# Truist Financial Corporation: 10-K Risk Factor Changes 2026 vs 2025

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-05-05  
> All data extracted directly from official filings. No hallucinated content.

> **[AI-Generated Summary]** The paragraph below was produced by a language
> model and may contain errors. All other content on this page is deterministically
> extracted from the original SEC filing.

> Between the 2025 and 2026 filings, 28 risk factor sections in 2026 have no close textual match in 2025, while 7 sections from 2025 have no close textual match in 2026. Of the sections appearing in both years, 15 show meaningful text differences and 4 are substantially similar. The 2026 filing includes newly matched sections covering regulatory topics such as capital requirements, liquidity requirements, and various compliance areas, while 2025 sections on cybersecurity, talent management, and reputational risks have no close textual match in 2026.

---

## Summary

| Status | Count |
|--------|-------|
| New risks added | 28 |
| Risks removed | 7 |
| Risks modified | 15 |
| Unchanged | 4 |

---

## New in Current Filing: FHC Regulation

Truist has elected to be treated as an FHC. As long as an FHC maintains its standing as an FHC, it may engage in a broader range of activities than would otherwise be permissible for a BHC, such as securities underwriting, merchant banking, and other activities that are financial in nature or incidental or complementary thereto. If certain conditions are met, FHCs may acquire shares of nonbank companies, with any acquisition of a nonbank company or voting shares of a nonbank company with total consolidated assets of $10 billion or more subject to the prior approval of the FRB. To maintain its standing as an FHC, an FHC and its IDI subsidiaries must be well-capitalized and well managed as defined by applicable law, and any IDI subsidiary must have at least a satisfactory CRA rating. If the FRB determines that an FHC is not well-capitalized or well managed, the FRB may impose corrective capital and managerial requirements on the FHC, which could affect resources and limit amounts otherwise available to creditors and shareholders. In such a situation, the FRB may also place limitations on the ability of an FHC to conduct certain business activities that FHCs are generally permitted to conduct as well as the FHC's ability to make certain acquisitions. If the failure to meet these standards persists, an FHC may be required to divest its IDI subsidiaries or cease all activities other than those activities that may be conducted by BHCs that are not FHCs. Furthermore, if an IDI subsidiary of an FHC has not maintained a satisfactory CRA rating, the FHC would not be able to commence any new financial activities or acquire a company that engages in such activities, although the FHC would still be allowed to engage in activities that may be conducted by BHCs that are not FHCs. Federal law requires an FHC to act as a source of financial and managerial strength for its subsidiary IDIs. 
In times of severe financial stress, the obligation to serve as a source of strength could cause Truist to commit significant resources to supporting Truist Bank that otherwise would be available to Truist's creditors and shareholders.

---

## New in Current Filing: Resolution Planning

As a Category III banking organization, Truist is required to submit a plan to the FRB and the FDIC periodically for Truist's orderly resolution in the event of severe financial stress (a "165(d) Resolution Plan"). If the agencies were to determine that Truist's 165(d) Resolution Plan is not credible, they would provide a joint notice identifying one or more deficiencies that could undermine the feasibility of the plan. If Truist were to receive such a notice and fail to timely submit a revised 165(d) Resolution Plan or adequately address the identified deficiencies, the agencies may subject Truist to formal or informal enforcement actions, including more stringent capital, leverage, or liquidity requirements or restrictions on growth, activities, or operations. Truist submitted its most recent 165(d) Resolution Plan on September 30, 2025. The next targeted plan is due July 1, 2028. In addition, as an IDI with over $50 billion in assets, Truist Bank is required to periodically submit to the FDIC a separate bank-level resolution plan (an "IDI Resolution Plan"). In 2024, the FDIC adopted a final rule that significantly modified the required frequency and informational content of IDI Resolution Plans. As a result of the rule, Truist Bank must submit a full IDI Resolution Plan to the FDIC every three years and an interim supplement in other years. The final rule introduced a new credibility standard for evaluating the adequacy of IDI Resolution Plan submissions, set expectations for capabilities testing, and contemplated increased engagement between IDIs and examiners. The application of the new credibility standard may require the exercise of a meaningful degree of judgment by the FDIC. If Truist Bank's IDI Resolution Plan were not to satisfy the credibility standard or any other provision of the rule, the FDIC may require Truist Bank to revise portions of it. 
If Truist Bank were to fail to timely submit a revised IDI Resolution Plan or adequately address the identified deficiencies, the FDIC may subject Truist Bank to formal or informal enforcement actions. Truist Bank's first interim supplement was submitted on July 1, 2025, and its full IDI Resolution Plan submission is due July 1, 2026.

---

## New in Current Filing: Enhanced Prudential Standards and Regulatory Tailoring Rules

U.S. BHCs, including Truist, are subject to a range of prudential standards and requirements based on their size and complexity. Under tailoring rules adopted by the U.S. banking agencies, Truist is subject to the standards and requirements applicable to Category III banking organizations, which generally include BHCs with greater than $250 billion, but less than $700 billion, in total consolidated assets and less than $75 billion in certain risk-related exposures. Truist is therefore subject to more stringent liquidity and capital requirements, leverage limits, internal and supervisory stress testing requirements, single-counterparty credit limits, resolution planning requirements, and enhanced risk management standards compared to smaller institutions, while certain larger banking organizations are subject to even more stringent prudential standards and requirements than Truist.

---

## New in Current Filing: Capital Requirements

Truist and Truist Bank are subject to risk-based and leverage regulatory capital requirements, which are established by the FRB for Truist and by the FDIC for Truist Bank. Failure of an FHC or an IDI to be well-capitalized as defined by applicable law or to meet minimum capital requirements can result in enforcement and other supervisory actions and have a significantly adverse impact on the institution's business and operations. The U.S. risk-based regulatory capital rules are based on the Basel Framework developed by the BCBS for strengthening the regulation, supervision, and risk management of banks as well as certain provisions of the Dodd-Frank Act. These rules prescribe minimum capital levels and allow the FRB and the FDIC to impose incremental capital requirements on a banking organization based on its size, complexity, or risk profile to enhance its ability to operate in a safe and sound manner. Under the standardized approach of the regulatory capital rules that Truist and Truist Bank are required to use, risk weights are applied to their assets, exposures, and certain off-balance sheet items to determine their risk-weighted assets. These risk-weighted assets are the denominator in the following minimum capital ratios for Truist and Truist Bank:

- CET1 Risk-Based Capital Ratio, equal to the ratio of CET1 capital to risk-weighted assets. CET1 capital primarily includes common shareholders' equity and retained earnings, subject to certain regulatory adjustments and deductions, including with respect to goodwill, intangible assets, certain deferred tax assets, and AOCI. Truist must maintain a minimum CET1 capital ratio of 4.5% plus any additional CET1 mandated as a result of the SCB requirement.
- Tier 1 Risk-Based Capital Ratio, equal to the ratio of Tier 1 capital to risk-weighted assets. Tier 1 capital is primarily composed of CET1 capital, perpetual preferred stock, and certain qualifying capital instruments. Truist must maintain a minimum Tier 1 capital ratio of 6.0%.
- Total Risk-Based Capital Ratio, equal to the ratio of total capital, including CET1 capital, Tier 1 capital, and Tier 2 capital, to risk-weighted assets. Tier 2 capital primarily includes qualifying subordinated debt and qualifying ALLL. Tier 2 capital also includes certain trust preferred securities. Truist must maintain a minimum total capital ratio of 8.0%.

Under the FRB's capital framework for BHCs, Truist is subject to the SCB, an incremental risk-based capital requirement determined from supervisory stress test results. The SCB is equal to the greater of (i) the difference between Truist's starting and minimum projected CET1 capital ratios under the severely adverse scenario in the supervisory stress test, plus the sum of the dollar amount of its planned common stock dividends for each of the fourth through seventh quarters of the planning horizon as a percentage of risk-weighted assets, or (ii) 2.5% of risk-weighted assets. Truist is required to describe its planned capital actions in its CCAR capital plan but is not required to seek prior approval for capital distributions in excess of those included in its CCAR capital plan. Instead, Truist is subject to automatic restrictions on capital distributions if its capital ratios fall below applicable minimum requirements, inclusive of the SCB. Refer to the section titled "Capital Planning and Stress Testing Requirements" for more information on the CCAR capital plan. The FRB has assigned Truist an SCB of 2.5%, which was effective from October 1, 2025 to September 30, 2026, when a revised SCB ordinarily would be provided to Truist. On February 4, 2026, the FRB notified Truist of a determination to extend until October 1, 2027, the deadlines for providing Truist with notice of its preliminary and final SCB requirements calculated in 2026.
The FRB explained that its proposal from October 2025, seeking public comment on the models that the FRB planned to use for the 2026 supervisory stress test was still outstanding and was not expected to be finalized before conducting the 2026 supervisory stress test. As a result, absent further action from the FRB, Truist will continue to be subject to its current SCB requirement of 2.5% until 2027, when a new SCB based on updated models can be calculated. If Truist takes part in the supervisory stress test in 2027 as expected, Truist would receive a new final SCB requirement based on the results of a supervisory stress test conducted in 2027. If Truist continues to be subject to the capital plan rule but does not take part in the supervisory stress test in 2027, a final SCB requirement would be assigned that has been adjusted to account for Truist's updated planned common stock dividends. The FRB reserved the authority to modify these deadlines based on a change in actual or expected economic conditions, a change in the financial condition of Truist or its risk profile, or other factors that could affect the safety and soundness of Truist. At the FRB's discretion, certain large banking organizations, including Truist, may be subject to a CCyB of up to 2.5% of risk-weighted assets. This buffer is currently set at zero. An FRB policy statement establishes the framework and factors the FRB would use in setting and adjusting the CCyB. Covered banking organizations would generally have 12 months after the announcement of any increase in the CCyB to meet the increased buffer requirement, unless the FRB establishes an earlier effective date.
Based on Truist's current SCB, if the maximum CCyB amount is implemented, Truist would be required to maintain a CET1 capital ratio of at least 9.5%, a Tier 1 capital ratio of at least 11.0%, and a total capital ratio of at least 13.0% to avoid limitations on capital distributions and certain discretionary incentive compensation payments. Certain large banking organizations with significant trading assets and liabilities, including Truist, are subject to the Market Risk Rule and must adjust their risk-based capital ratios to reflect the market risk of their trading activities. Refer to the "Market Risk" section in MD&A for additional disclosures related to market risk management. Truist and Truist Bank are subject to a Tier 1 leverage ratio, equal to the ratio of Tier 1 capital to quarterly average assets, net of goodwill, certain other intangible assets, and certain other deductions. Category III banking organizations are also subject to a minimum 3.0% supplementary leverage ratio. The supplementary leverage ratio is calculated by dividing Tier 1 capital by total leverage exposure, which takes into account on-balance sheet assets as well as certain off-balance sheet items, including loan commitments and potential future exposure of derivative contracts. For purposes of certain FRB rules, including determining whether a BHC meets the requirements to be an FHC, the BHC must maintain a Tier 1 Risk-Based Capital Ratio of 6.0% or greater and a Total Risk-Based Capital Ratio of 10.0% or greater to be "well-capitalized." The FRB may require a BHC to maintain capital ratios in excess of mandated minimum levels, depending upon general economic conditions and the BHC's particular condition, risk profile, and growth plans. In July 2023, the U.S. banking agencies issued a proposal to revise the risk-based capital standards applicable to Truist and Truist Bank. The U.S. banking agencies have indicated their intent to re-propose the revised risk-based capital standards. 
The potential impacts on Truist and Truist Bank of a final rule remain uncertain. Refer to the "Capital" section in MD&A for additional information on minimum regulatory capital ratios and well-capitalized minimum ratios applicable to Category III banking organizations.

---

## New in Current Filing: Capital Planning and Stress Testing Requirements

Under the FRB's CCAR process and related capital plan rule, Truist must submit an annual capital plan to the FRB that reflects its projected financial performance under hypothetical macro-economic scenarios, including stress scenarios designed by Truist and a supervisory severely adverse scenario provided by the FRB. The FRB's CCAR framework and the Dodd-Frank Act stress testing framework require BHCs subject to Category III standards, such as Truist, to conduct company-run stress tests and submit to supervisory stress tests conducted by the FRB. Company-run stress tests employ stress scenarios provided by the FRB and incorporate Dodd-Frank Act capital actions intended to normalize capital distribution assumptions across large U.S. BHCs. Truist is required to conduct additional stress tests using internally-developed scenarios tailored to its unique risk profile. The FRB conducts CCAR and Dodd-Frank Act supervisory stress tests employing internal supervisory models and supervisory stress scenarios. As a Category III banking organization, Truist is subject to annual supervisory stress testing and biennial company-run stress testing requirements. Truist is required to submit its next capital plan and the results of its internal stress tests to the FRB by April 5, 2026. The FRB is expected to announce the results of its supervisory stress tests by June 30, 2026. In April 2025, the FRB issued a proposed rule that would result in the SCB being calculated based on an average of a banking organization's stress test results over two consecutive years, which is intended to reduce volatility in banking organizations' capital requirements. In October 2025, the FRB issued proposals to enhance the transparency and public accountability of its annual supervisory stress test. 
The proposals request comment on several elements of the stress test, including the models and scenarios used; an enhanced disclosure process for the scenarios and material model changes in future stress test cycles; modifications to reporting forms; and an adjusted timeline for the annual process to accommodate a comment period for scenarios and material model changes.

---

## New in Current Filing: Liquidity Requirements

Certain BHCs and their bank subsidiaries, including Truist and Truist Bank, are subject to a minimum LCR and NSFR. The LCR rule requires that banking organizations maintain an amount of eligible HQLA that is sufficient within the parameters of the rule to meet estimated total net cash outflows over a prospective 30 calendar-day period of stress. The NSFR rule defines a minimum amount of stable, long-term funding that banking organizations must maintain in relation to their asset composition and off-balance sheet activities. The NSFR, calculated as the ratio of available stable funding to required stable funding, must exceed 1.0x for banking organizations required to meet the full requirement. Available stable funding represents a weighted measure of a company's funding sources over a one-year time horizon, calculated by applying standardized weightings to the company's equity and liabilities based on their expected stability. Required Stable Funding is calculated by applying standardized weighting to assets, derivatives exposures, and certain other items based on their liquidity characteristics. As a Category III banking organization, Truist and Truist Bank are subject to LCR and NSFR requirements equal to 85% of the full requirement. Truist is also subject to FRB rules that require certain large BHCs to conduct internal liquidity stress tests over a range of time horizons, maintain a buffer of highly liquid assets sufficient to meet projected net outflows under the BHC's 30-day liquidity stress test, and maintain a contingency funding plan.

---

## New in Current Filing: Long-Term Debt and Clean Holding Company Requirements

U.S. banking agencies issued a proposed rule that would require banking organizations with $100 billion or more in total assets to comply with long-term debt requirements and clean holding company requirements that currently apply only to GSIBs. This proposal would also impose a long-term debt requirement on certain categories of IDIs, including IDIs with $100 billion or more in total assets, such as Truist Bank. The clean holding company requirements would limit or prohibit banking organizations such as Truist from entering into certain transactions that could impede its orderly resolution, including transactions that could spread losses to subsidiaries and third parties or could limit the amount of Truist's liabilities that are not eligible long-term debt. The timing and form of any final rule implementing the long-term debt requirements and clean holding company requirements remains uncertain.

---

## New in Current Filing: Payment of Dividends

The Parent Company is a legal entity separate and distinct from its subsidiaries. The Parent Company depends in part upon dividends received from its direct and indirect subsidiaries, including Truist Bank, to fund its activities, including capital distributions such as dividends and share repurchases. Federal law limits Truist Bank's ability to declare and pay dividends to the Parent Company, including under regulatory capital requirements, safety-and-soundness requirements, and requirements relating to the payment of dividends out of net profits, surplus, and available earnings. Certain contractual restrictions also may limit the ability of Truist Bank to pay dividends to the Parent Company. No assurances can be given that Truist Bank will, in any circumstances, pay dividends to the Parent Company. The Parent Company's ability to declare and pay dividends is similarly limited by federal banking law and FRB policies. The FRB has authority to prohibit a BHC from making capital distributions if determined to be an unsafe or unsound practice. The FRB has indicated generally that paying dividends may be an unsafe and unsound practice unless net income is sufficient to fund the dividends and the expected rate of earnings retention is consistent with the BHC's capital needs, asset quality, and overall financial condition. In addition, a BHC's ability to make capital distributions, including dividends and share repurchases, is subject to the FRB's automatic restrictions on capital distributions if the BHC fails to maintain certain regulatory capital ratios. Truist's risk-based capital and leverage ratio requirements are discussed above in the "Capital Requirements" section. North Carolina law provides that, as long as a bank does not make distributions that reduce its capital below its applicable required capital, the board of directors of a bank chartered under the laws of North Carolina may declare such distributions as the directors deem proper.

---

## New in Current Filing: Prompt Corrective Action

U.S. banking agencies are required to take "prompt corrective action" against IDIs that do not meet minimum capital requirements. There are five statutory categories that characterize an IDI's capital position for this purpose: "well-capitalized," "adequately capitalized," "undercapitalized," "significantly undercapitalized," and "critically undercapitalized." To be considered "well-capitalized," an IDI must maintain minimum capital ratios and must not be subject to any order or written directive to meet and maintain a specific capital level for any capital measure. An IDI that fails to remain well-capitalized becomes subject to a series of restrictions that increase in severity as its capital condition weakens. These restrictions may include a prohibition on capital distributions, restrictions on asset growth, or the withholding of regulatory approval for applications. Additionally, the FRB is authorized to act against BHCs with undercapitalized IDI subsidiaries. In certain instances, a BHC acting as a source of strength would be required to guarantee the performance of the undercapitalized subsidiary's capital restoration plan and could be liable for civil money damages for failing to fulfill those guarantees. If an IDI fails to meet applicable capital requirements, its supervisors may take a variety of formal and informal enforcement actions, including directing the IDI to raise additional capital, substantially restricting the IDI's operations and activities, terminating the IDI's deposit insurance, and in severe cases appointing a conservator or receiver for the IDI.

