub-committees of the ALCO and other relevant senior management-level committees. These include the Scenario Design Committee, Operational Risk Committee, Capital Management Committee, and Enterprise Risk Management Committee. Lastly, Regions’ Board provides approval and oversight of all CPP activities, which flow from the capital plan and Capital Policy approved by the Board each year.
Regions’ annual capital plan is developed in accordance with our internal Capital Policy that, among other things, defines operating objectives for capital and priorities for the deployment of capital generated organically in the form of earnings from our core operations. Our current capital deployment priorities are:
- Growth and strategic investments.
- Sustainable common stock dividend payout ratio.
- Common stock repurchases.
Prudent investment of capital to grow the Company is our number one priority, as we believe this activity provides the greatest potential for long-term value creation for stakeholders, including the customers, associates, communities, and shareholders we serve.
The realities of a competitive market, however, naturally place limits on the opportunities available to prudently invest in the growth of the Company. As such, Regions must remain disciplined in the allocation of capital and ensure that returns are appropriate in the context of investment risk and the strategic objectives of the Company.
Our ability to distribute capital to shareholders in the form of dividends and share repurchases is critical to maintaining this discipline. Share repurchases provide an alternative use of capital when prudent investment opportunities are unavailable and spare the Company a losing trade-off between accepting suboptimal returns or outsized risk on the one hand and inefficiently carrying idle capital on the other. Inefficient management of capital can lead to strategic risk, including under-performance relative to stakeholder expectations.
As Regions develops its annual capital plan through the CPP, consistent with our capital deployment priorities, capital is allocated first to supporting expected available growth opportunities, and then to supporting a sustainable common dividend payout ratio. Regions regularly evaluates dividend sustainability through the CPP and generally seeks to manage the common dividend at a level that can reasonably be expected to be maintained through a typical, post-World War II recession. Finally, unallocated capital may be directed to share repurchases, which generally represent the most flexible mechanism for deploying capital and, in this context, serve to ensure capital levels are managed in alignment with capital targets.
The CPP is subject to continuous and in-depth supervision by the Federal Reserve and other relevant regulatory bodies. In accordance with regulatory requirements, Regions’ capital plan is regularly submitted to the Federal Reserve upon our Board’s review and approval. Any capital distributions included in the annual capital plan are promptly disclosed following Board approval.
Like other bank holding companies, Regions is required to participate in Supervisory Stress Testing, and may be subject to Federal Reserve required constraints on capital distributions through the application of the Stress Capital Buffer framework, which requires Regions to maintain a firm-specific capital buffer established by the Federal Reserve or face increasing restrictions on capital distributions. Additionally, the Federal Reserve may, from time to time, place additional restrictions on capital distributions.
For more information on Regions’ Capital Planning and Stress Testing Framework, please see our Annual Report on Form 10-K for the year ended December 31, 2021, dated February 24, 2022.
Corporate Political Activity
Regions’ Statement on Political Contributions and Code of Conduct collectively govern and promote the highest standards of behavior by our Company and our associates with regard to political activities. These policies also support our compliance with all applicable federal and state campaign finance laws. Like most public companies, Regions recognizes that decisions made by governmental agencies and lawmakers can have a significant impact on our operations, customers, shareholders, and associates. Accordingly, we monitor and track issues that affect our business and express our views to lawmakers and regulators.
Regions may make corporate political contributions in states where doing so is permissible. These contributions may be directed to state party organizations and candidates for statewide offices, state legislatures, and, in rare instances, local offices. Also, where legally permitted, Regions may make independent expenditures or corporate contributions in connection with state and local ballot initiatives, and referenda on important policy issues likely to impact our business and our stakeholders. However, even when legally permissible, Regions does not make contributions to single-issue political entities organized under Section 527 of the Internal Revenue Code (IRC) or to special interest lobbying groups organized under Section 501(c)(4) of the IRC to support political activities.
Regions’ corporate political contributions are subject to a tiered approval process based on the amount of the anticipated contribution. The full Board receives a report on the Company’s annual corporate contributions and non-deductible portions of trade association dues. Reports are reviewed and certified to be in compliance with the Statement by Regions’ Chief Legal Officer.
The Company believes that transparency regarding our political contributions is important to our stakeholders. Since 2014, we have published Government Affairs Reports on a semi-annual basis that contain the Company’s Statement on Political Contributions and our related activities. In each report, we describe our oversight process for political contributions and a summary of independent expenditures and corporate political giving over the report’s covered period. The report also discloses trade associations to which Regions paid more than $25,000 in annual dues and the portion of those dues that were non-deductible under the IRC as attributable to lobbying expenses.
The Company believes that these disclosures offer transparency with respect to the Company’s public policy advocacy, which benefits our shareholders, the Company, our associates, and our customers. Our Government Affairs Reports can be found under the “Company Values, Mission and Vision” page on regions.com/about-regions.
Information Security, Business Resilience, and Data Privacy
Information Security
As a company that deals with large volumes of sensitive customer information and financial transactions, we increasingly rely on the secure processing, transmission, and storage of information in our computer systems and networks. For that reason, we treat cybersecurity risk as a key operational risk within our enterprise-wide risk management framework. To manage information security risk, we have designed an expansive Information Security Program. One integral component of the program is our Information Security Policy, which aligns with standards promulgated by the National Institute of Standards and Technology (NIST). The Information Security Policy establishes technical, administrative, and physical control directives to protect our informational assets from reasonably foreseeable risks and threats. The program is supplemented by security operations that protect the integrity and availability of our information systems.
