Regions Financial Corporation: 10-K Risk Factor Changes

2026 vs 2025  ·  SEC EDGAR  ·  2026-07-05
✓ Deterministic extraction — no AI-generated data

Classification is based on semantic text similarity scoring and may include approximations. “No match” means no high-confidence textual match was found — not necessarily that a section was removed.

35 New Risks  ·  12 Removed  ·  16 Modified  ·  33 Unchanged
🟢 New in Current Filing  ·  Severity 10/10  ·  Det 10

Privacy and Cybersecurity

We are, or may in the future become, subject to a variety of complex and evolving laws, regulations, rules and standards at the federal, state and local level regarding privacy and cybersecurity. Privacy and cybersecurity are currently areas of considerable legislative and regulatory attention, with new or modified laws, regulations, rules and standards being frequently adopted and potentially subject to divergent interpretation or application in a manner that may create inconsistent or conflicting requirements for businesses. Privacy and cybersecurity laws and regulations often impose strict requirements regarding the collection, storage, handling, use, disclosure, transfer, protection and other processing of personal information, which may have adverse consequences on our business, including incurring significant compliance costs, requiring changes to our business or operations and imposing severe penalties for non-compliance. For example, at the federal level, the federal banking regulators have adopted certain rules, including pursuant to the GLBA, that limit the ability of banks and other financial institutions to disclose non-public personal information about consumers to third parties. These limitations require disclosure of privacy policies to consumers and, in some circumstances, allow consumers to prevent disclosure of certain non-public personal information to non-affiliated third parties. In addition, consumers may also prevent disclosure among affiliated companies of certain non-public personal information that is assembled or used to determine eligibility for a product or service, such as that shown on consumer credit reports and application information. Consumers also have the option to direct banks and other financial institutions not to share certain information about transactions and experiences with affiliated companies for the purpose of marketing products or services. 
Federal law also requires financial institutions to implement a written IS Program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. The program should be designed to ensure the security and confidentiality of customer information, protect against unanticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. Financial institutions must also conduct ongoing oversight of third-party service providers to ensure they are maintaining appropriate security controls. Financial institutions must report on the institution’s cybersecurity program annually to the board of directors or a committee of the board of directors. The federal banking regulators regularly issue guidance regarding cybersecurity intended to enhance cyber risk management standards among financial institutions. A financial institution is expected to establish multiple lines of defense against security threats and to ensure their risk management processes appropriately address the risk posed by potential threats to the institution. A financial institution’s management is expected to maintain sufficient processes to effectively identify, prevent and detect a cyber-attack. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations if a critical service provider of the institution falls victim to a cyber-attack. In addition to the GLBA, we are subject to various other federal and state laws, regulations, rules and standards. The Regions IS Program is designed to reflect the regulatory requirements and guidance.
In addition, in the spring of 2022, federal banking regulators imposed a cybersecurity-related notification rule that requires banking organizations, including Regions and Regions Bank, to notify their primary federal regulator as soon as possible and within 36 hours of incidents that, among other things, have materially disrupted or degraded, or are reasonably likely to materially disrupt or degrade, the banking organization’s ability to deliver services to a material portion of its customer base, or ability to carry out key operations of the banking organization, the failure of which would pose a threat to the stability of the U.S. financial sector. The rule also imposes requirements on bank service providers to notify their affected banking organization customers of certain computer-security incidents. Additionally, the enactment of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, once rulemaking is complete, will require, among other things, covered entities to report significant cyber incidents, including ransomware attacks, to the CISA. Further, in 2023, the SEC adopted regulations requiring public companies to disclose certain information regarding material cybersecurity incidents impacting those companies, as well as descriptions about how they manage material cybersecurity risks. State regulators have also been increasingly active in implementing privacy and cybersecurity laws, regulations, rules and standards. Several states have adopted regulations requiring certain financial institutions to implement cybersecurity programs and have provided detailed requirements with respect to these programs, including data encryption requirements. Many states have also implemented, or are considering implementing, comprehensive data privacy and cybersecurity laws and regulations, such as the CCPA. In addition, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to individuals whose personal information has been disclosed as a result of a data breach. Moreover, the United States Congress has considered, and will likely in the future consider, various proposals for more comprehensive data privacy and cybersecurity legislation, to which Regions and/or Regions Bank may be subject if passed. We expect this trend of state and federal activity to persist, and we continue to monitor such developments in the geographic areas in which our customers are located.

