Regions Financial Corporation: 10-K Risk Factor Changes

In the course of our business, we may foreclose on and take title to real estate. As a result, we could be subject to environmental liabilities with respect to these properties. We may be held liable to a governmental entity or to third parties for property damage, personal injury, investigation and clean-up costs incurred by these parties in connection with environmental contamination or may be required to investigate or clean up hazardous or toxic substances or chemical releases at a property. The costs associated with investigation or remediation activities could be substantial. In addition, if we are the owner or former owner of a contaminated site, we may be subject to common law claims by third parties based on damages and costs resulting from environmental contamination emanating from the property. If we become subject to significant environmental liabilities, our business, financial condition or results of operations could be adversely affected. 32 32 32 32 32 32 Table of Contents Table of Contents Table of Contents

In the course of our business, we may foreclose on and take title to real estate. As a result, we could be subject to environmental liabilities with respect to these properties. We may be held liable to a governmental entity or to third parties for property damage, personal injury, investigation and clean-up costs incurred by these parties in connection with environmental contamination or may be required to investigate or clean up hazardous or toxic substances or chemical releases at a property. The costs associated with investigation or remediation activities could be substantial. In addition, if we are the owner or former owner of a contaminated site, we may be subject to common law claims by third parties based on damages and costs resulting from environmental contamination emanating from the property. If we become subject to significant environmental liabilities, our business, financial condition or results of operations could be adversely affected.

Our accounting policies and assumptions are fundamental to our reported financial condition and results of operations. Our management must exercise judgment in selecting and applying many of these accounting policies and methods so they comply with GAAP and reflect management’s judgment of the most appropriate manner to report our financial condition and results. In some cases, management must select the accounting policy or method to apply from two or more alternatives, any of which may be reasonable under the circumstances, yet may result in us reporting materially different results than would have been reported under a different alternative. Certain accounting policies are critical to presenting our reported financial condition and results of operations. They require management to make difficult, subjective or complex judgments about matters that are uncertain. Materially different amounts could be reported under different conditions or using different assumptions or estimates. The Company’s critical accounting estimates include: the allowance for credit losses; fair value measurements; intangible assets; residential MSRs; and income taxes. Because of the uncertainty of estimates involved in these matters, we may be required to do one or more of the following: significantly increase the allowance for credit losses and/or sustain credit losses that are significantly higher than the allowance provided; recognize significant losses on assets carried at fair value; recognize significant impairment on our goodwill, other intangible assets or deferred tax asset balances; significantly increase our accrued income taxes; or significantly decrease the value of our residential MSRs. Any of these actions could adversely affect our reported financial condition and results of operations. 39 39 39 39 39 39 Table of Contents Table of Contents Table of Contents

Our accounting policies and assumptions are fundamental to our reported financial condition and results of operations. Our management must exercise judgment in selecting and applying many of these accounting policies and methods so they comply with GAAP and reflect management’s judgment of the most appropriate manner to report our financial condition and results. In some cases, management must select the accounting policy or method to apply from two or more alternatives, any of which may be reasonable under the circumstances, yet may result in us reporting materially different results than would have been reported under a different alternative. Certain accounting policies are critical to presenting our reported financial condition and results of operations. They require management to make difficult, subjective or complex judgments about matters that are uncertain. Materially different amounts could be reported under different conditions or using different assumptions or estimates. The Company’s critical accounting estimates include: the allowance for credit losses; fair value measurements; intangible assets; residential MSRs; and income taxes. Because of the uncertainty of estimates involved in these matters, we may be required to do one or more of the following: significantly increase the allowance for credit losses and/or sustain credit losses that are significantly higher than the allowance provided; recognize significant losses on assets carried at fair value; recognize significant impairment on our 38 38 38 38 38 38 Table of Contents Table of Contents Table of Contents goodwill, other intangible assets or deferred tax asset balances; significantly increase our accrued income taxes; or significantly decrease the value of our residential MSRs. Any of these actions could adversely affect our reported financial condition and results of operations.

During periods of market stress or illiquidity, our credit risk may be further increased when we fail to realize the fair value of the collateral we hold; collateral is liquidated at prices that are not sufficient to recover the full amount owed to us; or counterparties are unable to post collateral, whether for operational or other reasons. Furthermore, disputes with counterparties concerning the valuation of collateral may increase in times of significant market stress, volatility or illiquidity, and we could suffer losses during these periods if we are unable to realize the fair value of collateral or to manage declines in the value of collateral. 26 26 26 26 26 26 Table of Contents Table of Contents Table of Contents

During periods of market stress or illiquidity, our credit risk may be further increased when we fail to realize the fair value of the collateral we hold; collateral is liquidated at prices that are not sufficient to recover the full amount owed to us; or counterparties are unable to post collateral, whether for operational or other reasons. Furthermore, disputes with counterparties concerning the valuation of collateral may increase in times of significant market stress, volatility or illiquidity, and we could suffer losses during these periods if we are unable to realize the fair value of collateral or to manage declines in the value of collateral.

We are exposed to many types of operational risks, including business resilience, process, third party, information technology, human resource, model and fraud risks, each of which may be amplified by continued remote work. Our fraud risks include fraud committed by external parties against the Company or its customers and fraud committed internally by our associates. Certain fraud risks, including identity theft and account takeover, may increase as a result of customers’ account or personally identifiable information being obtained through breaches of retailers’ or other third parties’ networks. Examples of external fraud we face include fraudulent checks, stolen checks and other check-related fraud. We have established processes and procedures intended to identify, measure, monitor, mitigate, report and analyze these risks; however, there are inherent limitations to our risk management strategies as there may exist, or develop in the future, risks that we have not appropriately anticipated, monitored or identified. If our risk management framework proves ineffective, we could suffer unexpected losses, we may have to expend resources detecting and correcting the failure in our systems and we may be subject to potential claims from third parties and government agencies. We may also suffer severe reputational damage. Any of these consequences could adversely affect our business, financial condition or results of operations. In particular, the unauthorized disclosure, misappropriation, mishandling or misuse of personal, non-public, confidential or proprietary information of customers could result in significant regulatory consequences, reputational damage and financial loss.

We are exposed to many types of operational risks, including business resilience, process, third party, information technology, human resource, model, and fraud risks, each of which may be amplified by continued remote work. Our fraud risks include fraud committed by external parties against the Company or its customers and fraud committed internally by our associates. Certain fraud risks, including identity theft and account takeover may increase as a result of customers’ account or personally identifiable information being obtained through breaches of retailers’ or other third parties’ networks. We have established processes and procedures intended to identify, measure, monitor, mitigate, report and analyze these risks; however, there are inherent limitations to our risk management strategies as there may exist, or develop in the future, risks that we have not appropriately anticipated, monitored or identified. If our risk management framework proves ineffective, we could suffer unexpected losses, we may have to expend resources detecting and correcting the failure in our systems and we may be subject to potential claims from third parties and government agencies. We may also suffer severe reputational damage. Any of these consequences could adversely affect our business, financial condition or results of operations. In particular, the unauthorized disclosure, misappropriation, mishandling or misuse of personal, non-public, confidential or proprietary information of customers could result in significant regulatory consequences, reputational damage and financial loss.

