Truist Financial Corporation: 10-K Risk Factor Changes

2026 vs 2025  ·  SEC EDGAR  ·  2026-07-05
✓ Deterministic extraction — no AI-generated data

Classification is based on semantic text similarity scoring and may include approximations. “No match” means no high-confidence textual match was found — not necessarily that a section was removed.

28 New Risks  ·  7 Removed  ·  15 Modified  ·  4 Unchanged
🟢 New in Current Filing  ·  Severity 10/10  ·  Det 10

Privacy, Data Protection, and Cybersecurity


Various federal and state statutes and regulations contain data privacy, data protection, and cybersecurity provisions, and the regulatory framework for data privacy, data protection, and cybersecurity is rapidly evolving. The FRB, the FDIC, and other U.S. banking agencies have adopted guidelines for safeguarding confidential, personal customer information. These guidelines require each financial institution, under the supervision and ongoing oversight of its board of directors or an appropriate committee thereof, to create, implement, and maintain a comprehensive written information security program designed to support the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. In addition, a number of government entities, including the FRB and the SEC, have increased their focus on cybersecurity through guidance, examinations, and regulations. At the federal level, the Gramm-Leach-Bliley Act requires financial institutions to, among other things, implement policies and procedures regarding the disclosure of nonpublic personal information about consumers to non-affiliated third parties. In general, the statute requires that financial institutions provide explanations to consumers on their policies and procedures regarding the disclosure of such nonpublic personal information and, except as otherwise required by law, prohibits disclosing such personal information except as provided in the financial institution’s policies and procedures. 
A joint regulation from the FRB, the OCC, and the FDIC requires a banking organization to notify its primary federal regulators as soon as possible and within 36 hours after identifying a “computer-security incident” that the banking organization believes in good faith has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, its business or operations in a manner that would, among other things, jeopardize the viability of its operations, result in customers being unable to access their deposit and other accounts, result in a material loss of revenue, profit or stock price, or pose a threat to the financial stability of the U.S. In addition, once implementing regulations are finalized, the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) will require, among other things, covered entities to report significant cyber incidents, including ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours from the time the covered entity reasonably believes the incident occurred (and within 24 hours of making a ransom payment as a result of a ransomware attack). The CISA proposed a rule under the CIRCIA in April 2024 that would clarify the scope of cyber incidents to be reported and would further define covered entities subject to the CIRCIA to include banking organizations like Truist. Although the CIRCIA originally required the CISA to finalize its regulations by October 2025, the CISA has extended such deadline to May 2026. Truist’s nonbank subsidiaries are also subject to rules and regulations issued by the Federal Trade Commission, which regulates unfair or deceptive acts or practices, including with respect to data privacy, data protection, and cybersecurity. Moreover, the U.S. Congress has recently considered, and is expected to continue to consider, various proposals for more comprehensive data privacy, data protection, and cybersecurity legislation.

Like other lenders, Truist Bank uses credit bureau data in its underwriting activities. The Fair Credit Reporting Act regulates use of such data, as well as reporting information to credit bureaus, prescreening individuals for credit offers, sharing of information between affiliates, and using affiliate data for marketing purposes. Similar state laws impose additional requirements on Truist Bank. States are also increasingly proposing or enacting legislation that relates to data privacy, data protection, and cybersecurity such as the California Consumer Privacy Act as amended by the California Privacy Rights Act. Truist may be subject to similar laws in other states where Truist does business or in states where Truist may collect personal information of residents. In addition, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to individuals whose personal information has been disclosed as a result of a data breach. Moreover, the New York Department of Financial Services Cybersecurity Regulation is driving significant cybersecurity compliance activities for covered Truist entities. This regulation includes phased compliance periods as well as annual attestations of compliance by these Truist entities. Truist has undertaken compliance activities to address these statutes and regulations and continues to assess their requirements and applicability to Truist. These statutes and regulations, as well as proposed legislation and regulation regarding privacy, data protection, and cybersecurity, are subject to revision or formal guidance and may be interpreted or applied in a manner inconsistent with the Company’s understanding, which may result in further uncertainty and require Truist to incur additional costs to comply. Refer to “Item 1A. Risk Factors” for more information on the risks related to compliance with applicable privacy, data protection, and cybersecurity statutes and regulations.