---

## New in Current Filing: Transactions with Affiliates

Transactions between Truist Bank and its nonbank affiliates, including the Parent Company, are subject to a number of legal restrictions. Under the Federal Reserve Act and FRB regulations, Truist Bank and its subsidiaries are subject to quantitative and qualitative limits on extensions of credit, purchases of assets, and certain other transactions with nonbank affiliates, including requirements that transactions be at arm's length and consistent with safety and soundness.

---

## New in Current Filing: Acquisitions

Truist requires prior regulatory approval to engage in certain acquisitions. For example, under the BHCA, a BHC may not directly or indirectly acquire ownership or control of more than 5% of the voting shares or substantially all of the assets of any BHC or bank or merge or consolidate with another BHC without the prior approval of the FRB. The BHCA and other federal laws enumerate the factors the FRB must consider when reviewing the merger of BHCs, the acquisition of banks, or the acquisition of voting securities of a bank or BHC. These factors include the competitive effects of the transaction in the relevant geographic markets; the financial and managerial resources and future prospects of the companies and banks involved in the transaction; the effect of the transaction on the financial stability of the U.S.; the organizations' compliance with anti-money laundering statutes and regulations; the convenience and needs of the communities to be served; and the records of performance under the CRA of the IDIs involved in the transaction. Federal law authorizes interstate acquisitions of banks and BHCs without geographic limitation, and a bank headquartered in one state is authorized to merge with a bank headquartered in another state, subject to market share limitations, regulatory approvals, and any state requirement that the target bank must have been in existence and operating for a minimum period of time. The FRB's market share limitations impose conditions that the acquiring BHC, after and as a result of the acquisition, control no more than 10% of the total amount of deposits of IDIs in the U.S. and no more than 30%, subject to variation by state law, of such deposits in applicable states. FRB rules also prohibit an FHC from combining with another company if the resulting company's liabilities would exceed 10% of the aggregate consolidated liabilities of all U.S. financial companies. 
After a bank has established branches in a state through an interstate merger transaction, the bank may establish and acquire additional branches at any location in the state where a bank headquartered in that state could have established or acquired branches under applicable federal or state law. The U.S. DOJ has withdrawn its 1995 Bank Merger Guidelines, which focused primarily on concentrations of deposits and branches, and clarified that it will assess competition considerations in connection with bank and BHC mergers using its 2023 Merger Guidelines and 2024 Banking Addendum. The 2023 Merger Guidelines are a general merger review framework used to evaluate transactions in all segments of the economy, and the 2024 Banking Addendum allows for consideration of theories of harm and relevant markets not considered in the 1995 Bank Merger Guidelines. It is still not entirely clear how the U.S. DOJ will apply this new merger review framework to bank and BHC mergers.

---

## New in Current Filing: Other Safety and Soundness Regulations

The FRB has authority to prohibit BHCs and their subsidiaries from conducting activities that constitute unsafe or unsound practices or violations of statute, rule, regulation, administrative order, or written agreement with a U.S. banking agency. These powers may be exercised through the issuance of confidential supervisory actions, cease and desist orders, civil money penalties, or other actions. In October 2025, the FDIC and the OCC issued a proposed rule that would define the term "unsafe or unsound practice" for purposes of their enforcement powers under the Federal Deposit Insurance Act. The proposed definition would focus on whether the practice is likely to materially harm, or already has materially harmed, the financial condition of an institution. Federal law and regulatory policy impose a number of obligations and restrictions on BHCs and their IDI subsidiaries that are designed to reduce potential loss exposure to depositors and the DIF in the event that the BHC or the IDI becomes or is in danger of becoming insolvent. In particular, a BHC must serve as a source of financial and managerial strength to its subsidiary IDI and commit financial resources to support that IDI during periods of severe stress. U.S. banking agencies have other broad powers over IDIs as well, including the power to impose confidential supervisory actions and civil penalties and to appoint a receiver or conservator over an IDI for the benefit of depositors and other creditors.
The NCCOB also has the authority to take possession of a North Carolina state bank in certain circumstances, including when it appears that the bank has violated its charter or applicable law, is conducting its business in an unauthorized or unsafe manner, is in an unsafe or unsound condition to transact its business, or has an impairment of its capital stock.

---

## New in Current Filing: DIF Assessments

Truist Bank's deposits are insured by the FDIC up to the maximum insurable amount, which is currently $250,000 per depositor per account ownership type. The FDIC imposes a risk-based deposit premium assessment system that determines assessment rates for each IDI using an assessment rate calculator, which incorporates measurements of the risk each IDI poses to the DIF. The assessment rate is applied to total average assets less tangible equity, as defined by the Dodd-Frank Act. The assessment rate schedule can change from time to time at the discretion of the FDIC, subject to certain limits. Under the current system, premiums are assessed quarterly. The FDIC implemented a special assessment to recoup losses to the DIF associated with the large bank failures in 2023. The special assessment is based on an IDI's estimated uninsured deposits. Truist Bank's special assessment may be adjusted for changes in the estimated relevant losses to the DIF reported by the FDIC. The special assessment will be paid by IDIs in eight quarterly installments, which began in the second quarter of 2024. In December 2025, the FDIC issued an interim final rule reducing the special assessment rate for the eighth collection quarter, with an invoice payment date of March 30, 2026, and outlining a process for (i) an offset to regular quarterly deposit insurance assessments for IDIs subject to the special assessment if the special assessment amount collected ultimately exceeds losses to the DIF or (ii) a one-time final shortfall special assessment if losses to the DIF exceed the special assessment amount collected.

---

## New in Current Filing: Consumer Protection Laws

In connection with its lending, leasing and deposit-taking activities, Truist Bank is subject to federal and state laws designed to protect consumers and borrowers and to promote financial services for various sectors of the economy and population. The CFPB examines Truist and Truist Bank for compliance with a broad range of federal consumer financial statutes and regulations, including those that relate to credit card, mortgage, automobile, student, and other consumer loans as well as deposit products and other consumer financial products and services. Laws that the CFPB is charged with enforcing include the Truth in Lending Act, Truth in Savings Act, Home Mortgage Disclosure Act, Fair Credit Reporting Act, Electronic Funds Transfer Act, Real Estate Settlement Procedures Act, Fair Debt Collection Practices Act, and Equal Credit Opportunity Act. The CFPB may take enforcement actions to prevent and remedy acts and practices relating to consumer financial products and services that it deems to be unfair, deceptive, or abusive. The CFPB also may impose new disclosure requirements for consumer financial products and services. CFPB regulations and supervisory actions may impact Truist or Truist Bank, including by reducing the fees that Truist and Truist Bank receive, altering the way products and services are provided, or increasing the risk of private litigation or regulatory enforcement action. In October 2024, the CFPB finalized a rule under the Dodd-Frank Act that requires certain entities, including Truist and Truist Bank, to make available to a consumer, upon request, information in the entity's control or possession concerning the consumer financial product or service that the consumer obtained from that entity. 
The rule also requires data providers holding a consumer account, such as Truist Bank, to establish a developer interface satisfying certain data security specifications and other standards, through which the data provider can receive requests for and provide specific types of data covered by the rule in electronic, usable form to authorized third parties such as data aggregators. Data providers are prohibited from charging consumers or third parties fees for processing these consumer data requests. The rule further places certain data security, authorization, and other obligations on third parties accessing covered data from data providers, which could include Truist and Truist Bank when acting in certain capacities. In addition, the rule requires these third parties to limit their collection, use, and retention of the data received from the applicable data provider to only what is reasonably necessary to provide the applicable consumer's requested product or service, including uses that are reasonably necessary to improve the product or service. After release of the final rule, banking industry participants sued to enjoin and invalidate the rule in the United States District Court for the Eastern District of Kentucky. The CFPB has indicated that it will significantly revise the final rule, which is expected to change Truist's and Truist Bank's obligations and the applicable compliance dates. On October 29, 2025, the court granted a preliminary injunction to pause the compliance dates and to enjoin the CFPB from enforcing the rule until after reconsideration. Truist and Truist Bank are subject to consumer protection laws that have been adopted by the states where they operate. 
State attorneys general and regulatory agencies have authority to enforce these state consumer protection laws as well as certain federal consumer protection laws. During 2025, the CFPB reduced its staff by over 80%. The reduction in force is the subject of litigation, and the staffing cuts are currently stayed pending the federal circuit court's rehearing of the case. The impact of these developments on banking organizations subject to CFPB regulation and supervision, including Truist, is uncertain. States and state attorneys general may increase regulatory, investigative, and enforcement activity with respect to consumer protection in response to changes in regulation, supervision, and enforcement of consumer protection laws by the CFPB or other federal regulators.

---

## New in Current Filing: BSA/AML and Sanctions

The BSA, as amended by the Patriot Act, and its implementing regulations are designed to protect the U.S. financial system and those who rely on it from financial crimes, such as money laundering and terrorist financing. The BSA and its implementing regulations do this by requiring financial institutions, including IDIs such as Truist Bank, broker-dealers, and other financial institutions, to develop and implement BSA/AML compliance programs that detect and report financial crimes. The BSA and its implementing regulations also strengthen the ability of U.S. law enforcement agencies and the intelligence community to disrupt and prevent money laundering, the financing of terrorism, and related crimes. In addition, U.S. persons, including entities like Truist, must comply with sanctions programs administered by OFAC and the U.S. Department of State. These sanctions programs prohibit, among other things, financial transactions involving certain individuals, entities, countries, and territories that are the subject of U.S. economic sanctions and impose other restrictions on certain investments and dealings, including requirements to block assets. Federal law grants substantial enforcement powers to U.S. banking agencies, FinCEN, OFAC, the U.S. DOJ, and other government agencies with respect to BSA and OFAC compliance, including through examination and ongoing monitoring. This enforcement authority includes the ability to assess significant civil and criminal monetary penalties, fines, and restitution; to issue cease and desist or prohibition orders; to initiate injunctive actions against financial institutions and institution-affiliated parties; and to impose restrictions on business, including bank and BHC mergers and acquisitions. These enforcement actions may be initiated for violations of statutes and regulations or for unsafe and unsound practices and could result in substantial negative shareholder reaction and reputational damage.

---

## New in Current Filing: Privacy, Data Protection, and Cybersecurity

Various federal and state statutes and regulations contain data privacy, data protection, and cybersecurity provisions, and the regulatory framework for data privacy, data protection, and cybersecurity is rapidly evolving. The FRB, the FDIC, and other U.S. banking agencies have adopted guidelines for safeguarding confidential, personal customer information. These guidelines require each financial institution, under the supervision and ongoing oversight of its board of directors or an appropriate committee thereof, to create, implement, and maintain a comprehensive written information security program designed to support the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. In addition, a number of government entities, including the FRB and the SEC, have increased their focus on cybersecurity through guidance, examinations, and regulations. At the federal level, the Gramm-Leach-Bliley Act requires financial institutions to, among other things, implement policies and procedures regarding the disclosure of nonpublic personal information about consumers to non-affiliated third parties. In general, the statute requires that financial institutions provide explanations to consumers on their policies and procedures regarding the disclosure of such nonpublic personal information and, except as otherwise required by law, prohibits disclosing such personal information except as provided in the financial institution's policies and procedures. 
A joint regulation from the FRB, the OCC, and the FDIC requires a banking organization to notify its primary federal regulators as soon as possible and within 36 hours after identifying a "computer-security incident" that the banking organization believes in good faith has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, its business or operations in a manner that would, among other things, jeopardize the viability of its operations, result in customers being unable to access their deposit and other accounts, result in a material loss of revenue, profit or stock price, or pose a threat to the financial stability of the U.S. In addition, once implementing regulations are finalized, the Cyber Incident Reporting for Critical Infrastructure Act ("CIRCIA") will require, among other things, covered entities to report significant cyber incidents, including ransomware attacks, to the Cybersecurity and Infrastructure Security Agency ("CISA") within 72 hours from the time the covered entity reasonably believes the incident occurred (and within 24 hours of making a ransom payment as a result of a ransomware attack). The CISA proposed a rule under the CIRCIA in April 2024 that would clarify the scope of cyber incidents to be reported and would further define covered entities subject to the CIRCIA to include banking organizations like Truist. Although the CIRCIA originally required the CISA to finalize its regulations by October 2025, the CISA has extended such deadline to May 2026. Truist's nonbank subsidiaries are also subject to rules and regulations issued by the Federal Trade Commission, which regulates unfair or deceptive acts or practices, including with respect to data privacy, data protection, and cybersecurity. Moreover, the U.S. 
Congress has recently considered, and is expected to continue to consider, various proposals for more comprehensive data privacy, data protection, and cybersecurity legislation. Like other lenders, Truist Bank uses credit bureau data in its underwriting activities. The Fair Credit Reporting Act regulates use of such data, as well as reporting information to credit bureaus, prescreening individuals for credit offers, sharing of information between affiliates, and using affiliate data for marketing purposes. Similar state laws impose additional requirements on Truist Bank. States are also increasingly proposing or enacting legislation that relates to data privacy, data protection, and cybersecurity such as the California Consumer Privacy Act as amended by the California Privacy Rights Act. Truist may be subject to similar laws in other states where Truist does business or in states where Truist may collect personal information of residents. In addition, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to individuals whose personal information has been disclosed as a result of a data breach. Moreover, the New York Department of Financial Services Cybersecurity Regulation is driving significant cybersecurity compliance activities for covered Truist entities. This regulation includes phased compliance periods as well as annual attestations of compliance by these Truist entities. Truist has undertaken compliance activities to address these statutes and regulations and continues to assess their requirements and applicability to Truist. These statutes and regulations, as well as proposed legislation and regulation regarding privacy, data protection, and cybersecurity, are subject to revision or formal guidance and may be interpreted or applied in a manner inconsistent with the Company's understanding, which may result in further uncertainty and require Truist to incur additional costs to comply. Refer to "Item 1A. 
Risk Factors" for more information on the risks related to compliance with applicable privacy, data protection, and cybersecurity statutes and regulations.

CRA

The CRA requires that U.S. banking agencies assess the records of banks in meeting the credit needs of the communities where they are chartered to do business, including low- and moderate-income neighborhoods, consistent with safe and sound operations. Banks are assigned one of four ratings: "Outstanding," "Satisfactory," "Needs to Improve," or "Substantial Noncompliance." A bank's assessment is considered in connection with its application to merge or consolidate with or acquire the assets or assume the liabilities of another bank or to open or relocate a branch office. The CRA record of each subsidiary bank of an FHC is assessed by the FRB in connection with any proposed acquisition or merger application. For its most recent CRA examination period, Truist Bank received the highest possible overall rating of "Outstanding" from the FDIC. In October 2023, the U.S. banking agencies issued a final rule to significantly amend their regulations implementing the CRA. This rule was subject to litigation, and a preliminary injunction was issued that prevented the rule from taking effect. In July 2025, the agencies issued a notice of proposed rulemaking to rescind the rule and reinstate the previous CRA regulations.

---

## New in Current Filing: Automated Overdraft Payment Regulation

Federal consumer protection laws govern automated overdraft payment programs offered by financial institutions. The CFPB prohibits financial institutions from charging consumers fees for paying overdrafts on ATM and one-time debit card transactions, unless a consumer opts in to the overdraft service. Financial institutions must provide consumers with a notice that explains the financial institution's overdraft services, including associated fees and the consumer's choices. In addition, FDIC-supervised institutions must monitor overdraft payment programs for "excessive or chronic" client use and undertake "meaningful and effective" follow-up action with clients that overdraw their accounts more than six times during a rolling 12-month period. Financial institutions must also impose daily limits on overdraft charges, review and modify check-clearing procedures, prominently distinguish account balances from available overdraft coverage amounts, and provide for board and management oversight regarding overdraft payment programs. Truist offers checking accounts that are not subject to overdraft fees.

---

## New in Current Filing: Interchange Fees

The Dodd-Frank Act requires the FRB to establish standards for assessing whether debit interchange fees charged by large debit card issuers, including Truist Bank, are reasonable and proportional to the cost incurred by the issuers. These standards are set forth in the FRB's Regulation II, which has been subject to extensive litigation that remains ongoing. In 2023, the FRB proposed but has not yet finalized revisions to Regulation II that would lower the interchange fee cap applicable to Truist Bank, which may result in reduced interchange fee revenue. States have taken steps as well to regulate interchange fees. The Illinois Interchange Fee Prohibition Act prohibits credit and debit card issuers, payment card networks, acquirer banks, and processors from receiving or charging an Illinois merchant any interchange fees on the gratuity and state and local tax portions of the transactions. This statute has an implementation date of July 1, 2026, and while subject to litigation, has not been enjoined. Other states are considering similar legislation, including some that is more expansive in its restrictions on interchange fees.