We provide traditional commercial, retail and mortgage banking services, as well as other financial services including asset management, wealth management, securities brokerage, merger-and-acquisition advisory services and other specialty 23 23 23 23 23 23 Table of Contents Table of Contents Table of Contents financing. All of our businesses are materially affected by conditions in the financial markets and economic conditions generally or specifically in the South, Midwest and Texas, the principal markets in which we conduct business. A worsening of business and economic conditions generally or specifically in the principal markets in which we conduct business could have adverse effects on our business, including the following: •A decrease in the demand for, or the availability of, loans and other products and services offered by us, including as a result of changing interest rate conditions; •A decrease in the value of our loans held for sale or other assets secured by consumer or commercial real estate; •An impairment of certain intangible assets, such as goodwill; •A decrease in interest income from variable rate loans, due to declines in interest rates; •An increase in the number of clients and counterparties who become delinquent, file for protection under bankruptcy laws or default on their loans or other obligations to us, which could result in a higher level of nonperforming assets, net charge-offs, provisions for credit losses and valuation adjustments on loans held for sale; •A decrease in the supply of deposits or the need to price interest-bearing deposits higher due to competitive forces, which could result in substantial increase in cost to retain and service deposits; and •A change in the pricing or spread environment could adversely impact the yields received on newly originated loans or securities. In the event of severely adverse business and economic conditions generally or specifically in the principal markets in which we conduct business, there can be no assurance that the federal government and the Federal Reserve would intervene or make adjustments to fiscal or monetary policy that would cause business and economic conditions to improve. If business and economic conditions worsen or volatility increases, our business, financial condition and results of operations could be materially adversely affected. Volatility and uncertainty related to inflation and the effects of inflation, which has led to increased costs for businesses and consumers and potentially contribute to poor business and economic conditions generally and may enhance or contribute to some of the risks of our business. For example, higher inflation, or volatility and uncertainty related to inflation, could reduce demand for our products, adversely affect the creditworthiness of the Company’s borrowers or result in lower values for our investment securities and other fixed-rate assets. In response to sustained inflationary pressures, the Federal Reserve has tightened monetary policy, as described below. To the extent these policies do not mitigate the volatility and uncertainty related to inflation and the effects of inflation, or to the extent conditions otherwise worsen, we could experience adverse effects on our business, financial condition and results of operations.

We provide traditional commercial, retail and mortgage banking services, as well as other financial services including asset management, wealth management, securities brokerage, merger-and-acquisition advisory services and other specialty financing. All of our businesses are materially affected by conditions in the financial markets and economic conditions generally or specifically in the South, Midwest and Texas, the principal markets in which we conduct business. A worsening of business and economic conditions generally or specifically in the principal markets in which we conduct business could have adverse effects on our business, including the following: •A decrease in the demand for, or the availability of, loans and other products and services offered by us, including as a result of increases in interest rates; •A decrease in the value of our loans held for sale or other assets secured by consumer or commercial real estate; •An impairment of certain intangible assets, such as goodwill; •A decrease in interest income from variable rate loans, due to declines in interest rates; and •An increase in the number of clients and counterparties who become delinquent, file for protection under bankruptcy laws or default on their loans or other obligations to us, which could result in a higher level of nonperforming assets, net charge-offs, provisions for credit losses, and valuation adjustments on loans held for sale •A decrease in the supply of deposits or significant increase in competition for deposits, which could result in substantial increase in cost to retain and service deposits. In the event of severely adverse business and economic conditions generally or specifically in the principal markets in which we conduct business, there can be no assurance that the federal government and the Federal Reserve would intervene or make adjustments to fiscal or monetary policy that would cause business and economic conditions to improve. If business and economic conditions worsen or volatility increases, our business, financial condition and results of operations could be materially adversely affected. Volatility and uncertainty related to inflation and the effects of inflation, which has recently led to increased costs for businesses and consumers and potentially contribute to poor business and economic conditions generally, may enhance or 23 23 23 23 23 23 Table of Contents Table of Contents Table of Contents contribute to some of the risks of our business. For example, higher inflation, or volatility and uncertainty related to inflation, could reduce demand for our products, adversely affect the creditworthiness of the Company’s borrowers or result in lower values for our investment securities and other fixed-rate assets. In response to sustained inflationary pressures, the Federal Reserve increased the benchmark federal funds interest rate by 425 basis points to a range between 4.25 percent and 4.50 percent between their March 16, 2022 and December 14, 2022 meetings. Furthermore, on February 1, 2023, the Federal Reserve increased the benchmark federal funds interest rate by an additional 25 basis points to a range between 4.50 percent and 4.75 percent. The range of potential rate paths over the coming year is extremely wide and will ultimately be driven by the path for inflation, and its impact on the labor market and economic growth. The Federal Reserve also plans to continue to reduce the size of its balance sheet in 2023.To the extent these policies do not mitigate the volatility and uncertainty related to inflation and the effects of inflation, or to the extent conditions otherwise worsen, we could experience adverse effects on our business, financial condition, and results of operations.

As of December 31, 2023, approximately 9.0% of our loan portfolio consisted of investor real estate loans. The properties securing income-producing investor real estate loans are typically not fully leased at the origination of the loan. The borrower’s ability to repay the loan is instead dependent upon additional leasing through the life of the loan or the borrower’s successful operation of a business. Continued uncertainty in economic conditions may impair a borrower's business operations and slow the execution of new leases. Such economic conditions may also lead to existing lease turnover. As a result of these factors, vacancy rates for retail, office and industrial space may increase, and hotel occupancy rates may decline. High vacancy and lower occupancy rates could also result in rents falling. The combination of these factors could result in deterioration in the fundamentals underlying the commercial real estate market and the deterioration in value of some of our loans. Any such deterioration could adversely affect the ability of our borrowers to repay the amounts due under their loans. As a result, our business, results of operations or financial condition may also be adversely affected. Specifically, the office property segment, which represents 1.5 percent of our total loan portfolio, is undergoing a structural shift given the rise of a remote work environment resulting in heightened vacancies and potentially reduced leasing needs. It is anticipated that this heightened risk environment for the office segment may take several years to resolve.

As of December 31, 2022, approximately 8.6% of our loan portfolio consisted of investor real estate loans. The properties securing income-producing investor real estate loans are typically not fully leased at the origination of the loan. The borrower’s ability to repay the loan is instead dependent upon additional leasing through the life of the loan or the borrower’s successful operation of a business. Continued uncertainty in economic conditions may impair a borrower's business operations and slow the execution of new leases. Such economic conditions may also lead to existing lease turnover. As a result of these factors, vacancy rates for retail, office and industrial space may increase, and hotel occupancy rates may decline. High vacancy and lower occupancy rates could also result in rents falling. The combination of these factors could result in deterioration in the fundamentals underlying the commercial real estate market and the deterioration in value of some of our loans. Any such deterioration could adversely affect the ability of our borrowers to repay the amounts due under their loans. As a result, our business, results of operations or financial condition may be materially adversely affected.