CRA

The CRA requires that U.S. banking agencies assess the records of banks in meeting the credit needs of the communities where they are chartered to do business, including low- and moderate-income neighborhoods, consistent with safe and sound operations. Banks are assigned one of four ratings: “Outstanding,” “Satisfactory,” “Needs to Improve,” or “Substantial Noncompliance.” A bank’s assessment is considered in connection with its application to merge or consolidate with or acquire the assets or assume the liabilities of another bank or to open or relocate a branch office. The CRA record of each subsidiary bank of an FHC is assessed by the FRB in connection with any proposed acquisition or merger application. For its most recent CRA examination period, Truist Bank received the highest possible overall rating of “Outstanding” from the FDIC. In October 2023, the U.S. banking agencies issued a final rule to significantly amend their regulations implementing the CRA. This rule was subject to litigation, and a preliminary injunction was issued that prevented the rule from taking effect. In July 2025, the agencies issued a notice of proposed rulemaking to rescind the rule and reinstate the previous CRA regulations.

🟢 New in Current Filing Talent Development 🔒
🟢 New in Current Filing Prompt Corrective Action 🔒
🟢 New in Current Filing Acquisitions 🔒
🟢 New in Current Filing BSA/AML and Sanctions 🔒
🟢 New in Current Filing Interchange Fees 🔒
🟢 New in Current Filing Human Capital 🔒
🟢 New in Current Filing Talent Practices 🔒
🟢 New in Current Filing Compensation and Total Rewards 🔒
🟢 New in Current Filing Website Access to Truist’s Filings with the SEC 🔒
🔴 No Match in Current Filing ITEM 1C. CYBERSECURITY 🔒
🟢 New in Current Filing FHC Regulation 🔒
🟢 New in Current Filing Resolution Planning 🔒
🟢 New in Current Filing Enhanced Prudential Standards and Regulatory Tailoring Rules 🔒
🟢 New in Current Filing Capital Requirements 🔒
🟢 New in Current Filing Capital Planning and Stress Testing Requirements 🔒
🟢 New in Current Filing Liquidity Requirements 🔒
🟢 New in Current Filing Long-Term Debt and Clean Holding Company Requirements 🔒
🟢 New in Current Filing Payment of Dividends 🔒
🟢 New in Current Filing Transactions with Affiliates 🔒
🟢 New in Current Filing Other Safety and Soundness Regulations 🔒
🟢 New in Current Filing DIF Assessments 🔒
🟢 New in Current Filing Consumer Protection Laws 🔒
🟢 New in Current Filing Automated Overdraft Payment Regulation 🔒
🟢 New in Current Filing Volcker Rule 🔒
🟢 New in Current Filing Regulatory Regime for Swaps 🔒
🟢 New in Current Filing Broker-Dealer and Investment Adviser Regulation 🔒
🟢 New in Current Filing Corporate Governance 🔒
🟡 Modified Technology and Data Risks 🔒
🟡 Modified Technology and Data Risks 🔒
🟡 Modified Compliance, Regulatory, and Legal Risks 🔒
🟢 New in Current Filing Other Regulatory Matters 🔒
🔴 No Match in Current Filing Compliance Risks 🔒
🟡 Modified Compliance, Regulatory, and Legal Risks 🔒
🟡 Modified Additional Risks 🔒
🟡 Modified Additional Risks 🔒
🔴 No Match in Current Filing Talent Management Risks 🔒
🔴 No Match in Current Filing Talent Management Risks 🔒
🟡 Modified Liquidity Risks 🔒
🟡 Modified Market Risks 🔒
🔴 No Match in Current Filing Reputational Risks 🔒
🔴 No Match in Current Filing Regulatory and Legal Risks 🔒
🔴 No Match in Current Filing Reputational Risks 🔒
🟡 Modified Operational Risks 🔒
🟡 Modified Operational Risks 🔒
🟡 Modified Strategic Risks 🔒
🟡 Modified Strategic Risks 🔒
🟡 Modified Risks Related to Estimates and Assumptions 🔒
🟡 Modified Risk Factors 🔒
🟡 Modified Credit Risks 🔒
49 more changes in this filing