---

## New in Current Filing: Volcker Rule

Truist is prohibited under the Volcker Rule from (i) engaging in proprietary trading of certain securities and (ii) having certain ownership interests in and relationships with covered private funds. The Volcker Rule contains certain exemptions and exclusions, including for market-making, hedging, underwriting, and trading in U.S. government and agency obligations. Additionally, the Volcker Rule permits certain ownership interests in certain types of funds and permits the offering and sponsoring of funds under certain conditions. Truist maintains specific Volcker Rule compliance programs.

---

## New in Current Filing: Regulatory Regime for Swaps

The Dodd-Frank Act established a comprehensive regulatory regime for the OTC swaps market aimed at increasing transparency and reducing systemic risk in the derivatives markets, including requirements for central clearing, exchange trading, capital adequacy, margin, reporting, and recordkeeping. The Dodd-Frank Act requires that certain swap dealers and security-based swap dealers register with one or both of the SEC and the CFTC, depending on the nature of the swaps business. Truist Bank is registered with the CFTC as a swap dealer and is registered with the SEC as a security-based swap dealer, subjecting Truist Bank to the CFTC's and SEC's regulatory regimes. This includes trade reporting and recordkeeping requirements, business conduct requirements (including daily valuations, disclosure of material risks associated with swaps and disclosure of material incentives and conflicts of interest), and mandatory clearing and exchange trading requirements for certain standardized swaps designated by the CFTC. The NFA is the primary self-regulatory organization for Truist's swap dealer. Truist Bank's uncleared swaps and security-based swaps are subject to variation margin and initial margin requirements.

---

## New in Current Filing: Broker-Dealer and Investment Adviser Regulation

Truist's broker-dealer and investment adviser subsidiaries are subject to regulation by the SEC. FINRA is the primary self-regulatory organization for Truist's registered broker-dealer subsidiaries. Truist's broker-dealer and investment adviser subsidiaries are subject to additional regulation by states or local jurisdictions. The SEC and FINRA have enforcement powers over broker-dealers and investment advisers and can bring actions that result in fines, restitution, a limitation on permitted activities, disqualification to continue to conduct certain activities, and an inability to rely on certain favorable exemptions. Certain types of infractions and violations can affect Truist's ability to issue new securities expeditiously. In addition, certain changes in the activities of a broker-dealer require approval from FINRA, which may base its approval on a variety of factors, such as internal controls, capital levels, management experience and quality, prior enforcement and disciplinary history, and supervisory concerns.

---

## New in Current Filing: Other Regulatory Matters

Truist is subject to examination by federal and state banking regulators as well as the SEC, the CFTC, FINRA, the MSRB, the NFA, various taxing authorities, and various state securities and other regulators. Truist periodically receives requests for information on business and accounting practices from regulatory authorities in various states, including state attorneys general, securities regulators, and other regulatory authorities. Such requests are part of our normal conduct of business.

---

## New in Current Filing: Human Capital

Truist works as One Team - unified by its purpose, mission, and values - to meet clients' needs, uplift communities, empower teammates, and promote effective risk management and controls to drive performance. Truist recognizes that attracting the best talent, making investments in teammates, caring to better understand their backgrounds and experiences, and helping to bolster their career trajectories ultimately leads to more engaged and productive teammates, which can contribute to better client service and business outcomes for Truist overall. The Compensation and Human Capital Committee of the Board oversees the design and governance of Truist's compensation and benefit programs consistent with its compensation philosophy. This committee also provides oversight of Truist's human capital strategy that supports attracting, developing, and retaining qualified teammates. Truist strives to follow rigorous and dynamic talent practices, which develop teammates for success in a broad set of roles. Our talent practices include performance, succession, and progression planning. Truist's Enterprise Ethics Office manages the standards for ethical conduct and monitors conduct risks and related teammate concerns. The Enterprise Ethics Office also facilitates the Board's review and approval of the Code of Ethics. Through its risk monitoring and oversight routines, the Enterprise Ethics Office identifies trends and insights related to Truist's organizational culture and control environment, which are reported to the Executive-level ERC and the Board. 
The following table presents a summary of teammates as of December 31, 2025:

Table 2: Teammate Summary

| | # of Teammates | % of Population |
|---|---|---|
| Full-Time | 37,086 | 95.8% |
| Part-Time | 1,625 | 4.2% |
| Total | 38,711 | 100.0% |

Truist also leverages a contingent workforce, which is not reflected in the table, as an important part of the Company's overall workforce strategy. Truist aspires to foster a performance-based culture that is reinforced with transparency and feedback. Through transparency, we further our teammate mission of creating an inclusive and energizing environment that empowers teammates to learn, grow, and have meaningful careers. Promoting feedback allows for business settings where every teammate is respected, everyone matters and has a voice, and everyone feels welcome and empowered to make meaningful contributions. Collectively, this approach helps us to be competitive in meeting the needs of our clients and communities.

---

## New in Current Filing: Talent Practices

Truist utilizes a suite of talent practices providing insight into the state of our talent. Talent practices are designed to underpin and strengthen executive leaders' decisions, which are informed by data and insights. These practices include:

- Performance management - goal planning, feedback, check-ins, and performance evaluation.
- Succession planning - tools that identify potential interim, near- and longer-term internal successors designed to allow for optionality and business continuity.
- Talent assessment - manager evaluation of the forward-looking potential of eligible teammates through the lens of their performance, ability, agility, and aspiration as well as consideration of retention risk.
- Progression planning - helps teammates and managers chart a path for teammates to learn, grow, and have meaningful careers.
- Enterprise strategic workforce planning and skill assessments - a practice enabling the business to plan for the appropriate workforce capability and capacity in target job profiles.

---

## New in Current Filing: Talent Development

Truist teammates have access to programs and benefits for career advancement. Teammates can partner with a certified coach to help them identify and focus on potential career paths, create clear goals, and remain accountable in achieving those goals. For teammates who qualify, Truist also provides tuition assistance so teammates can continue formal education by seeking degrees that align with career goals or develop needed emerging skills through our Future Skills program. Truist offers career and job transparency through a set of resources including career discovery and career planning online services. Truist seeks to achieve a career destination culture through career mobility and pipeline strategies and programs, including Truist's Leadership Institute, which leverages developmental experiences, team optimization, executive coaching, and leadership development. In addition to career development opportunities, Truist provides learning experiences to new and existing teammates to help build the skills needed now and in the future, including role skill preparedness, upskilling for advancements, including the responsible use of emerging technologies such as AI, and access to skill building content for teammate-led learning. Truist Learning and Development also prioritizes and integrates regulatory-related training to mitigate risk across the organization. Truist has invested in innovative talent marketplace and learning technologies and believes that skill development leads to healthy and robust career mobility, which furthers our teammate value proposition and retention efforts.

---

## New in Current Filing: Compensation and Total Rewards

Truist's Compensation and Total Rewards enable its purpose, mission, and values, specifically Truist's mission to create an inclusive and energizing environment that empowers teammates. Truist aims to provide market competitive total rewards to attract and retain talent while enabling Truist's short- and long-term performance. Truist provides compensation and rewards that are designed to achieve positive business results, are based on market and internal assessments, and are aligned with risk management principles. Truist's benefits program for qualified teammates includes a company-funded defined benefit pension plan, a 401(k) plan, an employee stock purchase plan, Truist Momentum financial well-being education, healthcare coverage, and other insurance benefits. Truist also provides access to a Lifeforce physical well-being program, mental well-being support, paid time off, teammate and family resources such as access to backup child-care centers and family care resources, and on-site services such as health centers and fitness centers.

---

## New in Current Filing: Website Access to Truist's Filings with the SEC

Truist's electronic filings with the SEC, including the Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and amendments to these reports filed or furnished pursuant to Sections 13(a) or 15(d) of the Exchange Act are made available at no cost on the Company's Investor Relations website, https://ir.truist.com, as soon as reasonably practicable after Truist files such material with, or furnishes it to, the SEC. Truist's SEC filings are also available through the SEC's website at https://www.sec.gov. Truist may use its website to distribute Company information, including as a means of disclosing material, non-public information and for complying with its disclosure obligations under Regulation FD. Truist routinely posts and makes accessible financial and other information, including corporate responsibility and sustainability information, regarding Truist on its website. Investors should monitor Truist's website, including the Investor Relations portion, in addition to its press releases, SEC filings, public conference calls, and webcasts. The information on our website is not incorporated by reference into this report.

---

## New in Current Filing: Corporate Governance

Information with respect to the Board, Executive Officers, and corporate governance policies and principles is presented on Truist's Investor Relations website, https://ir.truist.com. Specifically, the Company makes available on its Investor Relations website, under the heading "Governance & Responsibility" (i) its Code of Ethics for the Board, senior financial officers, and teammates, (ii) its Corporate Governance Guidelines, and (iii) the charters of the Company's standing Board committees. If the Company makes changes in, or provides waivers from, the provisions of its Code of Ethics that the SEC requires it to disclose, the Company intends to disclose these events in the "Governance & Responsibility" section of its Investor Relations website.

Table 3: Information about our Executive Officers

| Executive Officer | Recent Work Experience | Years of Service | Age |
|---|---|---|---|
| **William H. Rogers, Jr.** Chairman and Chief Executive Officer | Chairman since March 2022. Chief Executive Officer since September 2021. President and Chief Operating Officer from December 2019 to September 2021. | 45 | 68 |
| **Michael B. Maguire** Senior Executive Vice President and Chief Financial Officer | Chief Financial Officer since September 2022. Chief National Consumer Finance Services and Payments Officer from September 2021 to September 2022. Head of National Consumer Finance and Payments from December 2019 to August 2021. | 23 | 47 |
| **Brad Bender** Senior Executive Vice President and Chief Risk Officer | Chief Risk Officer since November 2024. Interim Chief Information Officer from April 2024 to November 2024. Head of Enterprise Operational Services from November 2023 to April 2024. Head of Consumer Finance Solutions and Enterprise Operations and Global Services from May 2023 to November 2023. Head of Consumer Finance Solutions from September 2022 to May 2023. Head of Home Improvement Lending from August 2021 to September 2022. Head of Consumer Credit Risk and Policy Management from December 2019 to August 2021. | 21 | 45 |
| **Scott A. Stengel** Senior Executive Vice President, Chief Legal Officer, Head of Government Affairs, and Corporate Secretary | Chief Legal Officer, Head of Government Affairs, and Corporate Secretary since December 2023. General Counsel at Ally Financial Inc. from May 2016 to December 2023. | 2 | 54 |
| **Kristin Lesher** Senior Executive Vice President and Chief Wholesale Banking Officer | Chief Wholesale Banking Officer since February 2024. Executive Vice President and Head of Commercial Banking Coverage at Wells Fargo from October 2021 to November 2023. Head of East Region Commercial Banking Coverage at Wells Fargo from November 2018 to October 2021. | 2 | 53 |
| **Dontá L. Wilson** Senior Executive Vice President and Chief Consumer and Small Business Banking Officer | Chief Consumer and Small Business Banking Officer since November 2023. Chief Retail & Small Business Banking Officer from March 2022 to November 2023. Chief Digital and Client Experience Officer from November 2018 to March 2022. | 27 | 49 |

---

## No Match in Current: Compliance Risks

*This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.*

- Truist is subject to extensive and evolving government regulation and supervision, which could adversely affect our business, financial condition, results of operations, and prospects.
- Regulatory capital and liquidity standards and future revisions to them may negatively impact our business and financial results.
- Truist is subject to risks related to originating and selling loans, including repurchase and indemnification obligations.
- Truist faces risks as a servicer of loans.
- Truist faces substantial risks in safeguarding personal and other sensitive information.
- Differences in regulation and supervision can affect the Company's ability to compete effectively.

---

## No Match in Current: Reputational Risks

*This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.*

- Negative public opinion, whether real or perceived, or our failure to successfully manage it could damage the Company's reputation and adversely impact our business, financial condition, results of operations, and prospects.

---

## No Match in Current: Talent Management Risks

*This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.*

- We could be harmed by an inability to attract, develop, retain, and motivate qualified teammates while effectively managing recruiting and compensation costs amid highly competitive and rapidly changing market conditions.
- The Company's operations rely on its ability, and the ability of key external parties, to maintain appropriately staffed workforces and on the competence, trustworthiness, health, and safety of teammates.

---

## No Match in Current: Regulatory and Legal Risks

*This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.*

The Company may incur damages, fines, penalties, and other negative consequences from past, current, or future supervisory actions and regulatory or other legal violations, including inadvertent or unintentional violations. Truist maintains systems and procedures designed to support its compliance with applicable laws and regulations, but there can be no assurance that these will be effective. In addition to fines and penalties, the Company may suffer other negative consequences from supervisory actions and regulatory violations, including restrictions on certain activities and damage to the Company's reputation, which in turn might adversely affect the Company's business and results of operations. Federal and state law grants substantial enforcement and supervisory powers to federal and state banking regulators and law enforcement agencies if the regulated entities fail to comply with applicable laws or to maintain a risk and control environment that meets the standards and expectations of the regulators. This enforcement and supervisory authority includes, among other things, the ability to assess significant civil or criminal monetary penalties, fines, or restitution; to issue cease and desist or removal orders; to issue formal and informal enforcement orders; and to initiate injunctive actions against banking organizations and institution-affiliated parties. These enforcement and supervisory actions may be initiated for violations of laws and regulations or unsafe and unsound practices. In addition, governmental authorities have, at times, sought criminal penalties against companies in the financial services sector for violations, and, at times, have required an admission of wrongdoing, criminal pleas or other extraordinary terms from financial institutions in connection with resolving such matters. 
Criminal convictions or criminal pleas or admissions of wrongdoing in a settlement with the government can lead to greater exposure in civil litigation, reputational harm, and other significant collateral consequences, such as restrictions on engaging in new activities or acquisitions, loss of clients, restrictions on the ability to access the capital markets, and the inability to operate certain businesses or offer certain products for a period of time. The Company could become subject to a significant regulatory investigation or supervisory action and be unable to disclose specific information concerning it to the public if such a disclosure would violate the Company's obligations under applicable rules and regulations to maintain the confidentiality of confidential supervisory information. Regulatory investigations, examinations or other initiatives by governmental authorities may subject the Company to litigation, settlements, fines, penalties or other sanctions, and may require the Company to engage in remediation, provide restitution to customers or to restructure its operations and activities or to cease offering certain products or services. Any of these potential outcomes could harm the Company's business, results of operations, financial condition, prospects or reputation or could result in collateral or ancillary consequences. In addition, our exposure to legal and regulatory matters can be unpredictable and could, in some cases, exceed the Company's accruals for those matters. Pending or threatened legal proceedings and other matters may adversely affect the Company's business, financial condition, results of operations, and reputation. In the ordinary course of its business, the Company is subject to lawsuits, claims, and formal and informal enforcement activity, including regulatory investigations, either directly or indirectly through our ownership interests in other entities. 
The volume of legal proceedings against participants in the financial services industry, including the Company, is substantial, and enforcement actions by regulatory authorities are becoming more common in the current regulatory environment. Legal proceedings against financial services firms may increase depending on factors such as market downturns, changes in law, and increased regulatory scrutiny. Heightened regulatory scrutiny or the results of an investigation or examination may lead to additional regulatory investigations or enforcement actions. Those actions could result in regulatory settlements or other enforcement actions against Truist. Furthermore, a single event involving a potential violation of law or regulation may give rise to numerous and overlapping investigations and proceedings by multiple federal and state agencies and officials. In addition, if one or more financial institutions are found to have violated a law or regulation relating to certain business activities, this could lead to investigations by regulators or other governmental agencies of the same or similar activities by other financial institutions, including Truist, and large fines and remedial measures that may have been imposed in resolving earlier investigations for the same or similar activities at other financial institutions may be used as the basis for future settlements. Truist can also be subject to lawsuits, claims, and enforcement activity indirectly through its ownership of interests in other entities. 
These other entities can themselves be subject to government regulation, supervision, and examination, and their failure to comply with applicable laws, rules, regulations, or regulatory requirements or expectations could have negative consequences for Truist, including a decrease in the value of Truist's investment in the other entity, damage to Truist's reputation from being an owner or otherwise associated with the other entity, or a requirement for Truist and the other owners to contribute funds to pay for judgments, settlements, fines, or client redress arising from the lawsuits, claims, or enforcement activity. Failure by another entity in which Truist has an ownership stake to comply with applicable laws, rules, regulations, or regulatory requirements or expectations could also lead to lawsuits, claims, or enforcement activity directly against the owners of the other entity, including Truist. Claims and legal actions, including class action lawsuits and enforcement proceedings, could involve large monetary amounts, significant defense costs, and result in settlements, judgments, or orders that include penalties, fines, injunctions, or other forms of relief that are adverse to the Company. Responding to inquiries, investigations, lawsuits, and other proceedings is time-consuming and expensive and can divert senior management attention from Truist's business. The outcome of any such legal proceedings, as well as the timing of any ultimate resolutions, may be difficult to predict or estimate. Actual legal and other costs arising from claims and legal actions may be greater than the Company's accruals. Further, the Company may not have accruals for all legal proceedings where we face a risk of significant loss. 
The ultimate resolution of a pending legal proceeding or significant regulatory or government action against the Company could adversely affect the Company's results of operations and financial condition or cause significant reputational harm, which may adversely impact the Company's business prospects. Further, the Company may be exposed to substantial uninsured liabilities, which could adversely affect the Company's results of operations and financial condition. Refer to the Legal Proceedings and Other Matters section in "Note 16. Commitments and Contingencies" for additional information.