Our profitability depends to a large extent on our net interest income, which is the difference between the interest income received on interest-earning assets (primarily loans, leases, investment securities and cash balances held at the Federal Reserve Bank) and the interest expense incurred in connection with interest-bearing liabilities (primarily deposits and borrowings). The level of net interest income is mostly a function of the average balance of interest-earning assets, the average balance of interest-bearing liabilities and the spread between the yield on such assets and the cost of such liabilities. These factors are influenced by both the pricing and mix of interest-earning assets and interest-bearing liabilities which, in turn, are impacted by external factors such as the local economy, competition for loans and deposits, the monetary policy of the FOMC and interest rates markets. The cost of our deposits and short-term wholesale borrowings is heavily impacted by market-based liquidity conditions and interest rates, factors which are influenced directly and indirectly by a mixture of effects including the FOMC’s monetary policy and economic conditions. Moreover, the market’s expectation of the future course of FOMC policy and economic factors interact to influence the path for market interest rates and the shape of the yield curve. Yields generated by our loans and securities and the costs of deposits and wholesale borrowings are driven by both short-term and longer-term interest rates to different degrees, thus impacting net interest income. If the yields on our interest-bearing liabilities increase at a faster pace than the yields on our interest-earning assets, our net interest income may decline. Our net interest income could be similarly affected if the yields on our interest-earning assets decline at a faster pace than the yields on our interest-bearing liabilities. Finally, interest rate volatility and levels directly impact the value of certain fixed-rate assets and liabilities, which may impact unrealized gains or unrealized losses in our portfolios. The monetary policy tightening cycle observed since 2022 has led to increased volatility in fixed income markets. The Federal Reserve increased the benchmark federal funds interest rate from near zero in early 2022 to a range between 5.25 percent and 5.50 percent with the last increase occurring at its July 26, 2023 meeting. The range of potential rate paths over the coming year is wide and will ultimately be driven by the path of inflation, labor market performance and economic growth. Estimates for net interest income exposure to interest rate changes have been reduced recently. While a persistently elevated, or 24 24 24 24 24 24 Table of Contents Table of Contents Table of Contents increasing, rate environment from current levels would continue to support net interest income, elevated rates also increase the cost of funding and competition for deposits. Additionally, elevated interest rates would increase debt service requirements for some of our borrowers and may adversely affect those borrowers’ ability to pay as contractually obligated, ultimately resulting in additional delinquencies or charge-offs. Conversely, should interest rates move lower, net interest income is well supported by a mostly neutral interest rate risk position aided by the Company’s interest rate hedging program. In this environment, deposit and funding costs will move lower; however, net interest income may be adversely impacted if those costs cannot move lower as fast as expected. Sustained higher interest rates and continued Federal Reserve asset reductions may adversely affect market stability, market liquidity and the Company’s financial performance and condition. We cannot predict the nature or timing of future changes in monetary policies or the precise effects such changes may have on our activities and financial results. For a more detailed discussion of these risks and our management strategies for these risks, see the “Executive Overview,” “Net Interest Income, Margin and Interest Rate Risk,” “Net Interest Income and Margin,” “Market Risk-Interest Rate Risk” and “Securities” sections of Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations” of this Annual Report on Form 10-K.

Our profitability depends to a large extent on our net interest income, which is the difference between the interest income received on interest-earning assets (primarily loans, leases, investment securities and cash balances held at the FRB) and the interest expense incurred in connection with interest-bearing liabilities (primarily deposits and borrowings). The level of net interest income is mostly a function of the average balance of interest-earning assets, the average balance of interest-bearing liabilities and the spread between the yield on such assets and the cost of such liabilities. These factors are influenced by both the pricing and mix of interest-earning assets and interest-bearing liabilities which, in turn, are impacted by external factors such as the local economy, competition for loans and deposits, the monetary policy of the FOMC and interest rates markets. The cost of our deposits and short-term wholesale borrowings is heavily impacted by market-based liquidity conditions and interest rates, factors which are influenced directly and indirectly by a mixture of effects including the FOMC’s monetary policy and economic conditions. Moreover, the market's expectation of the future course of FOMC policy and economic factors interact to influence short- and long-tenor rates in the yield curve, each of which have diverse impacts on Regions' portfolios. Yields generated by our loans and securities and the costs of deposits and wholesale borrowings are driven by both short-term and longer-term interest rates to different degrees, thus impacting net interest income. If the yields on our interest-bearing liabilities increase at a faster pace than the yields on our interest-earning assets, our net interest income may decline. Our net interest income could be similarly affected if the yields on our interest-earning assets decline at a faster pace than the yields on our interest-bearing liabilities. Finally, interest rate volatility and levels directly impact the value of certain fixed-rate assets and liabilities, which may impact unrealized gains or unrealized losses in our portfolios. The low benchmark federal funds interest rate observed over the last several years has ended leading to increased volatility in fixed income markets. The Federal Reserve increased the benchmark federal funds interest rate by 425 basis points to a range between 4.25 percent and 4.50 percent between their March 16, 2022 and December 14, 2022 meetings. Furthermore, on February 1, 2023, the Federal Reserve increased the benchmark federal funds interest rate by an additional 25 basis points to a range between 4.50 percent and 4.75, and has signaled it intends to hold interest rates at an elevated level over the course of 2023. The range of potential rate paths over the coming year is extremely wide and will ultimately be driven by the path for inflation, and its impact on the labor market and economic growth. While a persistently elevated, or increasing rate environment from current levels would continue to support net interest income, increasing rates would also increase debt service requirements for some of our borrowers and may adversely affect those borrowers’ ability to pay as contractually obligated, ultimately resulting in additional delinquencies or charge-offs. Conversely, should interest rates move lower, we would expect modest declines in net interest income over the next twelve months, aided somewhat by the protection in place from the Company’s interest rate hedging program. Sustained higher interest rates and continued Federal Reserve asset reductions may adversely affect market stability, market liquidity and the Company’s financial performance and condition. We cannot predict the nature or timing of future changes in monetary policies or the precise effects such changes may have on our activities and financial results. For a more detailed discussion of these risks and our management strategies for these risks, see the "Executive Overview", “Net Interest Income, Margin and Interest Rate Risk,” “Net Interest Income and Margin,” “Market Risk-Interest Rate Risk” and “Securities” sections of Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations” of this Annual Report on Form 10-K.