To effectuate the goals articulated in our policies and programs, we invest heavily in our technology, tools, people, and security processes. Information Security leverages technology innovation to enhance security while improving the customer experience. We perform comprehensive security analytics, assess and manage vulnerabilities, and maintain layered cyber defenses. We continuously develop and enhance controls, processes, and systems to protect our networks, computers, systems, and data from attacks or unauthorized access. We facilitate internal and external third-party assessments, network penetration testing, and regular vulnerability scans of both internal and external assets. We also conduct comprehensive due diligence and ongoing oversight of the Company’s third-party vendors. Internally, we regularly provide our associates with cybersecurity training, education, and awareness (e.g., phishing simulations).
From a response perspective, we maintain a Cyber Incident Response Plan, which is part of our broader business continuity planning and Crisis Management Program, to help us effectively respond to a possible data breach. We keep a computer forensics firm and an industry-leading consulting firm on retainer in case of a breach event. Other vendors provide us with denial-of-service mitigation and other resources necessary to support Regions in the event of an attack.
Lastly, we recognize the growing risk associated with highly sophisticated actors targeting corporations, and we have procured insurance policies that cover potential financial losses from cyber events.
Thanks to these efforts, our layered control environment has effectively responded to the increased number of cyber events we experienced during the COVID-19 pandemic and prevented potential material impact to the Company.
Business Resilience
Business resilience and contingency planning are integral components of our operations. Regions is committed to supporting our customers and associates by providing essential business and technology services, minimizing disruptions of service, ensuring timely resumptions of service, and limiting related losses in times of crisis.
Regions’ Business Resilience Program facilitates a process that aligns with regulatory requirements of the Federal Financial Institutions Examination Council, as well as leading industry standards from NIST and the International Organization for Standardization (ISO). The program is supported by our: (i) Business Resilience Policy, which provides for resilience planning and emergency management (i.e., planning to continue operations during a loss of associates, facilities, critical systems, and key third parties), and (ii) Pandemic Response Guide, which seeks to protect associates and customers during a pandemic, while maintaining normal operations whenever possible. Our Crisis Management Team ensures efficient triage (i.e., evaluation, communication, mitigation, and response) to significant events and incidents that could impact the Company or our customers. The crisis team is supported by the Crisis Management Guide.
The program, Business Resilience Policy and Pandemic Response Guide, and the work of the Crisis Management Team are all overseen by the Board’s Risk Committee.
Because of this preparation, we were able to implement an alternative work location strategy early in the COVID-19 pandemic that enabled a significant number of our associates to quickly transition to a remote work location. Planning also facilitated distributing on-site associates across physical locations to allow for proper social distancing. Through these changes we were able to maintain a stable and productive operating environment.
In addition to enterprise-wide efforts, all Regions business units are responsible for developing and maintaining their own business continuity plans protecting critical business functions in the face of business interruptions related to local events such as weather. The Business Resilience team within Information Security assists these business units in developing their business unit-specific continuity plans. The team also coordinates with application system owners to ensure that plans are developed for recovering Regions’ systems. Yearly testing is performed to ensure these systems can recover to Regions’ secondary data center.
Data Privacy
Data privacy is critical to operationalizing advanced technologies that collect increasing amounts of data and use our customers’ and associates’ personal information for conventional business purposes, such as processing transactions, as well as those enabled by innovative technologies. Failure to collect and process information effectively, and in compliance with increasingly complex privacy regulations, could threaten business survival.
Our Privacy Policy states our commitment to controlling and mitigating privacy risks, and all associates and third-party vendors must adhere to the policy. In addition, the Regions Privacy Pledge (or “privacy notice”) is provided to all customers upon establishing a new consumer relationship or account with Regions. It explains how we collect, use, and share information. The Privacy Pledge also provides customers with instructions on how they can limit certain types of information-sharing. We post the Privacy Pledge, along with other helpful privacy, security, and fraud prevention resources, on our website.
These privacy programs and policies are overseen by the Corporate Privacy Compliance Office. The Office’s main objectives include effective, annual associate training; adherence to legal and regulatory requirements in policies and standards; establishment of privacy risk tolerance and control environments in daily operations; formalized procedural and transactional reviews; and prompt escalation of privacy issues, trends, and incidents for attention and resolution.
Governance
Our internal governance processes incorporate organization-wide reporting and escalation of the Business Resilience Program, Information Security Program, data privacy, and related matters, to management and the Board. Our Board considers business and technical resilience, information security and technological innovation, and privacy considerations, along with related risk considerations and mitigation efforts, within the Company’s strategic plan. The Board also receives an annual update on the Company’s enterprise services, which include resilience, information technology, and information security. The Board’s Risk Committee directly oversees information technology and information security risks through regular reports from management, the risk management function, and external assessments. The Risk Committee also receives annual reports on the Information Security Program and approves the Information Security Policy. Further, the Risk Committee approves the Business Resilience Policy and Pandemic Response Guide every year.
The newly formed Technology Committee will provide additional oversight on the role of technology in executing the Company’s business strategy, including with respect to specific projects like our multi-year “Regions 2.0/R2” initiative. In addition, the Company has a strong team of associates reporting to senior management on day-to-day operational matters involving information security, as well as on the impact of initiatives in technology and digital transformation on information security.