---

## No Match in Current: Reputational Risks

*This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.*

Negative public opinion, whether real or perceived, or our failure to successfully manage it could damage the Company's reputation and adversely impact our business, financial condition, results of operations, and prospects. Truist's earnings, capital, and stock price are subject to risks associated with negative public opinion. Negative public opinion could result from the Company's actual or alleged conduct in any number of activities, including lending, sales, training, quality assurance, client complaint resolution, and other operating practices, incentive compensation design and governance, corporate governance, acquisitions, a data breach of client or teammate information, or the failure of any product or service sold to meet clients' expectations or applicable regulatory requirements. There can be no assurance that the Company's processes and actions will meet regulatory or other stakeholders' standards or expectations. Findings from self-identified or regulatory reviews require responsive actions, which may include increased investments in compliance systems and teammates or the payment of fines, penalties, increased regulatory assessments, or client redress and may increase legal or reputational risk exposures. In addition, the public perception that a cyberattack on the Company's systems has been successful, whether or not this perception is correct, may damage the Company's reputation with clients and third parties with whom the Company does business. Any cybersecurity breaches, attacks, and other similar incidents, including the compromise of personal information, could significantly harm Truist's reputation, which could adversely affect the Company's financial condition and results of operation. Negative public opinion could also result from heightened and differing stakeholder expectations regarding environmental and social considerations that may affect Truist and clients of Truist. 
The proliferation of social media may increase the likelihood that negative public opinion from any of the real or perceived events discussed above could impact our reputation and business. Negative public opinion could adversely affect the Company's ability to attract and retain clients and teammates and can result in litigation and regulatory actions. Actual or alleged conduct by one of the Company's businesses can result in negative public opinion about the Company's other businesses. Actual or alleged conduct by another financial services company can result in negative public opinion about the financial services industry in general and, as a result, adversely affect Truist. Our efforts to identify, measure and monitor reputational risk and communicate, internally and externally, such risks to key stakeholders, may be ineffective, untimely, or otherwise result in adverse effects on the Company.

---

## No Match in Current: Talent Management Risks

*This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.*

We could be harmed by an inability to attract, develop, retain, and motivate qualified teammates while effectively managing recruiting and compensation costs amid highly competitive and rapidly changing market conditions. The Company's success depends, to a large degree, upon the continued services of executive officers and other key teammates who have extensive experience and expertise in the industry, and the Company's ability to attract, develop, and retain high performing, and well-qualified teammates. The Company faces significant competition in the recruitment of highly motivated teammates who can deliver Truist's purpose, mission, and values. Changes in teammate preferences for work environments, in particular the desire of teammates to work remotely for many or all of their hours, may impact our ability to attract and retain qualified teammates. The Company's business or its ability to execute its business strategy and provide high quality service may suffer: due to the loss of key or highly-skilled teammates or a failure to successfully transition key roles; if the Company is unable to recruit, develop, or retain a sufficient number of qualified teammates; or if the costs of teammate compensation or benefits increase substantially. The U.S. banking agencies have jointly issued comprehensive guidance to support incentive compensation policies and practices that do not undermine the safety and soundness of banking organizations by encouraging teammates to take imprudent risks. This guidance significantly affects the amount, form, and context of incentive compensation that may be provided to teammates and could negatively affect Truist's ability to compete for talent relative to non-banking companies. 
The Company's operations rely on its ability, and the ability of key external parties, to maintain appropriately staffed workforces and on the competence, trustworthiness, health, and safety of teammates. Truist's ability to operate its businesses efficiently and profitably, to offer products and services that meet the expectations of its clients, and to maintain an effective risk management framework is highly dependent on its ability to staff its operations appropriately and on the competence, integrity, health, and safety of its teammates. Truist is similarly dependent on the workforces of other parties on which its operations rely, including vendors and other service providers. Truist's businesses could be adversely affected by the ineffective implementation of business decisions; any failure to institute controls that appropriately address risks associated with business activities, or to appropriately train teammates with respect to those risks and controls; or staffing shortages, particularly in tight labor markets. Changes in law or regulation in jurisdictions in which our operations are located that affect teammates may also adversely affect our ability to hire, develop, and retain qualified teammates in those jurisdictions. In addition, the Company's business could be adversely impacted by a significant operational breakdown or failure, theft, fraud, or other unlawful conduct, or other negative outcomes caused by human error or misconduct by a teammate of Truist or a teammate of another party on which Truist's operations depend. 
Truist's operations could also be impaired if the measures taken by it or by governmental authorities to support the health and safety of its teammates are ineffective, or if any external party on which Truist relies fails to take appropriate and effective actions to protect the health and safety of its teammates.

---

## No Match in Current: ITEM 1C. CYBERSECURITY

*This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.*

The following is a discussion of Truist's cybersecurity risk management strategy and governance. Refer to the "Risk Management" section of Part II, Item 7 for additional discussion.

**Cybersecurity risk management and strategy**

Like other financial services firms, Truist faces an increasingly complex and evolving cybersecurity threat environment. See Item 1A, "Risk Factors" for information on risks from cybersecurity threats. We maintain a risk-based cybersecurity framework that is part of our ERM Framework. It is implemented through people, processes, and technology, whereby we assess, identify, and manage material risks from cybersecurity threats, and seek to adapt our risk mitigation activities accordingly. Foundationally, our cybersecurity framework is based upon the National Institute of Standards and Technology for Improving Critical Infrastructure Cybersecurity and is also designed to incorporate elements from additional industry standards, such as those of the Federal Financial Institutions Examination Council, to better suit the Company's cyber risk profile. In addition, our cybersecurity framework incorporates internal and third-party capabilities that drive the development and implementation of our data security strategy, which is designed to reduce cybersecurity risk while enabling Truist's corporate business objectives.

**Processes for assessing, identifying, and managing material risks from cybersecurity threats**

We maintain an Information Security Program that specifies how we execute our cybersecurity framework. The Information Security Program is designed to assess, identify, and manage risks arising from the cybersecurity threats facing Truist. Truist maintains cybersecurity and information security policies, procedures, and technologies that are intended to protect our clients', teammates' and our own data against unauthorized disclosure, modification, and misuse. 
These policies, procedures, and technologies cover a broad range of areas, including identification of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response, and recovery planning. For example, to further mitigate the risks presented by an evolving cyber threat landscape, Truist:

- provides data protection guidance to clients;
- promotes data protection awareness and accountability through mandatory teammate training; and
- conducts scenario-driven test exercises simulating impacts and consequences developed through analysis of real-world incidents as well as known and anticipated cyber threats. These exercises are designed to assess the viability of Truist's crisis response and management programs and provide the basis for improvement.

In addition, as a key part of the Company's Information Security Program, Truist participates in the federally recognized Financial Services Information Sharing and Analysis Center, as well as other industry organizations and initiatives that promote industry best practices, such as harmonized cybersecurity standards, cyber readiness, and secure consumer financial data sharing.

Our Cyber Incident Response Team is responsible for identifying, triaging, and containing cybersecurity threats and incidents, including, to the extent possible, those experienced by third-party service providers. Incidents with potential for higher impacts are routed to an enterprise response function that coordinates the response activities across impacted resource groups and business stakeholders. Through this structure, Truist manages its cyber, business, and legal obligations, including escalation to executive management and the Board, as appropriate, client and regulatory notifications, and remediation activities. 
Our Information Security Program is also designed to help oversee, identify, and mitigate cybersecurity risks associated with our use of third-party service providers. Following an initial assessment of the level of enterprise risk potentially posed by use of the third party, the service provider is then subject to further risk-based assessments on its operational resilience and cybersecurity practices, including disaster recovery and business continuity plans that specify the time frame to resume activities and recover data. In its agreements with third-party service providers, Truist requires service providers to adhere to Truist's relevant cybersecurity and operational resilience standards, subject to certain exceptions that are managed on a case-by-case basis. Our Information Security Program is assessed periodically to test the effectiveness of key controls through cybersecurity maturity measurements, technology risk oversight, compliance risk management testing and monitoring, internal audit review, and regulatory oversight. In addition, Truist maintains disaster recovery plans that are reviewed, modified, and approved annually.

**Management's role in assessing and managing material risks from cybersecurity threats**

Truist's Information Security Program is operated and maintained by management, including the CIO, interim CISO, and CRO. These senior officers are responsible for assessing and managing Truist's cybersecurity risks. Our Information Security Program also includes processes for escalating and considering the materiality of incidents that impact Truist, including escalation to executive management and the Board, which are periodically tested through tabletop exercises to assess Truist's preparedness. 
Our cybersecurity framework strategy, which is overseen by the interim CISO, is informed by various risk and control assessments, control testing, external assessments, threat intelligence, and public and private information sharing. In addition, various management committees assess and manage Truist's cybersecurity risks. These committees promote visibility and awareness of cybersecurity risks and drive action and escalation as needed. The primary management committees involved in Truist's Information Security Program are the Enterprise Technology Risk Committee and the Technology Risk Oversight Committee, each of which is a sub-committee of the ERC. Truist's cybersecurity teams that implement the Information Security Program and the risk partners who oversee the program leverage these committees to report on and escalate current or emerging cybersecurity risks or other changes in the business environment which could affect Truist's risk profile or control environment. As discussed in more detail in the "Risk Management" section of Part II, Item 7, the ERC is a cross-functional executive forum to promote awareness and dialogue on risk matters across the enterprise, including cybersecurity risks, oversee the execution of risk program requirements and sound risk management activities, and enact delegated decision-making authority and oversight routines from the BRC. Our CRO and CIO are members of the ERC. The interim CISO provides updates at every ERC meeting on cybersecurity and information security risk. The Enterprise Technology Risk Committee provides business unit oversight of key management activities, including the Company's Information Security Program. The Technology Risk Oversight Committee provides oversight of key risk management activities to identify, assess, monitor, mitigate, and report on technology (including core technology, data and cybersecurity) risk across the enterprise. 
These sub-committees serve as governing forums for monitoring and escalating significant cybersecurity as well as other technology risk matters to the ERC. The members of management that lead our Information Security Program and strategy have extensive experience in technology, cybersecurity, and information security. Our CRO previously served as our interim CIO and has more than 20 years of banking experience spanning a variety of roles in both the commercial and consumer segments, including credit risk, portfolio risk management, model management, acquisition integrations, technology, and vertically integrated operations for revenue producing businesses, including leading operational services across Truist for deposits, payments, credit card, capital markets, consumer and wholesale lending, fraud, and care centers across all products. Our CIO has over 25 years of experience leading technology teams at financial institutions, including in the areas of application development, infrastructure, information technology strategy, risk management, and information security. Following the departure of our CISO in November 2024, the CIO is serving as our interim CISO while our search for a permanent CISO continues. The CIO's direct reports have on average over 20 years of experience with technology management and information security at financial institutions, including in the areas of governance, operations, application and data protection, access management, and business information security.

**Board of Directors' oversight of risks from cybersecurity threats**

Our Board has primary responsibility for the oversight of our enterprise risk management and exercises its oversight function in respect of cybersecurity risk through the BRC. The BRC is responsible for overseeing Truist's risk management function, including approving and reviewing Truist's risk management framework and policies, and overseeing management's implementation of such framework and policies. 
The oversight responsibility of our Board and the BRC is facilitated through management-reporting processes designed to provide visibility to the Board on cybersecurity matters. For example, members of the BRC receive regular reports from our CRO and interim CISO related to information technology and cybersecurity risks to Truist. The BRC meets periodically with risk management advisors and discusses with executive management any cybersecurity recommendations received. Management also discusses urgent cybersecurity developments with the Chairs of the BRC and BTC between Board and committee meetings, as appropriate. The Board annually reviews and approves our Information Security Program and Information Security Policy. Additionally, the BTC provides oversight of Truist's technology strategy, including elements of it that involve cybersecurity. Truist provides ongoing development and education to its directors with respect to cybersecurity, including presentations at Board meetings on special topics, such as updates on cybersecurity legislation and regulation. The Board also conducts a cybersecurity tabletop exercise at least every other year to simulate Truist's analysis and response to hypothetical cybersecurity incidents. In addition, Truist provides directors with a Board Cybersecurity Handbook that provides details on key Truist practices, resources, and protocols relating to cybersecurity protection, response, and preparedness. Finally, as required by the Gramm-Leach-Bliley Act, the Board receives an update at least annually on Truist's Information Security Program.

---

## Modified: Liquidity Risks

**Key changes:**

- Reworded sentence: "Truist competes for deposit funding with banks and other financial institutions and with money market funds and other providers of deposit equivalents."
- Reworded sentence: "For example, in 2025, maintaining and growing client deposits continued to be challenging as the Federal Reserve System reduced the size of its balance sheet through quantitative tightening."
- Reworded sentence: "In addition, idiosyncratic factors affecting the Company, including realization of other risks described herein, as well as other factors outside of the Company's control, such as a general market disruption or an operational problem that affects service providers or intermediaries, could impair the Company's ability to access short-term or contingent funding sources or create an unforeseen outflow of cash due to, among other factors, draws on unfunded commitments or attrition of non-FDIC-insured and other deposits."
- Reworded sentence: "The GSEs could limit their purchases of conforming loans due to capital constraints or other changes in their eligibility criteria for conforming loans, such as maximum loan amounts or borrower eligibility."
- Reworded sentence: "Credit ratings may also be influenced by other factors, some of which are outside the Company's control, such as recent and anticipated economic trends, geopolitical risk, legislative and regulatory developments, perceptions of the banking industry and U.S."

**Prior (2025):**

Our inability to retain and grow deposits or a change in deposit costs or mix could negatively impact our funding strategy and financial results. Deposits are a relatively low cost and stable source of funding. Truist competes with banks and other financial institutions for deposits and as a result, the Company could lose deposits in the future, clients may shift their deposits into higher yielding or alternate savings vehicles, or the Company may need to raise interest rates to avoid deposit attrition. Funding costs may also increase if deposits lost are replaced with wholesale funding. Higher funding costs reduce Truist's net interest margin, net interest income, and net income. For example, in 2024, maintaining and growing deposits continued to be challenging with the FRB continuing to reduce the size of its balance sheet through quantitative tightening and sustained increased interest rates giving clients an incentive to move deposits to money market funds and other higher-yielding alternatives. In addition, our ability to maintain, grow, or favorably price deposits may be constrained by gaps in our product and service offerings, changes in consumer trends, our scale relative to other financial institutions, competition from fintech companies and emerging financial-services providers, any failures or deterioration in our client service, or any loss of confidence in our brand or our business. Truist's liquidity could be impaired by an inability to access short-term funding, an unforeseen outflow of cash, or an inability to monetize liquid assets. Liquidity is the ability to fund increases in assets and meet obligations as they come due, all without incurring unacceptable costs. Banks are especially vulnerable to liquidity risk because of their reliance on demand or short-term deposits to fund longer-term loans or other extensions of credit. 
We, like other financial-services companies, rely to a significant extent on external sources of funding, such as deposits and borrowings, for the liquidity needed to conduct our business and operations. A number of factors beyond our control, however, could have a detrimental impact on the availability or cost of that funding and thus on our liquidity. When volatility or disruptions occur in the wholesale funding markets, the Company's ability to access short-term liquidity could be impaired. In addition, idiosyncratic factors, including realization of other risks described herein, as well as other factors outside of the Company's control, such as a general market disruption or an operational problem that affects third parties, could impair the Company's ability to access short-term or contingent funding sources or create an unforeseen outflow of cash due to, among other factors, draws on unfunded commitments or deposit attrition. The Company's inability to monetize liquid assets without unacceptable losses or to access short-term funding or capital markets could constrain the Company's ability to make new loans or meet existing lending commitments and could ultimately jeopardize the Company's overall liquidity and capitalization. While our policies and controls are designed to enable us to maintain adequate liquidity to conduct our business in the ordinary course even in a stressed environment, our liquidity position could still become compromised. Such an event could damage the performance and value of our business, prompt regulatory intervention and private litigation, harm our reputation, and cause a loss of client and investor confidence, and if the condition were to persist for any appreciable period of time, our viability as a going concern could be threatened. A disruption in our access to the mortgage secondary market and GSEs for liquidity could negatively affect us. 
Truist sells a portion of the mortgage loans that it originates to reduce the Company's retained credit risk and to provide funding capacity for originating additional loans. The GSEs could limit their purchases of conforming loans due to capital constraints or other changes in their eligibility criteria for conforming loans (e.g., maximum loan amount or borrower eligibility). This potential reduction in purchases could limit the Company's ability to fund new loans. Proposals have been presented to reform the housing finance market in the U.S., including the role of the GSEs in the housing finance market. The extent and timing of any such regulatory reform of the housing finance market and the GSEs, as well as any effect on the Company's business and financial results, are uncertain. The Company's cost of funding or access to the banking and capital markets could be adversely affected if our credit ratings are downgraded or otherwise fail to meet investor expectations. Credit ratings are influenced by many factors, including the Company's profitability, asset quality, capital levels, liquidity, business mix, operations, and risk management practices. Credit ratings may also be influenced by other factors, some of which are outside the Company's control, such as recent and anticipated economic trends, geopolitical risk, legislative and regulatory developments, including implied levels of government support during a crisis, environmental, social, and governance considerations, and litigation, as well as changes to the rating agencies' methodologies. There can be no assurance we will be able to maintain our current ratings and outlooks. Truist's failure to maintain credit ratings could adversely affect funding costs and increase the Company's cost of capital. A ratings downgrade could affect the Company's ability to attract or retain funding, including deposits from commercial and corporate clients. 
Additionally, a downgrade to Truist's credit ratings might also adversely impact the Company's ability to conduct derivatives business with certain clients and counterparties and could trigger obligations to make cash or collateral payments to certain clients and counterparties. The Parent Company could have less access to funding sources and its liquidity could be constrained if the Bank becomes unable to pay dividends. The Parent Company relies upon capital markets access and dividends from affiliates for funding and has less access to contingent funding sources than the Bank. If the Bank were subject to a financial stress, its dividends to the Parent Company could be reduced or eliminated in order to support Bank capital ratios or other regulatory requirements. This would increase the Parent Company's reliance on capital markets at a time when credit spreads and funding costs are likely elevated due to the stress impacting the Bank and would also impair the Parent Company's ability to serve as a source of strength to its subsidiaries. The financial system is highly interrelated, and financial or systemic shocks or the failure of even a single financial institution or other participant in the financial system could adversely impact us. Adverse developments affecting the overall strength and soundness of other financial institutions, the financial services industry as a whole, the macroeconomic climate, and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of our business even if we are not subject to the same adverse developments. In addition, adverse developments with respect to third parties with whom we have important relationships could also negatively impact perceptions about us. 
These perceptions about us could cause our business to be negatively affected and exacerbate the other risks that we face. Truist may be impacted by actual or perceived soundness of other financial institutions, including as a result of the financial or operational failure of a major financial institution, or concerns about the creditworthiness of such a financial institution or its ability to fulfill its obligations, which can cause substantial and cascading disruption within the financial markets and increased expenses, including FDIC insurance premiums or special assessments, and could affect our ability to attract and retain depositors and to borrow or raise capital. The failure of other banks and financial institutions and the measures taken by governments, businesses, and other organizations in response to these events could adversely impact the Company's business, financial condition, and results of operations. The Company's ability to engage in routine funding transactions could be adversely affected by the actions and commercial soundness of other financial institutions. Financial services institutions are interrelated as a result of trading, clearing, counterparty, and other relationships. Truist has exposure to many different industries and counterparties and routinely executes transactions with counterparties in the financial industry, including brokers and dealers, central counterparties, commercial banks, investment banks, mutual and hedge funds, and other institutional investors and clients. As a result, defaults by, or even rumors or questions about, one or more financial services institutions or the financial services industry generally, in the past have led to market-wide liquidity problems and could lead to losses or defaults by Truist or by other institutions. Many of these transactions expose the Company to credit risk in the event of default of the Company's counterparty or client. 
In addition, the Company's credit risk may be exacerbated when the collateral held by Truist cannot be liquidated or is liquidated at prices not sufficient to recover the full amount of the Company's exposure. Any such losses could adversely affect the Company's results of operations and financial condition.