Failure or errors in or breach of our systems or networks, or those of our third-party service providers (or providers to such third-party service providers), including as a result of cybersecurity or other similar incidents, could disrupt our businesses or impact our customers. Examples of incidents include, among other things, denial of service attacks, ransomware, malware, worms, software bugs, hacking, social engineering, phishing attacks, credential stuffing, account takeovers, insider threats, theft, malfeasance or improper access by employees or service providers, human error, fraud or other similar disruptions. These incidents could result in the loss, unauthorized disclosure, misuse or misappropriation of confidential, personal, proprietary or other information, damage to our reputation, increases to our costs and cause customer and financial losses. As a large financial institution, we depend on our ability to process, record and monitor a large number of customer transactions on a continuous basis and otherwise collect, transmit, store and process a significant amount of personal information in connection therewith. As public, regulatory and customers' expectations have increased regarding operational resilience and cybersecurity, our systems, networks and infrastructure must continue to be safeguarded and monitored for potential failures and disruptions, as well as cybersecurity or other similar incidents. Our systems and facilities may stop operating properly or become disabled or damaged as a result of a number of factors, including events that are wholly or partially beyond our control. For example, there could be electrical or telecommunications outages; pandemics; events arising from local or larger scale political or social matters, including terrorist acts and civil unrest; and, as described below, cyber-attacks or other similar incidents. Although we have business continuity plans and other safeguards in place, our business operations may be adversely affected by significant and widespread disruption to our physical infrastructure or operating systems or networks, or those of our third-party service providers, that support our businesses and customers. Cybersecurity risks for large financial institutions, such as us, have increased significantly in recent years in part because of the proliferation of technology-based products and services and the increased sophistication and activities of organized 27 27 27 27 27 27 Table of Contents Table of Contents Table of Contents crime, hackers, terrorists, nation-states, nation state-supported actors, activists and other external parties. This increase is expected to continue and further intensify. The techniques used by cyber criminals change frequently, may not be recognized until launched (or may evade detection for considerable time), can be initiated from a variety of sources, including terrorist organizations and hostile foreign governments, and may see their frequency increased, and effectiveness enhanced, by the use of artificial intelligence. These criminals may attempt to fraudulently induce employees, customers or other users of our systems and networks to disclose sensitive information (including confidential, personal, proprietary and other information) in order to gain access to data or our systems and networks. Third parties with whom we or our customers do business also present operational and cybersecurity risks to us, including cybersecurity or other similar incidents or failures or disruptions of their own systems and networks. While we have successfully defended similar attacks, we could become the subject of a successful similar style attack through a supply chain compromise. As noted above, our operations rely on the secure collection, transmission, storage and other processing of confidential, personal, proprietary and other information in our operating systems and networks. In addition, to access our products and services, our customers may use personal computers, smartphones, tablets and other mobile devices that are beyond our control environment. Additionally, cybersecurity and other similar incidents or terrorist activities could disrupt our or our customers’ or other third parties’ business operations. Although these past events have not resulted in a breach of our client data or account information, such attacks have adversely affected the performance of Regions Bank’s website, www.regions.com, and, in some instances, prevented customers from accessing Regions Bank’s secure websites for consumer and commercial applications. In all cases, the attacks primarily resulted in inconvenience; however, future cyber-attacks or other similar incidents could be more disruptive and damaging, and we may not be able to anticipate or prevent all such attacks. The United States government has raised concerns about a potential increase in cyber-attacks and other similar incidents generally as a result of the military conflict between Russia and Ukraine and the related sanctions imposed by the United States and other countries or the ongoing Israel-Hamas conflict. Although we believe that we have appropriate information security procedures and controls designed to prevent or limit the effects of a cybersecurity or other similar incident, our technologies, systems, networks and our customers’ devices may be the target of cybersecurity or other similar incidents that could result in the unauthorized release, accessing, gathering, monitoring, loss, destruction, modification, acquisition, transfer, use or other processing of us or our customers’ confidential, personal, proprietary and other information. We also have insurance coverage, that is reviewed annually, that may, subject to policy terms and conditions, cover certain losses associated with cybersecurity and other similar incidents, but our insurer may deny coverage as to any future claim or our insurance coverage may be insufficient to cover all losses from any such attack, breach or incident, including any related damage to our reputation. In addition, given the proliferation of cyber-events in our industry, the cost of cyber insurance is expected to continue to increase and may not be available at all or on acceptable terms. As cyber threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our layers of defense or to investigate and remediate any information security vulnerabilities. We may also be required to incur significant costs in connection with any regulatory investigation or civil litigation, fines, damages or injunctions resulting from a cybersecurity or other similar incident that impacts us. In addition, our third-party service providers may be unable to identify vulnerabilities in their systems and networks or, once identified, be unable to promptly provide required patches or other remedial measures. Further, even if provided, such patches or remedial measures may not fully address any vulnerability or may be difficult for us to implement. While we perform cybersecurity diligence on our key service providers, because we do not control our service providers and our ability to monitor their cybersecurity is limited, we cannot ensure the cybersecurity measures they take will be sufficient to protect any information we share them. Due to applicable laws and regulations or contractual obligations, we may be held responsible for cybersecurity or other similar incidents attributed to our service providers as they relate to the information we share with them. Disruptions or failures in the physical infrastructure or operating systems or networks that support our businesses and customers, or cybersecurity or other similar incidents of the networks, systems or devices that our customers use to access our products and services, could result in customer attrition, violation of applicable privacy and cybersecurity laws and regulations, notifications obligations, regulatory fines, civil litigation, damages, injunctions, penalties or intervention, reputational damage, reimbursement or other compensation costs, remediation costs, additional cybersecurity protection costs, increased insurance premiums and/or additional compliance costs, any of which could materially adversely affect our business, results of operations or financial condition. We could also be adversely affected if we lose access to information or services from a third-party service provider as a result of a cybersecurity or similar incident or system, network or operational failure or disruption affecting the third-party service provider. For a more detailed discussion of these risks and specific occurrences, see the “Information Security Risk” section of Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations” of this Annual Report on Form 10-K.