🟢 New in Current Filing The development and use of AI presents risks and challenges that may adversely impact our business. 🔒
🟢 New in Current Filing Supervision and Regulation 🔒
🟢 New in Current Filing Safety and Soundness 🔒
🟢 New in Current Filing Anti-Money Laundering 🔒
🟢 New in Current Filing Climate-Related Developments 🔒
🟢 New in Current Filing Banking Operations 🔒
🟢 New in Current Filing Permissible Activities under the BHC Act 🔒
🟢 New in Current Filing Regulatory Capital Requirements 🔒
🟢 New in Current Filing Liquidity Requirements 🔒
🟢 New in Current Filing FDIA and Prompt Corrective Action 🔒
🟢 New in Current Filing Payment of Dividends 🔒
🟢 New in Current Filing Transactions with Affiliates 🔒
🟢 New in Current Filing Acquisitions 🔒
🟢 New in Current Filing Volcker Rule 🔒
🟢 New in Current Filing Community Reinvestment Act 🔒
🟢 New in Current Filing Compensation Practices 🔒
🟢 New in Current Filing Office of Foreign Assets Control Regulation 🔒
🟢 New in Current Filing Competition 🔒
🟢 New in Current Filing Human Capital 🔒
🟢 New in Current Filing Available Information 🔒
🟢 New in Current Filing Other Financial Services Operations 🔒
🟢 New in Current Filing Enhanced Prudential Standards and Regulatory Tailoring Rules 🔒
🟢 New in Current Filing Resolution Planning 🔒
🟢 New in Current Filing Lending Standards and Guidance 🔒
🟢 New in Current Filing Deposit Insurance 🔒
🟢 New in Current Filing Consumer Protection Laws 🔒
🟢 New in Current Filing Regulation of Broker Dealers and Investment Advisers 🔒
🟡 Modified We are subject to extensive governmental regulation, which could have an adverse impact on our operations and our business model. 🔒
🟡 Modified We are subject to sociopolitical risks that could adversely affect our business, reputation and the trading price of our common stock. 🔒
🟡 Modified An outbreak or escalation of hostilities between countries or within a country or region could have a material adverse effect on the U.S. economy and on our businesses. 🔒
🟢 New in Current Filing Business Segments 🔒
🟢 New in Current Filing Support of Subsidiary Banks 🔒
🟢 New in Current Filing Limits on Exposure to One Borrower and Exposure to Insiders 🔒
🟢 New in Current Filing De Novo Branching and De Novo Banks 🔒
🟢 New in Current Filing Anti-Tying Provisions 🔒
🟢 New in Current Filing FDIC Recordkeeping Requirements 🔒
🟢 New in Current Filing Depositor Preference 🔒
🔴 No Match in Current Filing Technology Risks 🔒
🔴 No Match in Current Filing Legal, Regulatory and Compliance Risks 🔒
🔴 No Match in Current Filing Other External Risks 🔒
🟡 Modified Weakness in commodity businesses could adversely affect our performance. 🔒
🔴 No Match in Current Filing Market Risks 🔒
🔴 No Match in Current Filing Strategic Risks 🔒
🔴 No Match in Current Filing Operational Risks 🔒
🔴 No Match in Current Filing Reputational Risks 🔒
🔴 No Match in Current Filing Talent Management Risks 🔒
🔴 No Match in Current Filing Our business and financial performance could be adversely affected by a U.S. government debt default or the threat of such a default. 🔒
🟡 Modified Our businesses may be adversely affected if we are unable to hire and retain qualified employees. 🔒
🟡 Modified Industry competition, including competition from decentralized finance platforms, cryptocurrencies and blockchain technologies, could disrupt our business model and adversely affect our revenues, market share or liquidity. 🔒
🔴 No Match in Current Filing Credit Risks 🔒
🔴 No Match in Current Filing Liquidity Risks 🔒
🔴 No Match in Current Filing Estimates and Assumptions Risks 🔒
🟡 Modified Rulemaking changes and regulatory initiatives implemented by the CFPB may result in higher regulatory and compliance costs that may adversely affect our results of operations. 🔒
🟡 Modified We are a holding company and depend on our subsidiaries for dividends, distributions and other payments. 🔒
🟡 Modified Our operations are concentrated primarily in the South, Midwest and Texas, and adverse changes in the economic conditions in this region can adversely affect our financial results and condition. 🔒
🟡 Modified We may be subject to more stringent capital and liquidity requirements. 🔒
🟡 Modified We are, and may in the future be, subject to claims and litigation calling into question our right to use the intellectual property underlying certain technology in our business. 🔒
🟡 Modified Our reported financial results depend on management’s selection of accounting methods and certain assumptions and estimates. 🔒
🟡 Modified Increases in FDIC insurance assessments may adversely affect our earnings. 🔒
🟡 Modified Weakness in the residential real estate markets could adversely affect our performance. 🔒
🟡 Modified We depend on the accuracy and completeness of information about clients and counterparties. 🔒
🟡 Modified Ineffective liquidity management could adversely affect our financial results and condition. 🔒
62 more changes in this filing