**Current (2026):**

Our inability to retain and grow deposits or a change in deposit costs or mix could negatively impact our funding strategy and financial results. Deposits are a relatively low cost and stable source of funding. Truist competes for deposit funding with banks and other financial institutions and with money market funds and other providers of deposit equivalents. If we are unable to compete effectively, deposits can be lost. In addition, our funding costs can increase if we are required to raise interest rates to avoid deposit attrition or to replace deposits with wholesale funding. Higher funding costs reduce Truist's net interest margin, net interest income, and net income. For example, in 2025, maintaining and growing client deposits continued to be challenging as the Federal Reserve System reduced the size of its balance sheet through quantitative tightening. The future direction of the Federal Reserve System balance sheet and the level of excess reserves in the banking system may have implications for deposit gathering and competition. Our ability to maintain, grow, or favorably price deposits also may be constrained by gaps in our product and service offerings, changes in client trends, our scale relative to other financial institutions, competition from financial technology companies and emerging financial-services providers, any failures or deterioration in our client service, or any loss of confidence in our brand or our business. For example, deposits and other traditional banking products could be significantly disrupted by an increase in the adoption and use of digital assets, stablecoins, cryptocurrencies, tokenization, and similar products, services, and technologies that enable financial services and transactions without or with less intermediation by commercial banks. 
Truist's liquidity could be impaired by an inability to access short-term funding, an unforeseen outflow of cash, or an inability to monetize liquid assets. Liquidity is the ability to fund increases in assets and meet obligations as they come due, all without incurring unacceptable costs. Banks are especially vulnerable to liquidity risk because of their reliance on demand or short-term deposits to fund longer-term loans or other extensions of credit. We, like other financial-services companies, rely to a significant extent on external sources of funding, such as deposits and borrowings, for the liquidity needed to conduct our business and operations. A number of factors beyond our control, however, could have a detrimental impact on the availability or cost of that funding and thus on our liquidity. When volatility or disruptions occur in the wholesale funding markets, the Company's ability to access short-term liquidity could be impaired. In addition, idiosyncratic factors affecting the Company, including realization of other risks described herein, as well as other factors outside of the Company's control, such as a general market disruption or an operational problem that affects service providers or intermediaries, could impair the Company's ability to access short-term or contingent funding sources or create an unforeseen outflow of cash due to, among other factors, draws on unfunded commitments or attrition of non-FDIC-insured and other deposits. Refer to the "Funding Activities" section in MD&A for additional discussion of deposits. 
The Company's inability to monetize liquid assets without unacceptable losses or to access short-term funding or capital markets could constrain the Company's ability to make new loans or meet existing lending commitments and could ultimately jeopardize the Company's overall liquidity and capitalization. While our policies and controls are designed to enable us to maintain adequate liquidity to conduct our business in the ordinary course even in a stressed environment, our liquidity position could still become compromised. Such an event could damage the performance and value of our business, prompt regulatory intervention and private litigation, harm our reputation, and cause a loss of client and investor confidence, and if the condition were to persist for any appreciable period of time, our viability as a going concern could be threatened. A disruption in our access to the mortgage secondary market and GSEs for liquidity could negatively affect us. Truist sells a portion of the mortgage loans that it originates to reduce the Company's retained credit risk and to provide funding capacity for originating additional loans. The GSEs could limit their purchases of conforming loans due to capital constraints or other changes in their eligibility criteria for conforming loans, such as maximum loan amounts or borrower eligibility. This potential reduction in purchases could limit the Company's ability to fund new loans and other financial products and services. Proposals are presented from time to time to reform the housing finance market in the U.S., including the role of the GSEs in the housing finance market. The extent and timing of any such regulatory reform of the housing finance market and the GSEs, as well as any effect on the Company's business and financial results, are uncertain. 
The Company's cost of funding or access to the banking and capital markets could be adversely affected if our credit ratings are downgraded or otherwise fail to meet investor expectations. Credit ratings are influenced by many factors, including the Company's profitability, asset quality, capital levels, liquidity, business mix, operations, and risk management practices. Credit ratings may also be influenced by other factors, some of which are outside the Company's control, such as recent and anticipated economic trends, geopolitical risk, legislative and regulatory developments, perceptions of the banking industry and U.S. financial stability, environmental, social, and governance considerations, litigation, and changes to the rating agency methodologies. There can be no assurance we will be able to maintain our current credit ratings and outlooks. Truist's failure to maintain credit ratings could adversely affect funding costs and increase the Company's cost of capital. A ratings downgrade could affect the Company's ability to attract or retain funding, including deposits from commercial and corporate clients. Additionally, a downgrade to Truist's credit ratings may adversely impact the Company's ability to conduct derivatives business with certain clients and counterparties and could trigger obligations to make cash or collateral payments to certain clients and counterparties. The Parent Company relies on dividends from Truist Bank for its liquidity needs, the payment of which is limited by statutes and regulations, and the Parent Company could have less access to funding sources and its liquidity could be constrained if Truist Bank becomes unable to pay dividends. The Parent Company relies upon capital markets access and dividends from subsidiaries for funding and has less access to contingent funding sources than Truist Bank. 
If Truist Bank were subject to financial stress, its dividends to the Parent Company could be reduced or eliminated in order to support Truist Bank's capital position or its satisfaction of other regulatory requirements. This would increase the Parent Company's reliance on capital markets and other wholesale funding at a time when credit spreads and funding costs are likely to be elevated due to the stress impacting Truist Bank and would also impair the Parent Company's ability to serve as a source of strength to its subsidiaries. The financial system is highly interrelated, and financial or systemic shocks or the failure of even a single financial institution or other participant in the financial system could adversely impact us. Adverse developments affecting the overall strength and soundness of other financial institutions, the financial services industry as a whole, the macroeconomic climate, and the U.S. Treasury market could have a negative impact on perceptions about the strength and soundness of Truist even if we are not subject to the same adverse developments. In addition, adverse developments with respect to counterparties, intermediaries, and other third parties with whom we have important relationships could also negatively impact perceptions about us. These perceptions about us could cause our business and operations to be negatively affected and exacerbate the other risks that we face. 
Truist may be impacted by the actual or perceived soundness of other financial institutions, including as a result of the financial or operational failure of a major financial institution or concerns about the creditworthiness of such a financial institution or its ability to fulfill its obligations, which can cause substantial and cascading disruption within the financial markets. Such an event may negatively affect our financial results due to increased expenses, including FDIC insurance assessments or special assessments, and challenges in attracting and retaining funding from depositors, the capital markets, and other sources. The measures taken by governments, businesses, and other organizations in response to such an event also could adversely impact the Company's business, financial condition, and results of operations. The Company's ability to engage in routine funding transactions could be adversely affected by the actions and commercial soundness of other financial institutions. Financial institutions are interrelated as a result of trading, clearing, counterparty, and other relationships. Truist routinely executes transactions with brokers and dealers, central counterparties, commercial banks, investment banks, mutual and hedge funds, and other counterparties in the financial industry. Defaults by or even rumors or questions about the soundness of one or more of these counterparties or the financial services industry generally have led to market-wide liquidity constraints and could lead to losses or defaults by Truist or other financial institutions. These liquidity challenges and credit losses, together with related consequences, could adversely affect the Company.

---

## Modified: Strategic Risks

**Key changes:**

- Reworded sentence: "Ineffective execution of strategic initiatives could adversely affect investor sentiment and the Company's business, financial condition, results of operations, prospects, and reputation."
- Reworded sentence: "In addition, the execution of our strategies may be impacted by our response to external factors, including geopolitical, macroeconomic, social, cultural, competitive, and regulatory factors."
- Reworded sentence: "Truist also competes with nonbank companies and, in some cases, with companies other than those traditionally considered financial sector participants."
- Reworded sentence: "The adoption of new technologies by competitors, including internet banking services, mobile applications, advanced ATM functionality, digital assets, tokenization, stablecoins and cryptocurrencies, and similar products, services, and technologies that enable financial services and transactions without or with less intermediation by commercial banks, is likely to require the Company to make substantial investments to modify or adapt the Company's existing products and services or even radically alter the way Truist conducts business."
- Reworded sentence: "If we are unable to successfully adopt and implement new technologies in a way that meets customer and industry demand, we may lose market share or deposits, including as a result of financial disintermediation."

**Prior (2025):**

Ineffective execution of strategic initiatives could adversely affect investor sentiment and our business and financial results. There is no guarantee that our strategic initiatives, including initiatives to drive focused growth, achieve operational excellence and efficiency, and leverage modern and scalable technology, will be successful and improve profitability or allow us to return capital to shareholders. Our execution of strategic initiatives may be impacted by internal factors, such as maintaining a level of earnings appropriate to support growth objectives, the ability to maintain dividends in various economic cycles, or the successful delivery of innovation and technology strategies. In addition, our execution of our strategies may be impacted by our response to external factors, including geopolitical, macroeconomic, social, cultural, competitive, and regulatory factors. To the extent we are impeded or unable to execute effective strategic initiatives, our prospects for growth, earnings, capital levels, and stock price, as well as stakeholder confidence in Truist, could be adversely affected. Competition may reduce Truist's client base or cause Truist to modify the pricing or other terms for products and services, which could have an adverse impact on our business and financial results. Truist operates in a highly competitive industry that could become even more competitive with growth in areas such as digital financial service providers and other nonbank platforms. Increased competition could arise from technological advancements, legislative and regulatory changes, as well as competition from other financial services companies, some of which may be subject to less extensive regulation than Truist. The Company's success depends, in part, on the Company's ability to adapt its offering of products and services to evolving industry standards and client expectations. 
The widespread adoption of new technologies has required and will continue to require substantial investments to modify existing products and services or to develop new products and services. In addition, there is increasing pressure to provide products and services at lower prices further reducing contribution margins. The Company may not be successful in introducing new products and services in response to industry trends or developments in technology or those new products may not achieve market acceptance. Truist also competes with nonbank companies and, in some cases, with companies other than those traditionally considered financial sector participants. In particular, technology companies are increasingly focusing on the financial sector, either in partnership with competitor banking organizations or on their own. These companies generally are not subject to the same regulatory oversight as main street financial institutions and may accordingly realize certain cost strategies and offer products and services at more favorable rates and with greater convenience to the client. This competition could result in the loss of clients and revenue in areas where fintechs are operating. As the pace of technology and change advance, continuous innovation is expected to exert long-term pressure on the financial services industry. The adoption of new technologies by competitors, including internet banking services, mobile applications, advanced ATM functionality, AI, and cryptocurrencies, could require the Company to make substantial investments to modify or adapt the Company's existing products and services or even radically alter the way Truist conducts business. These and other capital investments in the Company's business may not produce expected growth in earnings anticipated at the time of the expenditure. 
Acquisitions, mergers, and divestitures introduce a broad range of anticipated and unanticipated risks, including unforeseen or negative consequences from supervisory or regulatory action that may limit Truist's ability to pursue and complete them. We may from time to time seek to acquire other financial-services companies or businesses. Acquisitions involve numerous risks and uncertainties, including inaccurate financial and operational assumptions, incomplete or failed due diligence, lower than expected performance, higher than expected costs, difficulties related to integration, diversion of management's attention from other business activities, adverse market or other reactions, changes in relationships with clients or counterparties, the potential loss of key personnel, and the possibility of litigation and other disputes. An acquisition also could be dilutive to our existing shareholders if we were to issue common stock to fully or partially pay or fund the purchase price. We, moreover, may not be successful in identifying appropriate acquisition candidates, integrating acquired companies or businesses, or realizing expected value from acquisitions. There is significant competition for valuable acquisition targets, and we may not be able to acquire other companies or businesses on attractive terms. No assurance can be given that we will pursue future acquisitions, and our ability to grow and successfully compete may be impaired if we choose not to pursue or are unable to successfully make acquisitions. The Company must satisfy a number of meaningful conditions before completing an acquisition of another bank or BHC, including federal and state regulatory approvals. 
In determining whether to approve a proposed bank or BHC acquisition, bank regulators will consider, among other factors, the effect of the acquisition on competition; financial condition and future prospects, including current and projected capital ratios and levels; the competence, experience, and integrity of management; the supervisory relationship; record of compliance with laws and regulations; the convenience and needs of the communities to be served, including the acquiring institution's record of compliance under the CRA; the effectiveness of the acquiring institution in combating money laundering activities; and public comments. In addition, U.S. regulators must take systemic risk to the U.S. financial system into account when evaluating whether to approve a potential acquisition transaction involving a large financial institution like Truist. There is no certainty as to when or if or on what terms and conditions, any required regulatory approvals will be granted for any potential acquisition. In specific cases, Truist may be required to divest certain operations, including branches, or take other actions as a condition to receiving regulatory approval. An inability to satisfy other conditions necessary to consummate an acquisition transaction, such as third-party litigation, a judicial order blocking the transaction, or lack of shareholder approval, could also prevent the Company from completing an announced acquisition. In addition, we may decide to divest certain businesses or assets. Divestitures of businesses involve a number of risks, including significant costs and expenses, and any divestiture we undertake could adversely affect our business, financial condition, results of operations, and cash flows. Divestitures may involve significant uncertainty and execution complexity, which may cause us not to achieve our strategic objectives, realize expected cost savings, or obtain other benefits from the divestiture. 
The significant risks and uncertainties involved in divestitures may include:

- the inability to sell such businesses or assets on satisfactory price and terms and in a timely manner, including potentially long and costly sales processes and unsuccessful attempts by a buyer to receive required regulatory approvals, satisfy other conditions to closing, or obtain equity or debt financing in order to satisfy its payment obligations related to the transaction,
- disruption to other parts of our business and distraction of management,
- loss of key teammates or clients,
- exposure to contingencies, including, among other things, those arising from representations and warranties made to a buyer regarding the businesses being sold, or
- ongoing obligations to support the businesses following such divestitures, including through transition services arrangements, and other adverse financial impacts.

Whether such divestitures are completed or not, their pendency could have a number of negative effects on our current business, including potentially disrupting our regular operations and diverting the attention of our workforce and management team. It could also disrupt existing business relationships, make it harder to develop new business relationships, or otherwise negatively impact the way that we operate our business. In the event of a termination of a divestiture transaction before it is consummated, the payment of a termination fee may not fully compensate us for our losses. Truist has businesses other than banking that are subject to a variety of risks. Truist is a diversified financial services company. This diversity subjects the Company's earnings to a broader variety of risks and uncertainties. Other businesses in addition to banking that the Company operates include investment banking, securities underwriting and market making, loan syndications, investment management and advice, and retail and wholesale brokerage services offered through the Company's subsidiaries. 
These businesses entail significant market, operational, credit, compliance, technology, legal, and other risks that could adversely impact the Company's results of operations.