Failure or errors in or breach of our systems or networks, or those of our third-party service providers (or providers to such third-party service providers), including as a result of cyber-attacks, information security breaches or other similar incidents, could disrupt our businesses or impact our customers. This could result in the loss, unauthorized disclosure, misuse, or misappropriation of confidential, personal, proprietary, or other information, damage to our reputation, increases to our costs and cause customer and financial losses. As a large financial institution, we depend on our ability to process, record and monitor a large number of customer transactions on a continuous basis and otherwise collect, transmit, store and otherwise process a significant amount of personal information in connection therewith. As public and regulatory expectations, as well as 26 26 26 26 26 26 Table of Contents Table of Contents Table of Contents our customers’ expectations, have increased regarding operational resilience and information security, our systems, networks and infrastructure must continue to be safeguarded and monitored for potential failures, disruptions and breakdowns as well as cyber-attacks, information security breaches or similar incidents. Our business, financial, accounting and data processing systems or other operating systems and facilities may stop operating properly or become disabled or damaged as a result of a number of factors, including events that are wholly or partially beyond our control. For example, there could be electrical or telecommunications outages; natural disasters such as earthquakes, tornadoes and hurricanes; pandemics; events arising from local or larger scale political or social matters, including terrorist acts and civil unrest; and, as described below, cyber-attacks, information security breaches or other similar incidents. Although we have business continuity plans and other safeguards in place, our business operations may be adversely affected by significant and widespread disruption to our physical infrastructure or operating systems or networks, or those of our third-party service providers, that support our businesses and customers. Information security risks for large financial institutions, such as us, have increased significantly in recent years in part because of the proliferation of technology-based products and services and the increased sophistication and activities of organized crime, hackers, terrorists, nation-states, nation state-supported actors, activists and other external parties. This increase is expected to continue and further intensify. The techniques used by cyber criminals change frequently, may not be recognized until launched (or may evade detection for considerable time) and can be initiated from a variety of sources, including terrorist organizations and hostile foreign governments. These criminals may attempt to fraudulently induce employees, customers or other users of our systems and networks to disclose sensitive information (including confidential, personal, proprietary and other information) in order to gain access to data or our systems and networks. Third parties with whom we or our customers do business also present operational and information security risks to us, including cyber-attacks, information security breaches or other similar incidents or failures or disruptions of their own systems and networks. In recent years, attacks in which hackers inserted malware into software updates, have highlighted the growing risk from the infection of software while it is under assembly, known as a supply chain attack. While we have successfully defended similar attacks, we could become the subject of a successful similar style attack through a supply chain compromise. As noted above, our operations rely on the secure collection, transmission, storage and other processing of confidential, personal, proprietary, and other information in our operating systems and networks. In addition, to access our products and services, our customers may use personal computers, smartphones, tablets, and other mobile devices that are beyond our control environment. Additionally, cyber-attacks, information security breaches and other similar incidents (such as, among other things, denial of service attacks, ransomware, malware, worms, software bugs, social engineering, phishing attacks, credential stuffing, account takeovers, insider threats, theft, malfeasance or improper access by employees or service providers, human error, fraud, or other similar disruptions), or hacking or terrorist activities, could disrupt our or our customers’ or other third parties’ business operations. For example, denial of service attacks have been launched against a number of large financial services institutions, including us. Although these past events have not resulted in a breach of our client data or account information, such attacks have adversely affected the performance of Regions Bank’s website, www.regions.com, and, in some instances, prevented customers from accessing Regions Bank’s secure websites for consumer and commercial applications. In all cases, the attacks primarily resulted in inconvenience; however, future cyber-attacks could be more disruptive and damaging, and we may not be able to anticipate or prevent all such attacks. Recently, the United States government has raised concerns about a potential increase in cyber-attacks generally as a result of the military conflict between Russia and Ukraine and the related sanctions imposed by the United States and other countries. Although we believe that we have appropriate information security procedures and controls designed to prevent or limit the effects of a cyber-attack, information security breach or other similar incident, our technologies, systems, networks and our customers’ devices may be the target of cyber-attacks information security breaches or other similar incidents that could result in the unauthorized release, accessing, gathering, monitoring, loss, destruction, modification, acquisition, transfer, use or other processing of us or our customers’ confidential, personal, proprietary and other information. We also have insurance coverage, that is reviewed annually, that may, subject to policy terms and conditions, cover certain losses associated with cyber-attacks, information security breaches, and other similar incidents, but our insurer may deny coverage as to any future claim or our insurance coverage may be insufficient to cover all losses from any such attack, breach, or incident, including any related damage to our reputation. In addition, given the proliferation of cyber-events in our industry, the cost of cyber insurance is expected to continue to increase and may not be available at all or on acceptable terms. As cyber threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our layers of defense or to investigate and remediate any information security vulnerabilities. We may also be required to incur significant costs in connection with any regulatory investigation or civil litigation, fines, damages or injunctions resulting from a cyber-attack, information security breach, or other similar incident that impacts us. In addition, our third-party service providers may be unable to identify vulnerabilities in their systems and networks or, once identified, be unable to promptly provide required patches or other remedial measures. Further, even if provided, such patches or remedial measures may not fully address any vulnerability or may be difficult for us to implement. While we perform cybersecurity diligence on our key service providers, because we do not control our service providers and our ability to monitor their cybersecurity is limited, we cannot ensure the cybersecurity measures they take will be sufficient to protect any information we share them. Due to applicable laws and regulations or contractual obligations, we may be held responsible for cyber-attacks, 27 27 27 27 27 27 Table of Contents Table of Contents Table of Contents information security breaches or other similar incidents attributed to our service providers as they relate to the information we share with them. Disruptions or failures in the physical infrastructure or operating systems or networks that support our businesses and customers, or cyber-attacks, information security breaches, or other similar incidents of the networks, systems or devices that our customers use to access our products and services, could result in customer attrition, violation of applicable privacy and cybersecurity laws and regulations, notifications obligations, regulatory fines, civil litigation, damages, injunctions, penalties or intervention, reputational damage, reimbursement or other compensation costs, remediation costs, additional cybersecurity protection costs, increased insurance premiums and/or additional compliance costs, any of which could materially adversely affect our business, results of operations or financial condition. We could also be adversely affected if we lose access to information or services from a third-party service provider as a result of a cyber attack, information security breach, or similar incident, or system, network or operational failure or disruption affecting the third-party service provider. For a more detailed discussion of these risks and specific occurrences, see the “Information Security Risk” section of Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations” of this Annual Report on Form 10-K.

•Our business and financial performance could be adversely affected by a U.S. government debt default or the threat of such a default. •Weather-related events, pandemics and other natural or man-made disasters could cause a disruption in our operations or lead to other consequences that could adversely impact our financial results and condition. These impacts could be intensified by climate change. Heightening focus on climate change may also carry transition risks that could negatively impact our results of operations and financial condition.

•Our business and financial performance could be adversely affected by a U.S. government debt default or the threat of such a default. •Our business, financial condition, liquidity, capital and results of operations have been, and will likely continue to be, adversely affected by the COVID-19 pandemic and may, in the future also be affected by other pandemics. •Weather-related events and other natural or man-made disasters could cause a disruption in our operations or lead to other consequences that could adversely impact our financial results and condition. These impacts could be intensified by climate change. Heightening focus on climate change may also carry transition risks that could negatively impact our results of operations and financial condition.

We are subject to extensive state and federal regulation, supervision and examination governing almost all aspects of our operations, which limits the businesses in which we may permissibly engage. The laws and regulations governing our business are intended primarily for the protection of our depositors, our customers, the financial system and the FDIC insurance fund, not our shareholders or other creditors. These laws and regulations govern a variety of matters, including certain debt obligations, changes in control, maintenance of adequate capital, consumer protection and general business operations and financial condition (including permissible types, amounts and terms of loans and investments, the amount of reserves against deposits, restrictions on dividends and repurchases of our capital securities, establishment of branch offices and the maximum interest rate that may be charged by law). Further, we must obtain approval from our regulators before engaging in many activities, and our regulators have the ability to compel us to, or restrict us from, taking certain actions entirely. There can be no assurance that any regulatory approvals we may require or otherwise seek will be obtained in a timely manner or at all. Regulations affecting banks and other financial institutions are undergoing continuous review and frequently change, and the ultimate effect of such changes cannot be predicted. Regulations and laws may be modified or repealed at any time, and new legislation may be enacted that will affect us, including those resulting from any changes to control of branches of the U.S government or leadership of administrative agencies resulting from upcoming elections. Any changes in any federal and state law, as well as regulations and governmental policies, income tax laws and accounting principles, could affect us in substantial and unpredictable ways, including ways that may adversely affect our business, financial condition or results of operations. Failure to appropriately comply with any such laws, regulations or principles could result in sanctions by regulatory agencies, civil money penalties or damage to our reputation, all of which could adversely affect our business, financial condition or results of operations. Our regulatory capital position is discussed in greater detail in Note 12 "Regulatory Capital Requirements and Restrictions" to the consolidated financial statements of this Annual Report on Form 10-K. 34 34 34 34 34 34 Table of Contents Table of Contents Table of Contents

We are subject to extensive state and federal regulation, supervision and examination governing almost all aspects of our operations, which limits the businesses in which we may permissibly engage. The laws and regulations governing our business are intended primarily for the protection of our depositors, our customers, the financial system and the FDIC insurance fund, not our shareholders or other creditors. These laws and regulations govern a variety of matters, including certain debt obligations, changes in control, maintenance of adequate capital, and general business operations and financial condition (including permissible types, amounts and terms of loans and investments, the amount of reserves against deposits, restrictions on dividends and repurchases of our capital securities, establishment of branch offices, and the maximum interest rate that may be charged by law). Further, we must obtain approval from our regulators before engaging in many activities, and our regulators have the ability to compel us to, or restrict us from, taking certain actions entirely. There can be no assurance that any regulatory approvals we may require or otherwise seek will be obtained in a timely manner or at all. Regulations affecting banks and other financial institutions are undergoing continuous review and frequently change, and the ultimate effect of such changes cannot be predicted. Regulations and laws may be modified or repealed at any time, and new legislation may be enacted that will affect us, including any changes resulting from the recent change in U.S. presidential administration and change in control of the U.S. Senate. Any changes in any federal and state law, as well as regulations and governmental policies, income tax laws and accounting principles, could affect us in substantial and unpredictable ways, including ways that may adversely affect our business, financial condition or results of operations. Failure to appropriately comply with any such laws, regulations or principles could result in sanctions by regulatory agencies, civil money penalties or damage to our reputation, all of which could adversely affect our business, financial condition or results of operations. Our regulatory capital position is discussed in 33 33 33 33 33 33 Table of Contents Table of Contents Table of Contents greater detail in Note 12 "Regulatory Capital Requirements and Restrictions" to the consolidated financial statements of this Annual Report on Form 10-K.

We are subject to a variety of risks, including reputational risk, associated with environmental, social and governance, or ESG, issues. As a large financial institution with a diverse base of customers, vendors and suppliers, we may face negative publicity based on the identity, practices and perceptions of certain entities with whom we choose to do business. The public holds diverse and potentially conflicting views of those entities, and their activities, including the perceived environmental, social or economic impacts of those entities or of financial institutions’ relationships with those entities. Because we have multiple stakeholders, among them shareholders, customers, employees, federal and state regulatory authorities and political entities, often those stakeholders have differing, and sometimes conflicting, priorities and expectations regarding ESG issues. For example, certain federal and state laws and regulations related to ESG issues may include provisions that conflict with other laws and regulations, which may increase our costs or limit our ability to conduct business in certain jurisdictions. Simultaneous, disparate and divergent sentiments on ESG-related matters from multiple stakeholder groups must be considered. For example, there is an increasing number of state-level anti-ESG initiatives in the U.S. that may conflict with other regulatory requirements or our various stakeholders' expectations. Such divergent, sometimes conflicting views on ESG-related matters increase the risk that any action or lack thereof by us on such matters will be perceived negatively by some stakeholders. Failing to comply with expectations and standards from investors, customers, regulators, policymakers and other stakeholders regarding ESG-related issues, or taking action in conflict with one or another of those stakeholders’ expectations, could also lead to loss of business, adverse publicity, an adverse impact on our reputation, customer complaints or public protests. Negative publicity may be driven by adverse news coverage in traditional media and may also be spread more broadly through the use of social media platforms. If our relationships with our customers, vendors and suppliers were to become the subject of such negative publicity, our ability to attract and retain customers and employees, compete effectively and grow our business may be negatively impacted. Additionally, a growing number of investors (in particular institutional investors who hold and manage substantial equity positions, in some cases in nearly all major U.S. listed companies) are integrating ESG factors into their analysis of the expected risk and return of potential investments. The specific ESG factors considered, as well as the approach to incorporating the factors into a broader investment process, vary by investor and can shift over time. Our failure to align with, or remain aligned with, investors’ ESG-related priorities may negatively impact the trading price of our common stock.

We are subject to a variety of risks, including reputational risk, associated with environmental, social and governance, or ESG, issues. As a large financial institution with a diverse base of customers, vendors and suppliers, we may face negative publicity based on the identity, practices, and perceptions of certain entities with whom financial institutions choose to do business. The public holds diverse and potentially conflicting views of certain entities with whom we choose to do business and their activities, including the perceived environmental, social or economic impacts of those entities or of financial institutions relationships with those entities. Because we have multiple stakeholders, among them shareholders, customers, employees, federal and state regulatory authorities, and political entities, often those stakeholders have differing priorities and expectations regarding ESG issues. Simultaneous, disparate sentiments from multiple stakeholder groups must be considered. Taking action in conflict with one or another of those stakeholder's expectations could lead to loss of business, adverse publicity, customer complaints, or public protests. Negative publicity may be driven by adverse news coverage in traditional media and may also be spread more broadly through the use of social media platforms. If our relationships with our customers, vendors and suppliers were to become the subject of such negative publicity, our ability to attract and retain customers and employees, compete effectively, and grow our business may be negatively impacted. Additionally, a growing number of investors (in particular significant U.S. institutional investors who hold and manage substantial equity positions, in some cases in nearly all major U.S. listed companies) are integrating ESG factors into their analysis of the expected risk and return of potential investments. The specific ESG factors considered, as well as the approach to incorporating the factors into a broader investment process, vary by investor and can shift over time. Our failure to align with, or remain aligned with, investors' ESG-related priorities may negatively impact the trading price of our common stock.