**Current (2026):**

Ineffective execution of strategic initiatives could adversely affect investor sentiment and the Company's business, financial condition, results of operations, prospects, and reputation. There is no guarantee that our strategic initiatives, including initiatives to drive focused growth, deepen relationships with clients, increase client acquisition, and enhance digital engagement with clients, will be successful and improve profitability or allow us to return capital to shareholders. Our execution of strategic initiatives may be impacted by internal factors, such as maintaining a level of earnings appropriate to support growth objectives, the ability to maintain dividends in various economic cycles, or the successful delivery of innovation and technology strategies. In addition, the execution of our strategies may be impacted by our response to external factors, including geopolitical, macroeconomic, social, cultural, competitive, and regulatory factors. To the extent we are impeded or unable to execute effective strategic initiatives, our business, results of operations, financial condition, prospects, and reputation could be adversely affected. Competition may reduce Truist's client base or cause Truist to modify the pricing or other terms for products and services, or require significant investments to maintain competitiveness, which could have an adverse impact on our business and financial results. Truist operates in a highly competitive industry that is expected to become even more competitive with growth in areas such as digital financial service providers and other nonbank platforms. In many cases, Truist competes against larger banks with greater scale and deposits than Truist. These advantages can enable competitors to more aggressively price, reduce costs, and invest in new technology. 
Increased competition also arises from technological advancements, legislative and regulatory changes, as well as competition from other financial services companies, some of which may be subject to less extensive regulation than Truist. The Company's success depends, in part, on the Company's ability to adapt its offering of products and services to evolving industry standards and client expectations, including with respect to digital offerings and assets, such as stablecoins, cryptocurrencies, and tokenized assets more broadly. The widespread adoption of new technologies has required and will continue to require substantial investments to modify existing products and services or to develop new products and services. In addition, there is increasing pressure to provide products and services at lower prices further reducing contribution margins. The Company may not be successful in introducing new products and services in response to industry trends or developments in technology or those new products may not achieve market acceptance. Truist also competes with nonbank companies and, in some cases, with companies other than those traditionally considered financial sector participants. In particular, fintechs are increasingly focusing on the financial sector, either in partnership with competitor banking organizations or on their own, including potentially through limited-purpose bank or trust company subsidiaries, and competition from such companies has grown in recent years and is expected to continue growing. In some cases, fintechs have and may continue to offer bank-like products. 
These companies generally are not subject to the same regulatory oversight as main street financial institutions and may accordingly realize certain cost efficiencies and offer bank and bank-like products and services at more favorable rates and with greater convenience to the client. This competition could result in the loss of clients, deposits, and revenue in areas where fintechs are operating. As the pace of technology and change advance, continuous innovation is expected to exert long-term pressure on the financial services industry. The adoption of new technologies by competitors, including internet banking services, mobile applications, advanced ATM functionality, digital assets, tokenization, stablecoins and cryptocurrencies, and similar products, services, and technologies that enable financial services and transactions without or with less intermediation by commercial banks, is likely to require the Company to make substantial investments to modify or adapt the Company's existing products and services or even radically alter the way Truist conducts business. These and other capital investments in the Company's business may not produce expected growth in earnings anticipated at the time of the expenditure. If we are unable to successfully adopt and implement new technologies in a way that meets customer and industry demand, we may lose market share or deposits, including as a result of financial disintermediation. Acquisitions, mergers, and divestitures introduce a broad range of anticipated and unanticipated risks, including unforeseen or negative consequences from supervisory or regulatory action that may limit Truist's ability to pursue and complete them, which may impair the Company's ability to expand or grow its client base, or execute on its strategic initiatives and compete effectively. We may from time to time seek to acquire other financial-services companies or businesses. 
Acquisitions involve numerous risks and uncertainties, including inaccurate financial and operational assumptions, incomplete or failed due diligence, lower than expected performance or synergies, higher than expected costs, difficulties related to integration, diversion of management's attention from other business activities, adverse market or other reactions, changes in relationships with clients or counterparties, the potential loss of key personnel, and the possibility of litigation and other disputes. An acquisition also could be dilutive to our existing shareholders if we were to issue common stock to fully or partially pay or fund the purchase price. We, moreover, may not be successful in identifying appropriate acquisition candidates, integrating acquired companies or businesses, or realizing expected value from acquisitions. There is significant competition for valuable acquisition targets, and we may not be able to acquire other companies or businesses on attractive terms. No assurance can be given that we will pursue future acquisitions, and our ability to grow and successfully compete may be impaired if we choose not to pursue or are unable to successfully make acquisitions. Under the BHCA, a BHC may not directly or indirectly acquire ownership or control of more than 5% of the voting shares or substantially all of the assets of any BHC or bank or merge or consolidate with another BHC without the prior approval of the FRB. The BHCA and other federal laws enumerate the factors the FRB must consider when reviewing the merger of BHCs, the acquisition of banks, or the acquisition of voting securities of a bank or BHC. 
These factors include the competitive effects of the transaction in the relevant geographic markets; the financial and managerial resources and future prospects of the companies and banks involved in the transaction; the effect of the transaction on the financial stability of the U.S.; the organizations' compliance with anti-money laundering statutes and regulations; the convenience and needs of the communities to be served; and the records of performance under the CRA of the IDIs involved in the transaction. In addition, U.S. regulators must take systemic risk to the U.S. financial system into account when evaluating whether to approve a potential acquisition transaction involving a large financial institution like Truist. There is no certainty as to when or if or on what terms and conditions any required regulatory approvals will be granted for any potential acquisition. In specific cases, Truist may be required to divest certain operations, including branches, or take other actions as a condition to receiving regulatory approval. The standards by which bank and financial institution acquisitions are evaluated may be subject to change, and it may be unclear how revised guidelines and frameworks for reviewing such acquisitions will be applied. Refer to the "Regulatory and Supervisory Considerations" section in "Item 1. Business" for additional details related to other factors and limitations related to potential BHC acquisitions. An inability to satisfy other conditions necessary to consummate an acquisition transaction, such as third-party litigation, a judicial order blocking the transaction, or lack of shareholder approval, could also prevent the Company from completing an announced acquisition. In addition, we may decide to divest certain businesses or assets. 
Divestitures of businesses involve a number of risks, including significant costs and expenses, and any divestiture we undertake could adversely affect our business, financial condition, results of operations, and cash flows. Divestitures may involve significant uncertainty and execution complexity, which may cause us not to achieve our strategic objectives, realize expected cost savings, or obtain other benefits from the divestiture. The significant risks and uncertainties involved in divestitures may include:

- the inability to sell such businesses or assets at satisfactory prices and terms and in a timely manner, including potentially long and costly sales processes and unsuccessful attempts by a buyer to receive required regulatory approvals, satisfy other conditions to closing, or obtain equity or debt financing in order to satisfy its payment obligations related to the transaction,
- disruption to other parts of our business and distraction of management,
- loss of key teammates or clients,
- exposure to contingencies, including, among other things, those arising from representations and warranties made to a buyer regarding the businesses being sold, or
- ongoing obligations to support the businesses following such divestitures, including through transition services arrangements, and other adverse financial impacts.

Whether such divestitures are completed or not, their pendency could have a number of negative effects on our current business, including potentially disrupting our regular operations and diverting the attention of our workforce and management team. Divestitures could also disrupt existing business relationships, make it harder to develop new business relationships, or otherwise negatively impact the way that we operate our business. If a divestiture transaction is terminated before it is consummated, the payment of a termination fee by the purchaser may not fully compensate us for our losses. 
Truist has businesses other than banking that are subject to a variety of risks that may affect our financial condition and results of operations. Truist is a diversified financial services company. This diversity subjects the Company's earnings to a broader variety of risks and uncertainties. Other businesses in addition to banking that the Company operates include investment banking, securities underwriting and market making, loan syndications, investment management and advice, and retail and wholesale brokerage services offered through the Company's subsidiaries. These businesses entail significant market, operational, credit, compliance, technology, legal, and other risks that could adversely impact the Company's financial condition and results of operations.

---

## Modified: Credit Risks

**Key changes:**

- Reworded sentence: "Truist incurs credit risk, which is the risk to current or anticipated earnings or capital arising when a borrower, obligor, issuer, or counterparty has a decline in creditworthiness or does not meet its financial obligations to us."
- Added sentence: "The Company may have higher credit risk, or experience higher credit losses, to the extent its loan exposures increase or are concentrated by loan type, industry segment, borrower type, or location of the borrower or collateral, including with respect to any increase in its nonbank financial institution lending activities."
- Reworded sentence: "Credit losses may exceed the amount of the Company's reserves due to changing economic conditions, falling collateral values, falling commodity prices, higher unemployment, losses on a client or sector where Truist has an outsized exposure, or other factors such as changes in borrower behavior or borrower composition."
- Reworded sentence: "The Company could have more credit risk and higher credit losses if our underwriting standards and practices are inadequate, we adopt more liberal underwriting standards for competitive or other reasons, information provided to us by clients and counterparties is inaccurate, or our concentration and other risk limits are not well-calibrated."
- Added sentence: "Additionally, in deciding whether to extend credit or enter into other transactions with clients and counterparties, the Company relies on the completeness and accuracy of representations made by and information furnished by or on behalf of clients and counterparties, including financial statements and other financial information."

**Prior (2025):**

The Company is subject to credit risk, and the Company's allowance for credit losses may not be adequate to cover realized and future losses. Truist incurs credit risk, which is the risk to current or anticipated earnings or capital arising when a borrower, obligor, issuer, or counterparty does not meet its financial obligations to us. Credit risk is primarily incurred through lending activities in the Company's WB and CSBB operating segments. A number of products expose the Company to credit risk, including loans and leases, lending commitments, derivatives, trading assets, and investment securities. Changes in credit quality can have a significant impact on the Company's earnings and capital position. The Company estimates and establishes contractual lifetime reserves for credit risks and credit losses inherent in its determination of credit exposure. This process, which is critical to the Company's financial results and condition, requires complex calculations and extensive use of judgment, considering both external and borrower-specific factors that might impair the ability of borrowers to repay their loans. If the Company fails to identify all pertinent factors, or fails to accurately estimate the impacts of factors identified, the Company's allowance for credit losses may not be adequate to cover realized and future losses. Credit losses may exceed the amount of the Company's reserves due to changing economic conditions, falling collateral values, falling commodity prices, higher unemployment, losses on a client / sector where Truist has an outsized exposure, or other factors such as changes in borrower behavior. There is no assurance that reserves will be sufficient to cover all credit losses. In the event of significant deterioration in current or projected future economic conditions, the Company could experience reduced demand for credit and increased delinquencies or defaults. 
In addition, the Company could be required to increase reserves in future periods, which would reduce the Company's earnings and potentially impact its capital. The Company could have more credit risk and higher credit losses if our underwriting standards and practices are inadequate, we adopt more liberal underwriting standards for competitive or other reasons, or our concentration and other risk limits are not well calibrated. The Company's credit risk and credit losses can increase if the Company's loans are concentrated in borrowers engaged in the same or similar activities or in borrowers who as a group may be uniquely or disproportionately affected by economic conditions or market conditions, including as a result of climate change or natural disasters. Increased delinquencies or defaults could also result from our failing to appropriately underwrite loans and other products that we originate or purchase or from our adopting - for strategic, competitive, or other reasons - more liberal underwriting standards. There can be no assurance that our forecasts of economic conditions, our assessments and monitoring of credit risk, and our efforts to mitigate credit risk through risk-based pricing, appropriate underwriting and investment policies, loss-mitigation strategies, and diversification are or will be sufficient to prevent an adverse impact to our business and financial results. The Company may suffer losses if the value of collateral declines in weak, deteriorating, or stressed economic or market conditions. During periods of market stress or illiquidity, the Company's credit risk may be further increased if it fails to realize the expected value of the collateral it holds, collateral is liquidated at prices that are not sufficient to recover the full amount owed to Truist, or counterparties are unable to post collateral, whether for operational or other reasons. 
Furthermore, disputes with counterparties concerning the valuation of collateral may increase in times of significant market stress, volatility, or illiquidity, and Truist could suffer losses during these periods if it is unable to obtain additional collateral from counterparties, manage declines in the value of collateral, or realize the expected value of collateral.

**Current (2026):**

The Company is subject to credit risk, and the Company's allowance for credit losses may not be adequate to cover realized and future losses. Truist incurs credit risk, which is the risk to current or anticipated earnings or capital arising when a borrower, obligor, issuer, or counterparty has a decline in creditworthiness or does not meet its financial obligations to us. Credit risk is primarily incurred through lending activities in the Company's WB and CSBB operating segments. The Company may have higher credit risk, or experience higher credit losses, to the extent its loan exposures increase or are concentrated by loan type, industry segment, borrower type, or location of the borrower or collateral, including with respect to any increase in its nonbank financial institution lending activities. A number of products expose the Company to credit risk, including loans and leases, lending commitments, derivatives, trading assets, and investment securities. Changes in credit quality can have a significant impact on the Company's earnings and capital position. The Company estimates and establishes contractual lifetime reserves for credit risks and credit losses inherent in its determination of credit exposure. This process, which is critical to the Company's financial results and condition, requires complex calculations and extensive use of judgment, considering both external and borrower-specific factors that might impair the ability of borrowers to repay their loans. If the Company fails to identify all pertinent factors, or fails to accurately estimate the impacts of factors identified, the Company's allowance for credit losses may not be adequate to cover realized and future losses. 
Credit losses may exceed the amount of the Company's reserves due to changing economic conditions, falling collateral values, falling commodity prices, higher unemployment, losses on a client or sector where Truist has an outsized exposure, or other factors such as changes in borrower behavior or borrower composition. We have a significant consumer loan portfolio, including indirect auto and credit card loans, which may present higher credit risks during economic downturns and market fluctuations. There is no assurance that reserves will be sufficient to cover all credit losses. In the event of significant deterioration in current or projected future economic conditions, the Company could experience reduced demand for credit and increased delinquencies or defaults. In addition, the Company could be required to increase reserves in future periods, which would reduce the Company's earnings and potentially impact its capital. The Company could have more credit risk and higher credit losses if our underwriting standards and practices are inadequate, we adopt more liberal underwriting standards for competitive or other reasons, information provided to us by clients and counterparties is inaccurate, or our concentration and other risk limits are not well-calibrated. The Company's credit risk and credit losses can increase if the Company's loans are concentrated in borrowers engaged in the same or similar activities or in borrowers who as a group may be uniquely or disproportionately affected by economic or market conditions, including as a result of climate change or natural disasters or their particular industries. 
Increased delinquencies or defaults could also result from our failing to appropriately underwrite loans and other products that we originate or purchase or from our adopting - for strategic, competitive, or other reasons - more liberal underwriting standards. There can be no assurance that our forecasts of economic conditions, our assessments and monitoring of credit risk, and our efforts to mitigate credit risk through risk-based pricing, appropriate underwriting and investment policies, loss-mitigation strategies, and diversification are or will be sufficient to prevent an adverse impact to our business and financial results. Additionally, in deciding whether to extend credit or enter into other transactions with clients and counterparties, the Company relies on the completeness and accuracy of representations made by and information furnished by or on behalf of clients and counterparties, including financial statements and other financial information. If the information provided is not complete or accurate, the Company could make misjudgments about extending credit or entering into other transactions with clients or counterparties, and the Company could suffer defaults, credit losses, or other negative consequences as a result. The Company may suffer losses if the value of collateral declines in weak, deteriorating, or stressed economic or market conditions. During periods of market stress or illiquidity, the Company's credit risk may be further increased if it fails to realize the expected value of the collateral it holds, collateral is liquidated at prices that are not sufficient to recover the full amount owed to Truist, or counterparties are unable to post collateral, whether for operational or other reasons. 
Furthermore, disputes with counterparties concerning the valuation of collateral or contractual agreements may increase in times of significant market stress, volatility, or illiquidity, and Truist could suffer losses during these periods if it is unable to effectively handle counterparty disputes, obtain additional collateral from counterparties, manage declines in the value of collateral, or realize the expected value of collateral.

---

## Modified: Technology and Data Risks

**Key changes:**

- Reworded sentence: "The Company's applications, operating systems, and infrastructure, as well as operational capabilities managed or supplied by third parties on whom we rely, could fail or be interrupted, which could adversely impact the Company's business, operations, financial condition, prospects, and reputation and cause significant legal and financial exposure."
- Reworded sentence: "The Company's ability to conduct its business and operations may be adversely affected by these kinds of disruptions to third parties whom the Company interacts with or relies upon."
- Reworded sentence: "The Company and its clients, suppliers, service providers, and other third parties face a wide array of cybersecurity risks, which could result in the loss, alteration, or disclosure of confidential, proprietary, personal, and other sensitive information; adversely impact the Company's business, operations, financial condition, results of operations, prospects, and reputation; and cause significant legal and financial exposure."
- Reworded sentence: "A successful penetration or circumvention of the security for our applications, operating systems, or infrastructure or those of third parties could cause serious negative consequences, including loss of clients and business opportunities; costs associated with maintaining client and business relationships after a cyber-attack or security breach; a loss of investor confidence; significant disruption to the Company's operations and business; misappropriation, exposure, or destruction of the Company's confidential, proprietary, and other sensitive information, including personal information, and the funds of the Company and its clients; damage to the Company's or third-parties' computers, systems, or networks; and a violation of applicable statutes and regulations, including those related to data privacy, data protection, and cybersecurity."
- Reworded sentence: "The Company faces risks associated with the privacy, quality, availability, and retention of key data for operational, strategic, regulatory, and compliance purposes."

**Prior (2025):**

The Company's operating systems and infrastructure, as well as operational capabilities managed or supplied by third parties on whom we rely, could fail or be interrupted, which could disrupt the Company's business and adversely impact the Company's operations, financial condition, prospects, and reputation, and cause significant legal and financial exposure. The Company's operational and security systems, networks, and infrastructure, including computer systems and networks, data management, and internal processes, as well as those of third parties, are integral to the Company's performance. The Company's business relies on the secure collection, transmission, storage, use, retrieval, and other processing of confidential, proprietary, and other sensitive information in the Company's information systems, networks and those of third parties. In addition, to access the Company's systems, networks, products, and services, the Company's clients and other third parties may use personal mobile devices or computing devices that are outside of the Company's control and network environments. The Company's operating systems and infrastructure are vulnerable to damage or interruption from, among other things, software bugs, server malfunctions, software or hardware failure, and human error. These risks may increase in the future as Truist continues to evolve its internal and external operating systems and infrastructure. The potential for operational risk exposure exists throughout the Company's business, and because of the Company's interactions with and reliance on third parties, is not limited to the Company's own internal operational functions. 
Truist's vendors, service providers, and other third parties may expose the Company to risk as a result of human error, misconduct, malfeasance, or a failure or breach of systems, networks, and infrastructure. In addition, third-party system breakdowns or failures, could affect their ability to deliver a product or service to the Company or result in lost or compromised information of the Company or its clients. Truist cannot be certain that it will receive timely notification of such incidents or be able to exert any meaningful control or influence over how and when they are addressed. The Company's ability to conduct business may be adversely affected by any such significant disruptions to third parties with whom the Company interacts or relies upon. In addition, as a result of increasing consolidation, interdependence, and complexity of financial entities and technology systems and networks, a technology failure that significantly degrades, deletes, or compromises the systems, networks, or data of one or more financial entities could have an adverse impact on counterparties or other market participants. This consolidation, interconnectivity, and complexity increases the risk of operational failure, on both individual and industry-wide bases, as disparate systems need to be integrated, often on an accelerated basis. Any third-party technology failure, other information or security breach, termination, or constraint could, among other things, adversely affect the Company's ability to conduct transactions, service the Company's clients, manage the Company's exposure to risk, or expand the Company's business. Truist is heavily reliant on technology, and a failure to effectively anticipate, develop, and implement new technology could negatively impact our financial results, business, operations, or security. 
The financial services industry is undergoing rapid technological change with frequent introductions of new technology-driven products and services, including those related to AI and migration to the cloud. Truist has invested in technology to automate functions previously performed manually, to facilitate the ability of clients to engage in financial transactions and otherwise to enhance the client experience with respect to the Company's products and services. Truist expects to make additional investments in innovation and technology to address technological disruption in the industry and improve client offerings and service. Although changes are designed to allow the Company to better serve the Company's clients and to reduce costs, many of these initiatives take a significant amount of time to develop and implement, are tied to critical systems, and require substantial financial, human, and other resources. Although we take steps to mitigate the risks and uncertainties associated with these initiatives, they are not always implemented, and may not in the future be implemented, on time, within budget, or without negative financial, operational, or client impact. In addition, these initiatives do not always perform, and may not in the future perform, as we or our clients expect. The Company's continued success depends, in part, upon the Company's ability to address clients' needs by using technology to provide products and services that satisfy client demands, including demands for faster, simpler, and more secure payment services, to create efficiencies in the Company's operations, and to integrate those offerings with legacy platforms or to update those legacy platforms. 
A failure to maintain or enhance the Company's competitive position with respect to technology, whether because of a failure to anticipate client expectations or keep pace with new or enhanced product or service offerings by competitors, a failure in the performance of technological developments, or an untimely roll out of developments, may cause the Company to lose market share or incur additional expense. Our use of systems and other technologies also depends on rights or interests in the underlying intellectual property, which we or our service providers may own or license. If we or a service provider were alleged or found to be infringing on the intellectual-property rights of another person or entity, we could be liable for significant damages for past infringement, substantial fees for continued use, and deprivation of access to or use of such intellectual property for limited or extended periods of time without the practical availability of an alternative, or we could enter into a settlement agreement to resolve such claims. For example, in 2023 we settled a lawsuit brought by another financial institution alleging that our mobile remote deposit capture systems infringed patents owned by the other financial institution. The Company faces risks associated with the quality, availability, and retention of key data for operational, strategic, regulatory, and compliance purposes. The Company's financial and regulatory reporting, public disclosures, and key business decisions are reliant on the quality, availability, and retention of data, including personal information. A control failure, for example, may lead to data breaches, data loss, data misuse, and data integrity and quality risks. These failures may result in inaccuracies in financial and regulatory reports, inhibited management decision-making, financial loss, reputational risk, and regulatory compliance risk, including data privacy, data protection, and cybersecurity compliance risks. 
We also can experience enforcement and other supervisory actions, damage to our reputation, and private litigation as a result of these failures. The Company and its suppliers and service providers face a wide array of cybersecurity risks, which could result in the loss, alteration, or disclosure of confidential, proprietary, personal, and other sensitive information; adversely impact the Company's operations, financial condition, prospects, and reputation; and cause significant legal and financial exposure. The Company's computer systems and network infrastructure and those of its suppliers and service providers are continuously targeted in cyberattacks and vulnerable to damage or interruption from, among other things, fraud, denial of service attacks, social engineering schemes (such as phishing), hacking, malware or ransomware intrusion, data corruption attempts, terrorist activities, or identity theft. Such incidents have exposed and may continue to expose security vulnerabilities in the Company's systems, networks, or other security measures, or those of third parties, and have resulted and could result in the unauthorized access, gathering, monitoring, misuse, release, loss, or destruction of confidential, proprietary, or other sensitive information, including personal information. Such incidents could also damage the Company's systems and networks by introducing material disruptions to the network access or business operations of the Company, its clients, or other third parties. In addition, Truist's clients, regulators, and other third parties, including other financial services institutions and companies engaged in data processing, have been subject to and will continue to be the target of cyberattacks and other similar incidents. 
The Company also faces cybersecurity risks relating to partners and other third parties that the Company relies upon to facilitate or enable business activities, including vendors, service providers, and providers of critical infrastructure such as internet access and electrical power. While the Company performs cybersecurity due diligence on its vendors and service providers, the Company does not control its vendors or service providers and its ability to monitor their cybersecurity is limited. Therefore, the Company cannot ensure that the cybersecurity measures they take will be sufficient to protect information the Company shares with them or prevent disruption arising from a cyberattack. In addition, the existence of cyberattacks or security breaches at third-party vendors and service providers with access to the Company's data and systems may not be disclosed to the Company in a timely manner. Cybersecurity risks for financial institutions have significantly increased in recent years and will likely continue to increase, in part because of the proliferation of new technologies to facilitate and conduct financial transactions. In addition, cybersecurity risks have significantly increased in recent years in part due to the increased sophistication and activities of organized crime affiliates, terrorist organizations, hostile foreign governments, state-sponsored actors, disgruntled teammates or vendors, hackers, activists, and other external parties, including those involved in corporate espionage, any of which may see their effectiveness enhanced by the use of AI, including the use of generative AI to conduct more sophisticated social engineering attacks on the Company or its clients. Even the most advanced internal control environment may be vulnerable to compromise. Persistent attackers may succeed in penetrating defenses given enough resources, time, and motive. 
The techniques used by cybersecurity threat actors change frequently and may not be recognized until launched or well after a breach has occurred. A successful penetration or circumvention of system or network security could cause serious negative consequences, including loss of clients and business opportunities; costs associated with maintaining business relationships after a cyberattack or security breach; significant disruption to the Company's operations and business; misappropriation, exposure or destruction of the Company's confidential, proprietary, and other sensitive information, including personal information, and funds and those of the Company's clients; damage to the Company's or the Company's clients' or third parties' computers, systems, or networks; and a violation of applicable laws and regulations, including those related to data privacy, data protection, and cybersecurity. This could result in litigation exposure, regulatory fines, penalties, loss of confidence in the Company's security measures, reputational damage, reimbursement or other compensatory costs, and additional compliance costs, which could adversely impact the Company's results of operations, liquidity, and financial condition. In addition, we may not have adequate insurance coverage to compensate for losses from any of the foregoing, our existing insurance coverage may not continue to be available on acceptable terms or at all, and our insurers may deny coverage as to any future claims. In addition, cybersecurity and data-privacy risks have received heightened legislative, regulatory, and supervisory attention. 
Legislation and regulations on cybersecurity and data privacy, as well as related supervisory expectations, can compel us to enhance or modify our systems and infrastructure, invest in new systems and infrastructure, change our service providers, augment our scenario and vulnerability testing, and alter our business practices or our policies on security, data governance, and privacy. Any of these, in turn, can cause a significant increase in the complexity and costs of our operations and expose us to enforcement and other supervisory actions, related litigation by private plaintiffs, reputational damage, and a loss of client or investor confidence.

**Current (2026):**

The Company's applications, operating systems, and infrastructure, as well as operational capabilities managed or supplied by third parties on whom we rely, could fail or be interrupted, which could adversely impact the Company's business, operations, financial condition, prospects, and reputation and cause significant legal and financial exposure. The Company's ability to perform and succeed depends on applications, operating systems, and infrastructure, including computer systems and networks, software, security systems, data management, and internal processes. These may be owned or controlled by the Company or by clients, suppliers, service providers, or other third parties. We rely on the secure collection, transmission, storage, use, retrieval, and other processing of confidential, proprietary, personal, and other sensitive information in the Company's systems and networks as well as those of its clients and other third parties. To access the Company's systems, networks, products, and services, the Company's clients and other third parties may use personal devices or other computing devices that are outside of the Company's control and network environments. The Company's operating systems and infrastructure are vulnerable to damage or interruption from, among other things, software bugs, server malfunctions, software or hardware failure, and human error that originate inside or outside its control and network environment. These risks may increase in the future as Truist continues to evolve its use of, interactions with, and dependence on internal and external operating systems and infrastructure. The Company has experienced, and may continue to experience, failures and disruptions affecting the stability, performance, security, and availability of its applications, operating systems, and infrastructure. 
These include degraded processing performance, data quality issues, loss of network connectivity, software malfunctions and misconfigurations, and interruptions in the availability and reliability of cloud-based and other third-party systems and services. The Company's substantial and increasing reliance on cloud service providers and other external technology vendors heightens exposure to risks outside of its control, including system outages, downtime, cyber-attacks, and adverse financial and operating conditions at those providers and vendors. The Company's expanding use of AI tools and related technologies introduces additional operational risks, including reliance on data integrity and model performance as well as third-party AI services that may fail, degrade, or produce inaccurate or unexpected outputs. The Company regularly updates and modifies its applications, operating systems, and infrastructure to support business and operations, including growth initiatives and regulatory compliance requirements. These activities involve significant costs and create additional risks related to the implementation, integration, and effectiveness of new or modified applications, systems, and infrastructure. The introduction, updating, or retraining of AI models and other methods of automation may amplify these risks. Changes in model behavior or configuration may produce unintended outcomes, increase susceptibility to operational errors, or reduce the effectiveness of existing controls. Failures associated with upgrades, configuration changes, system conversions, AI model deployment, integration efforts, and related activities may result in operational interruptions, system failures, or reduced control effectiveness. 
Failures to properly maintain, upgrade, or secure applications, operating systems, and infrastructure may increase the Company's susceptibility to cybersecurity threats, including supply chain attacks, and may impair the Company's ability to meet business continuity and resiliency objectives. AI-enabled technologies may further expand the cyber-attack surface and velocity, including exposure to adversarial manipulation, data poisoning, and vulnerabilities in third-party AI and other platforms. These events have resulted in adverse client impacts, including the inability to access account information or conduct transactions through ATM, online, or mobile channels, the exposure of confidential, proprietary, personal, and other sensitive information, the posting of duplicative or delayed transactions, and delays in obtaining assistance through call centers. The Company cannot assure that similar or more severe operational or technology failures and disruptions, including AI-related failures or third-party service interruptions, will not occur in the future or that their effects can be prevented, contained, or remediated in a timely manner. The potential for operational risk exposure exists throughout the Company and, because of the Company's interactions with and reliance on third parties, is not limited to the Company's own internal operational functions. Truist's clients, service providers, intermediaries, and other third parties may expose the Company to risk as a result of human error, misconduct, malfeasance, or a failure or breach of applications, systems, and infrastructure.
In addition, third-party breakdowns or failures could affect their ability to deliver a product or service to the Company or its clients or result in lost or compromised information of the Company or its clients. Truist cannot be certain that it will receive timely notification of such incidents or be able to exert any meaningful control or influence over how and when they are addressed. The Company's ability to conduct its business and operations may be adversely affected by these kinds of disruptions to third parties whom the Company interacts with or relies upon. In addition, as a result of increasing consolidation, interconnectivity, and complexity of financial entities and operating systems and infrastructure, a technology failure that significantly degrades, deletes, or compromises the applications, systems, infrastructure, or data of one or more financial entities could have an adverse impact on counterparties or other market participants. This consolidation, interconnectivity, and complexity increases the risk of operational failure, on both individual and industry-wide bases, as disparate systems need to be integrated, often on an accelerated basis, for transactions and other business to be conducted in the ordinary course. Any third-party technology failure, other information or security breach, termination, or constraint could, among other things, adversely affect the Company's ability to conduct transactions and other business, service the Company's clients, manage the Company's exposure to risk, or expand the Company's business. Such an event affecting the Company could likewise negatively impact its counterparties and other market participants and, as a result, create reputational damage as well as legal and financial exposure. 
Truist is heavily reliant on technology, and a failure to effectively anticipate, develop, and implement new or enhanced technology could negatively impact our financial results, business, operations, security, or ability to compete effectively. The financial services industry is undergoing rapid technological change with frequent introductions of new technology-driven products and services, including those related to AI and cloud migration as well as blockchain and other distributed ledger technologies such as those underpinning digital assets, tokenization, cryptocurrencies, and stablecoins. Truist has invested in technology to automate functions previously performed manually, to facilitate the ability of clients to engage in financial transactions, and otherwise to enhance the client experience with respect to the Company's products and services. As a result of these developments and investments, Truist is heavily reliant on technology, and any inability to effectively anticipate, develop, or implement new or enhanced technology could have an adverse effect on Truist's business. Truist expects to make additional investments in innovation and technology to address technological disruption in the industry, improve client offerings and service, and streamline and automate operations. Although these and future investments are designed to enable the Company to better serve its clients and to reduce costs, many of these initiatives take a significant amount of time to develop and implement, are tied to critical systems, and require substantial financial, human, and other resources. Although we take steps to mitigate the risks and uncertainties associated with these initiatives, they have not been in the past and may not be in the future implemented on time, within budget, or without negative financial, operational, or client impact. In addition, these initiatives have not in the past and may not in the future always perform as we or our clients expect. 
Changes in our business, including the use of new technologies, may require us to modify our workforce strategies and training programs, which could negatively impact our ability to attract, develop, retain, and motivate qualified teammates and ultimately our operations and financial results. The Company's continued success depends, in part, upon its ability to use technology to provide products and services that satisfy client needs and preferences, including demands for faster, simpler, more cost-effective, and more secure payment services and settlement, to create efficiencies in the Company's operations, and to integrate new or enhanced client offerings with legacy platforms or to update those legacy platforms. A failure to maintain or enhance the Company's competitive position with respect to technology, whether because of a failure to anticipate client expectations or keep pace with new or enhanced product or service offerings by competitors, a failure in the performance or reception of technological enhancements, or an untimely rollout of technological enhancements, may cause the Company to lose market share, miss growth opportunities, or adversely affect our financial results. Our use of systems and other technologies also depends on rights or interests in the underlying intellectual property, which we or our service providers may own or license.
If we or a service provider were alleged or found to be infringing on the intellectual-property rights of another person or entity, we could incur significant damages for past infringement, substantial fees for continued use, deprivation of access to or use of such intellectual property for limited or extended periods of time without the practical availability of an alternative, or considerable expense to settle or otherwise resolve the matter. For example, in 2023 we settled a lawsuit brought by another financial institution alleging that our mobile remote deposit capture systems infringed patents owned by the other financial institution. The Company and its clients, suppliers, service providers, and other third parties face a wide array of cybersecurity risks, which could result in the loss, alteration, or disclosure of confidential, proprietary, personal, and other sensitive information; adversely impact the Company's business, operations, financial condition, results of operations, prospects, and reputation; and cause significant legal and financial exposure. The Company's applications, operating systems, and infrastructure and those of its clients, suppliers, service providers, and other third parties are continuously targeted in cyber-attacks and vulnerable to damage or interruption from, among other things, fraud, denial of service attacks, social engineering schemes (such as phishing and smishing), hacking, malware or ransomware intrusion, data corruption attempts, terrorist activities, or identity theft. Such incidents have in the past exposed and may in the future expose security vulnerabilities in the Company's applications, systems, and infrastructure and those of third parties, resulting in the unauthorized access, gathering, monitoring, misuse, release, loss, or destruction of confidential, proprietary, or other sensitive information, including personal information. 
Such incidents could also damage the Company's applications, systems, and infrastructure by significantly disrupting access or the business or operations of the Company or third parties. In addition, Truist's clients, regulators, and other third parties, including other financial institutions and companies engaged in data processing, have been subject to and will continue to be the target of cyber-attacks and similar incidents. As our clients regularly transact using our Truist-issued debit and credit cards, data is distributed across multiple platforms and networks, and card and other information is stored on these external platforms and networks. When these external platforms and networks are compromised, our clients' information and accounts may be exposed to fraud and other data security and privacy-related issues. As a result, the Company has incurred, and expects to continue to incur, losses related to the reimbursement of clients for fraudulent transactions and other costs associated with data security incidents affecting these platforms and networks. The Company also faces cybersecurity risks relating to third parties that the Company relies upon to facilitate or enable business activities, including vendors, providers of outsourced software, services, and infrastructure, payment networks, card processors, merchants, and providers of critical infrastructure such as internet access and electrical power. While the Company performs varying degrees of cybersecurity due diligence on many of these third parties, the Company does not control third parties and our ability to monitor their cybersecurity is limited. Therefore, the Company cannot ensure that the cybersecurity measures they take will be sufficient to protect information the Company shares with them or prevent disruption arising from a cyber-attack. 
In addition, the existence, nature, or extent of cyber-attacks or security breaches at third parties with access to the Company's data and systems may not be disclosed to the Company in a timely manner. Cybersecurity risks for financial institutions have significantly increased in recent years and will likely continue to increase, in part because of the proliferation of new technologies to facilitate and conduct financial transactions and the increased sophistication and activities of organized crime affiliates, terrorist organizations, hostile foreign governments, state-sponsored actors, disgruntled teammates or vendors, hackers, activists, and other third parties, including those involved in corporate espionage. The risk of a security breach due to a cyber-attack could increase in the future due to factors such as the financial industry's ongoing expansion of digital banking and other internet-based client offerings and the internal use of internet-based products and applications, including those that use cloud computing services; advances in AI, such as the use of machine learning, generative AI, and quantum computing by malicious actors to develop more advanced social engineering attacks on the Company or its clients, including targeted phishing and smishing attacks; the inability to maintain the security of information transmitted by financial institutions due to advances in quantum computing and other technology that may counteract or nullify existing information protections; and the acquisition and integration of new businesses. Even the most advanced internal control environment may be vulnerable to compromise. Persistent attackers may succeed in penetrating defenses given enough resources, time, and motive. The techniques used by cybersecurity threat actors change frequently and may not be recognized until launched or well after a breach has occurred. 
A successful penetration or circumvention of the security for our applications, operating systems, or infrastructure or those of third parties could cause serious negative consequences, including loss of clients and business opportunities; costs associated with maintaining client and business relationships after a cyber-attack or security breach; a loss of investor confidence; significant disruption to the Company's operations and business; misappropriation, exposure, or destruction of the Company's confidential, proprietary, and other sensitive information, including personal information, and the funds of the Company and its clients; damage to the Company's or third-parties' computers, systems, or networks; and a violation of applicable statutes and regulations, including those related to data privacy, data protection, and cybersecurity. Additional impacts include litigation exposure, regulatory fines, penalties, loss of confidence in the Company's security measures, significant investment of management time, reputational damage, reimbursement or other compensatory costs, and additional compliance costs. Any of these consequences or impacts could adversely impact the Company's business, operations, financial condition, results of operations, prospects, and reputation. In addition, the Company may not have adequate insurance coverage to compensate for losses from any of the foregoing, its existing insurance coverage may not continue to be available on acceptable terms or at all, and its insurers may deny coverage as to any future claims. Cybersecurity and data-privacy risks have received heightened legislative, regulatory, and supervisory attention.
Legislation and regulations on cybersecurity and data privacy, as well as related supervisory expectations, can compel us to enhance or modify our applications, systems, and infrastructure, invest in new applications, systems, and infrastructure, change our service providers, augment our scenario and vulnerability testing, and alter our business practices or our policies on security, data governance, and privacy. Any of these, in turn, can cause a significant increase in the complexity and costs of our operations and expose us to enforcement and other supervisory actions, related litigation by private plaintiffs, reputational damage, and a loss of client or investor confidence. The Company faces risks associated with the privacy, quality, availability, and retention of key data for operational, strategic, regulatory, and compliance purposes. The Company's financial and regulatory reporting, public disclosures, and key business decisions are reliant on the quality, availability, and retention of data, including personal information. A control failure, for example, may lead to data breaches, data loss, data misuse, and data integrity and quality risks. These failures may result in inaccuracies in financial and regulatory reports, inhibited management decision-making, financial loss, brand and stakeholder risk, and regulatory compliance risk, including data privacy, data protection, and cybersecurity compliance risks. We also can experience enforcement and supervisory actions, damage to our reputation, and private litigation as a result of these failures. Truist faces substantial risks in safeguarding personal and other sensitive information, which may negatively impact the Company's business, financial condition, results of operations, prospects, or reputation. 
Truist's businesses are subject to complex and evolving statutes, rules, and regulations governing data privacy, data protection, and cybersecurity, particularly with respect to the privacy and protection of personal information of individuals. Individuals whose personal information may be protected by law can include the Company's clients (and in some cases its clients' clients), prospective clients, job applicants, teammates, and the employees of the Company's vendors and other third parties. Complying with the statutes, rules, and regulations applicable to the Company's disclosure, collection, use, sharing, storage, and other processing of personal information can increase operating costs, impact the development of new products or services, and reduce operational efficiency. Any mishandling or misuse of personal information by the Company or a third party affiliated with the Company could expose the Company to reputational damage, litigation, or regulatory fines, penalties, or other sanctions. Additional risks could arise from the failure of the Company or third parties to provide adequate disclosure or transparency to the Company's clients about the personal information collected from them and the use of such information; to receive, document, and honor the privacy preferences expressed by the Company's clients; to protect personal information from unauthorized disclosure; or to maintain training on data privacy, data protection, or cybersecurity practices for all teammates or third parties who have access to personal information. Concerns regarding the effectiveness of Truist's measures to safeguard personal information, or even the perception that those measures are inadequate, could cause Truist to lose existing or potential clients and negatively affect its business, financial results, and prospects. 
Furthermore, any failure or perceived failure by the Company to comply with applicable data privacy, data protection, or cybersecurity statutes, rules, or regulations may subject it to inquiries, examinations, and investigations that could result in requirements to modify or cease certain operations or practices, significant liabilities, or regulatory fines, penalties, or other sanctions. Any of these could damage Truist's reputation and otherwise adversely affect its business, financial results, and financial condition. In recent years, well-publicized incidents involving the inappropriate disclosure, collection, use, sharing, storage, and other processing of personal information have led to expanded governmental scrutiny of practices relating to the safeguarding of personal information by companies. That scrutiny has in some cases resulted in, and could in the future lead to, the adoption of stricter statutes, rules, and regulations relating to the disclosure, collection, use, sharing, storage, and other processing of personal information. Truist will likely be subject to new and evolving data privacy, data protection, and cybersecurity statutes, rules, and regulations in the U.S. and abroad, which could result in additional costs of compliance, litigation, regulatory fines, and enforcement actions. These types of statutes, rules, and regulations could prohibit or significantly restrict financial services firms such as Truist from sharing information among affiliates or with third parties or could restrict Truist's use of personal information when developing, offering, or marketing products or services to clients.
For more information concerning our legal and regulatory obligations with respect to data privacy, data protection, and cybersecurity, please see "Privacy, Data Protection, and Cybersecurity" in Item 1 "Business." The use of AI in our products and services, as well as our business and the industry more broadly, may negatively impact our business, operations, financial condition, results of operations, prospects, and reputation. Our industry is subject to rapid and significant technological change. To compete effectively, the Company uses new and evolving technologies, including AI, to help improve our marketing, referrals, products, services, and client service, to increase productivity for internal code and software development and testing, and to automate certain business decisions and risk management practices, such as fraud identification. The Company's use of AI is subject to risks that models, prompts, algorithms, and datasets, as well as related decisions, predictions, analysis, and other output, are flawed, inaccurate, of poor quality, insufficient, biased, or otherwise erroneous or inadequate, any of which may not be easily detectable. In addition, the models and processes relating to AI are not always transparent, which could increase the risk of unintended deficiencies. Ineffective implementation of AI by us or our third-party providers could subject us to additional risks that we cannot adequately predict or mitigate. Further, inappropriate or controversial data practices by developers and end-users, or other factors adversely affecting public opinion of AI and machine learning, could impair the acceptance and use of AI. 
If any of these risks are realized, we could suffer business and operational disruptions, operational inefficiencies, competitive harm, legal liability, increased regulatory scrutiny, reputational harm, or other consequences that the Company cannot predict, any of which could negatively affect the Company's financial condition and results of operations. Regulatory and other legal frameworks surrounding AI continue to evolve and remain uncertain. If we do not have sufficient rights to use models, prompts, algorithms, and datasets on which our AI technologies rely or the related decisions, predictions, analysis, or other output, we could incur significant damages, substantial fees, deprivation of access, or considerable expense through a violation of applicable law, third-party intellectual property, privacy, or other rights, or other violations. New or changing statutes, regulations, or industry standards and practices may increase costs, restrict use cases, or require significant changes to our deployment or our existing systems and controls. If we fail to appropriately respond to changes within the AI landscape, including changing public sentiment, we could face legal, regulatory, or brand and stakeholder risk that may negatively impact our business, operations, financial results, financial condition, or reputation. In addition, the use of AI by companies has resulted in, and may in the future result in, cybersecurity breaches, attacks, and other similar incidents as well as data privacy violations.