Our ability to attract and retain customers and highly-skilled management and employees is impacted by our reputation. A negative public opinion of us and our business can result from any number of activities, including our lending practices, corporate governance and regulatory compliance, acquisitions and actions taken by community organizations in response to these activities. Furthermore, negative publicity regarding us as an employer could have an adverse impact on our reputation, especially with respect to matters of diversity, pay equity and workplace harassment. 33 33 33 33 33 33 Table of Contents Table of Contents Table of Contents Significant harm to our reputation, or the reputation of any company, could also arise as a result of regulatory or governmental actions, litigation and the activities of our customers, other participants in the financial services industry or our contractual counterparties, such as our service providers and vendors. In addition, a cybersecurity event affecting us or our customers’ data could have a negative impact on our reputation and customer confidence in us and our cybersecurity practices. Damage to our reputation could also adversely affect our credit ratings and access to the capital markets. Additionally, the widespread use of social media platforms by virtually every segment of society facilitates the rapid dissemination of information or misinformation, which magnifies the potential harm to our reputation.

Our ability to attract and retain customers and highly-skilled management and employees is impacted by our reputation. A negative public opinion of us and our business can result from any number of activities, including our lending practices, corporate governance and regulatory compliance, acquisitions, and actions taken by community organizations in response to 32 32 32 32 32 32 Table of Contents Table of Contents Table of Contents these activities. Furthermore, negative publicity regarding us as an employer could have an adverse impact on our reputation, especially with respect to matters of diversity, pay equity and workplace harassment. Significant harm to our reputation, or the reputation of any company, could also arise as a result of regulatory or governmental actions, litigation and the activities of our customers, other participants in the financial services industry or our contractual counterparties, such as our service providers and vendors. In addition, a cybersecurity event affecting us or our customers’ data could have a negative impact on our reputation and customer confidence in us and our cybersecurity practices. Damage to our reputation could also adversely affect our credit ratings and access to the capital markets. Additionally, the widespread use of social media platforms by virtually every segment of society facilitates the rapid dissemination of information or misinformation, which magnifies the potential harm to our reputation.

From time to time, the FASB and SEC change the financial accounting and reporting standards that govern the preparation of our financial statements. These changes can be difficult to predict and can materially impact how we record and report our financial condition and results of operations.

From time to time, the FASB and SEC change the financial accounting and reporting standards that govern the preparation of our financial statements. These changes can be difficult to predict and can materially impact how we record and report our financial condition and results of operations. For example, FASB’s CECL accounting standard became effective on January 1, 2020 and substantially changed the accounting for credit losses on loans and other financial assets held by banks, financial institutions and other organizations. The standard had a material impact to our allowance and capital at adoption. See Regions' impact at adoption in Note 1 "Summary of Significant Accounting Policies" to the consolidated financial statements of our Annual Report on Form 10-K for the year ended December 31, 2020.

•Ineffective liquidity management could adversely affect our financial results and condition. •We rely on the mortgage secondary market to manage various risks.

Aggressive actions by hostile governments or groups, including armed conflict or intensified cyber-attacks, could expand in unpredictable ways by drawing in other countries or escalating into full-scale war with potentially catastrophic consequences, particularly if one or more of the combatants possess nuclear weapons. Depending on the scope of the conflict, the hostilities could result in worldwide economic disruption, heightened volatility in financial markets, severe declines in asset values, disruption of global trade and supply chains and diminished consumer, business and investor confidence. Instability in geopolitical matters could have a material adverse effect on our results of operations and financial condition. The macroeconomic environment in the United States is susceptible to global events and volatility in financial markets. For example, trade negotiations between the United States and other nations remain uncertain and could adversely impact economic and market conditions for our and our clients and counterparties. The wars in the Ukraine, Israel and the Gaza Strip presents destabilizing forces, including higher and more volatile commodity and food prices, which may cause international and domestic economic deterioration. Financial markets may be adversely affected by the current or anticipated impact of military conflict, including the wars in the Ukraine, Israel and the Gaza Strip, terrorism or other geopolitical events. This could magnify 31 31 31 31 31 31 Table of Contents Table of Contents Table of Contents inflationary pressure resulting from the pandemic and other sources and extend any prolonged period of higher inflation. Any of the above consequences could have significant negative effects on the U.S. economy, and, as a result, our operations and earnings. We could also experience more numerous and aggressive cyber-attacks launched by or under the sponsorship of one or more of the adversaries in such a conflict.

Aggressive actions by hostile governments or groups, including armed conflict or intensified cyber attacks, could expand in unpredictable ways by drawing in other countries or escalating into full-scale war with potentially catastrophic consequences, particularly if one or more of the combatants possess nuclear weapons. Depending on the scope of the conflict, the hostilities could result in worldwide economic disruption, heightened volatility in financial markets, severe declines in asset values, disruption of global trade and supply chains, and diminished consumer, business and investor confidence. Any of the above consequences could have significant negative effects on the U.S. economy, and, as a result, our operations and earnings. We could also experience more numerous and aggressive cyber attacks launched by or under the sponsorship of one or more of the adversaries in such a conflict.

•We are subject to a variety of operational risks, including the risk of fraud or theft by internal or external parties, which may adversely affect our business and results of operations. •We rely on other companies to provide key components of our business infrastructure. •We depend on the accuracy and completeness of information about clients and counterparties. 22 22 22 22 22 22 Table of Contents Table of Contents Table of Contents •We are exposed to risk of environmental liability when we take title to property. •We can be negatively affected if we fail to identify and address operational risks associated with the introduction of or changes to products, services and delivery platforms. •Enhanced regulatory and other standards for the oversight of vendors and other service providers can result in higher costs and other potential exposures.

•We are subject to a variety of operational risks, including the risk of fraud or theft by employees, which may adversely affect our business and results of operations. •We rely on other companies to provide key components of our business infrastructure. •We depend on the accuracy and completeness of information about clients and counterparties. •We are exposed to risk of environmental liability when we take title to property. •We can be negatively affected if we fail to identify and address operational risks associated with the introduction of or changes to products, services and delivery platforms. •Enhanced regulatory and other standards for the oversight of vendors and other service providers can result in higher costs and other potential exposures.

Regions and Regions Bank are each subject to capital adequacy and liquidity guidelines and other regulatory requirements specifying minimum amounts and types of capital that must be maintained. From time to time, the regulators implement changes to these regulatory capital adequacy and liquidity guidelines. If we fail to meet these minimum capital adequacy and liquidity guidelines and other regulatory requirements, we or our subsidiaries may be restricted in the types of activities we may conduct and may be prohibited from taking certain capital actions, such as paying dividends and repurchasing or redeeming capital securities. Regions and Regions Bank are each required to comply with applicable capital adequacy standards established by the Federal Reserve, which are based on the Basel III framework. Proposed changes to applicable capital and liquidity requirements, such as the Basel III proposal and the long-term debt proposal, could result in increased expenses or cost of funding, which could negatively affect our financial results or our ability to pay dividends and engage in share repurchases. For more information concerning our legal and regulatory obligations with respect to Basel III and long-term debt requirements, please see the “Supervision and Regulation-Regulatory Capital Requirements” discussion within Item 1. “Business,” and for more information concerning our compliance with capital and liquidity requirements, see Note 12 “Regulatory Capital Requirements and Restrictions” to the consolidated financial statements of this Annual Report on Form 10-K.

Regions and Regions Bank are each subject to capital adequacy and liquidity guidelines and other regulatory requirements specifying minimum amounts and types of capital that must be maintained. From time to time, the regulators implement changes to these regulatory capital adequacy and liquidity guidelines. If we fail to meet these minimum capital adequacy and liquidity guidelines and other regulatory requirements, we or our subsidiaries may be restricted in the types of activities we may conduct and may be prohibited from taking certain capital actions, such as paying dividends and repurchasing or redeeming capital securities. Regions and Regions Bank are each required to comply with applicable capital adequacy standards established by the Federal Reserve, which are based on the Basel III framework. The Basel Committee has published standards that it describes as the finalization of the Basel III post-crisis regulatory reforms. Among other things, these standards revise the standardized approach for credit risk and provide a new standardized approach for operational risk capital. The Basel framework contemplates that national regulators would have implemented these standards by January 1, 2023, with an aggregate output floor phasing in through January 1, 2028; however, the U.S. federal bank regulatory authorities have not yet proposed rules implementing the Basel III revisions for purposes of their risk-based capital ratios. Under the current capital rules, these standards only apply to advanced approached institutions and not to Regions or Regions Bank and any impact of these standards on us will depend on the manner in which the revisions are implemented in the U.S. with respect to firms such as Regions and Regions Bank. For more information concerning our compliance with capital and liquidity requirements, see Note 12 "Regulatory Capital Requirements and Restrictions" to the consolidated financial statements of this Annual Report on Form 10-K..

Certain securities within the investment portfolio, certain hedging transactions and certain of the products that we offer, such as floating-rate loans and mortgages, determine their applicable interest rate or payment amount by reference to a benchmark rate, an index, or other financial metric. LIBOR and certain other benchmark rates have been or currently are the subject of recent national, international, and other regulatory guidance and proposals for reform. All LIBOR settings ceased to be published as of June 30, 2023. Regions has adopted new products linked to alternative reference rates, such as adjustable-rate mortgages, consistent with guidance provided by U.S. regulators, ARRC and GSEs. Additionally, Regions transitioned LIBOR-based products to alternative rates that are consistent with industry standard conventions. In the fourth quarter of 2023, Bloomberg Index Services Limited announced the permanent cessation of the BSBY index and all tenors effective November 15, 2024. Regions is in the process of evaluating exposure to BSBY and planning for cessation. For a more detailed discussion of our management strategies related to the LIBOR cessation and transition, see the “LIBOR Transition and Reference Rate Reform” section of Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations” of this Annual Report on Form 10-K.

Certain securities within the investment portfolio, certain hedging transactions and certain of the products that we offer, such as floating-rate loans and mortgages, determine their applicable interest rate or payment amount by reference to a benchmark rate, such as LIBOR, an index, or other financial metric. LIBOR and certain other benchmark rates are the subject of recent national, international, and other regulatory guidance and proposals for reform. The publication of one week and two-month LIBOR settings ceased to be published as of December 31, 2021. The publication of all other LIBOR settings, which are the most commonly used U.S. dollar LIBOR settings, will cease to be published or cease to be representative after June 30, 24 24 24 24 24 24 Table of Contents Table of Contents Table of Contents 2023. Financial market participants have transitioned away from LIBOR and other similar inter-bank offering rates. Regions has adopted new products linked to alternative reference rates, such as adjustable-rate mortgages, consistent with guidance provided by U.S. regulators, ARRC and GSEs. Certain of our LIBOR-based financial products and contracts, including, but not limited to, hedging products, preferred stock, investments, and loans, extend beyond proposed LIBOR cessation timelines. We are in the process of transitioning the aforementioned LIBOR-based products to alternative rates that are consistent with the IOSCO's Principles for Financial Benchmarks. For a more detailed discussion of our management strategies related to the LIBOR cessation and transition, see the “LIBOR Transition” section of Item 7. “Management’s Discussion and Analysis of Financial Condition and Results of Operations” of this Annual Report on Form 10-K.

Adverse developments affecting the overall strength and soundness of other financial institutions, the financial services industry as a whole and the general economic climate and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse developments with respect to third parties with whom we have important relationships could also negatively impact perceptions about us. These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face. Regions may be impacted by actual or perceived soundness of other financial institutions, including as a result of the financial or operational failure of a major financial institution, or concerns about the creditworthiness of such a financial institution or its ability to fulfill its obligations, which can cause substantial and cascading disruption within the financial markets and increased expenses, including FDIC insurance premiums, and could affect our ability to attract and retain depositors and to borrow or raise capital. For example, during 2023 the FDIC took control and was appointed receiver of Silicon Valley Bank, Signature Bank and First Republic Bank. The failure of other banks and financial institutions and the measures taken by governments, businesses and other organizations in response to these events could adversely impact Regions’ business, financial condition and results of operations. Regions’ ability to engage in routine funding transactions could be adversely affected by the actions and commercial soundness of other financial institutions. Financial services institutions are interrelated as a result of trading, clearing, counterparty and other relationships. Regions has exposure to many different industries and counterparties and routinely executes transactions with counterparties in the financial industry, including brokers and dealers, central counterparties, commercial banks, investment banks, mutual and hedge funds and other institutional investors and clients. As a result, defaults by, or even rumors or questions about, one or more financial services institutions or the financial services industry generally, in the past have led to market-wide liquidity problems and could lead to losses or defaults by Regions or by other institutions. Many of these transactions expose Regions to credit risk in the event of default of Regions’ counterparty or client. In addition, Regions’ credit risk may be exacerbated when the collateral held by Regions cannot be liquidated or is liquidated at prices not sufficient to recover the full amount of Regions’ exposure. Any such losses could materially and adversely affect Regions’ results of operations and financial condition.

Financial services companies are interrelated as a result of trading, clearing, counterparty or other relationships. We have exposure to many different industries and counterparties, and we routinely execute transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, mutual and hedge funds, and other institutional clients. As a result, defaults by, or even mere speculation about, one or more financial services companies, or the financial services industry generally, may lead to market-wide liquidity problems and could lead to losses or defaults by us or by other institutions. Many of these transactions expose us to credit risk in the event of default of our counterparty or client. In addition, our credit risk may be exacerbated if the collateral held by us cannot be realized or is liquidated at prices not sufficient to recover the full amount of the loan or lease or derivative exposure due us. Any such losses may materially and adversely affect our business, financial condition or results of operations.

•Our businesses have been, and may continue to be, adversely affected by conditions in the financial markets and economic conditions generally. •Fluctuations in market interest rates, including the level and shape of the yield curve, may adversely affect our performance. •Transitions away from and the replacement of benchmark rates could adversely impact our business, financial condition and results of operations.

•Our businesses have been, and may continue to be, adversely affected by conditions in the financial markets and economic conditions generally. •Fluctuations in market interest rates may adversely affect our performance. •Transitions away from and the replacement of LIBOR and other benchmark rates could adversely impact our business, financial condition and results of operations. 21 21 21 21 21 21 Table of Contents Table of Contents Table of Contents