---

## Modified: Strategic Risks

**Key changes:**

- Reworded sentence: "•Ineffective execution of strategic initiatives could adversely affect investor sentiment and the Company's business, financial condition, results of operations, prospects, and reputation."

**Prior (2025):**

- Ineffective execution of strategic initiatives could adversely affect investor sentiment and our business and financial results.
- Competition may reduce Truist's client base or cause Truist to modify the pricing or other terms for products and services, which could have an adverse impact on our business and financial results.
- Acquisitions, mergers, and divestitures introduce a broad range of anticipated and unanticipated risks, including unforeseen or negative consequences from supervisory or regulatory action that may limit Truist's ability to pursue and complete them.
- Truist has businesses other than banking that are subject to a variety of risks.

**Current (2026):**

- Ineffective execution of strategic initiatives could adversely affect investor sentiment and the Company's business, financial condition, results of operations, prospects, and reputation.
- Competition may reduce Truist's client base or cause Truist to modify the pricing or other terms for products and services, or require significant investments to maintain competitiveness, which could have an adverse impact on our business and financial results.
- Acquisitions, mergers, and divestitures introduce a broad range of anticipated and unanticipated risks, including unforeseen or negative consequences from supervisory or regulatory action that may limit Truist's ability to pursue and complete them, which may impair the Company's ability to expand or grow its client base, or execute on its strategic initiatives and compete effectively.
- Truist has businesses other than banking that are subject to a variety of risks that may affect our financial condition and results of operations.

---

## Modified: Market Risks

**Key changes:**

- Removed sentence: "The levels of or changes in interest rates could adversely affect our results of operations and financial condition."
- Removed sentence: "The Company's hedging strategies may not be successful in mitigating our interest rate, foreign exchange, and market risks, which could adversely affect our financial results."
- Reworded sentence: "Our financial results, the value of loans and debt securities we hold, and lending and other business activities have in the past, and may in the future, be adversely affected by weak or deteriorating economic conditions."
- Added sentence: "Changes in interest rates have affected our net interest income and other financial results in the past and could in the future adversely affect us."
- Added sentence: "The Company's hedging strategies may not be successful in mitigating our interest rate, foreign exchange, and market risks, which could adversely affect our results of operations and financial condition."

**Prior (2025):**

- The levels of or changes in interest rates could adversely affect our results of operations and financial condition.
- The Company's hedging strategies may not be successful in mitigating our interest rate, foreign exchange, and market risks, which could adversely affect our financial results.
- Changes in monetary, fiscal, and other policies, and changes in the U.S. political environment, could adversely affect us.
- Financial results, lending, and other business activities could be adversely affected by weak or deteriorating economic conditions.
- Geopolitical conditions, the outbreak or escalation of hostilities, acts or threats of terrorism, and related volatility and instability in global economic and market conditions could adversely affect us.

**Current (2026):**

- Changes in monetary, fiscal, and other policies, and changes in the U.S. political environment, could adversely affect us.
- Our financial results, the value of loans and debt securities we hold, and lending and other business activities have in the past, and may in the future, be adversely affected by weak or deteriorating economic conditions.
- Geopolitical conditions, the outbreak or escalation of hostilities, acts or threats of terrorism, and related volatility and instability in global economic and market conditions could adversely affect us.
- Changes in interest rates have affected our net interest income and other financial results in the past and could in the future adversely affect us.
- The Company's hedging strategies may not be successful in mitigating our interest rate, foreign exchange, and market risks, which could adversely affect our results of operations and financial condition.

---

## Modified: Risks Related to Estimates and Assumptions

**Key changes:**

- Reworded sentence: "Truist's business and operations rely significantly on the use of models, and any deficiencies in the design, implementation, or use of models could adversely affect our business, results of operations, and financial condition."

**Prior (2025):**

- Our business and operations make extensive use of models, and we could be adversely affected if our design, implementation, or use of models is flawed.
- We use estimates and assumptions in determining the value or amount of many of our assets and liabilities, and our business, financial condition, results of operations, and prospects could be adversely affected if these prove to be incorrect.
- Depressed market values for the Company's stock and adverse economic conditions sustained over a period of time may require the Company to write down all or some portion of the Company's goodwill.

**Current (2026):**

- Truist's business and operations rely significantly on the use of models, and any deficiencies in the design, implementation, or use of models could adversely affect our business, results of operations, and financial condition.
- Truist employs estimates and assumptions to determine the value or amount of many of our assets and liabilities, and if these estimates or assumptions prove inaccurate, our business, financial condition, results of operations, and prospects could be adversely affected.
- Depressed market values for the Company's stock and adverse economic conditions sustained over a period of time may require the Company to write down all or some portion of the Company's goodwill.

---

## Modified: Compliance, Regulatory, and Legal Risks

**Key changes:**

- Reworded sentence: "Truist is subject to supervision, regulation, and examination by the FRB, the FDIC, the NCCOB, the SEC, the CFTC, the CFPB, FINRA, the MSRB, the NFA, and various other federal and state regulatory agencies."
- Reworded sentence: "In addition to banking statutes and regulations, Truist is subject to various other laws that directly or indirectly affect its business and operations, including the products and services it may offer and the manner in which it may offer them and its ability to make distributions to shareholders."
- Reworded sentence: "Statutes and regulations that are applicable to us, and Truist's inability to act in certain instances without receiving prior regulatory approval, affect Truist's lending and deposit practices, capital structure, investment practices, dividend policy, ability to repurchase common stock, ability to pursue strategic acquisitions, and other activities."
- Removed sentence: "Any potential new regulations or modifications to existing regulations would likely necessitate changes to Truist's existing regulatory compliance and risk management infrastructure and could result in increased compliance costs."
- Reworded sentence: "No assurance can be given that applicable laws and policies will not be amended or construed differently, that new laws and policies will not be adopted, or that any of these laws and policies will not be enforced more aggressively, including as a result of changes to control of branches of the U.S."

**Prior (2025):**

Truist is subject to extensive and evolving government regulation and supervision, which could adversely affect our business, financial condition, results of operations, and prospects. The banking and financial services industries are highly regulated. Truist is subject to supervision, regulation, and examination by regulators, including the FRB, FDIC, NCCOB, SEC, CFTC, CFPB, FINRA, MSRB, NFA, and various other federal and state regulatory agencies. The regulatory and supervisory framework applicable to banking organizations is intended primarily for the protection of depositors and other customers, the DIF, the broader economy, and the stability of the U.S. financial system, rather than for the protection of shareholders and non-deposit creditors. In addition to banking statutes, regulations, and other laws, Truist is subject to various other laws that directly or indirectly affect its business and operations, including its ability to make distributions to shareholders. Governmental agencies and self-regulatory organizations also issue policy statements, interpretive letters, guidance, and other documents and communications that similarly impact Truist. The scope, complexity, intensity, and interpretation of these laws, documents, communications, and actions can vary based on such factors as the state of the economy, the prevailing political environment, and the performance of business and operations by us and other financial institutions. Truist is also subject to heightened requirements under the enhanced prudential standards and increased supervisory scrutiny, including, for example, single counterparty credit limits, heightened expectations with respect to governance, risk management and internal controls, and additional capital and liquidity requirements. 
These compliance risks relate to a wide variety of laws, rules, and regulations varying across Truist's lines of business, corporate functions, and jurisdictions, and include risks related to financial products and services, relationships and interactions with clients, and teammate activities. Compliance risks include those associated with anti-money laundering compliance, trading activities, market conduct, and the laws, rules, and regulations related to the offering of financial products and services. Compliance risk is also inherent in Truist's fiduciary activities, including the failure to exercise the applicable standard of care to act in the best interest of fiduciary clients or to treat fiduciary clients fairly. The regulation and supervision of Truist significantly affects the way that we conduct our business and operations. Laws and regulations that are applicable to us, and Truist's inability to act in certain instances without receiving prior regulatory approval, affect Truist's lending practices, capital structure, investment practices, dividend policy, ability to repurchase common stock, and ability to pursue strategic acquisitions, among other activities. Changes to statutes, regulations, or regulatory policies or their interpretation or implementation and the continued heightening of regulatory requirements could affect Truist in substantial and unpredictable ways. Federal and state banking regulators also possess broad powers to take supervisory actions as they deem appropriate. These supervisory actions may result in higher capital and liquidity requirements, higher deposit insurance premiums, higher compliance expenses, changes to our business or operations, and monetary penalties. These actions could also negatively impact the products and services that we offer and our ability to engage in business opportunities. 
The restrictions imposed by any of these actions could have an adverse effect on our operations, strategy, profitability, and reputation. Truist has elected to be treated as an FHC, which permits us to engage in a number of financial and related activities beyond banking, including securities, advisory, and merchant banking activities. Truist and Truist Bank are subject to ongoing requirements for Truist to qualify as an FHC. If a BHC or any of its insured depository institutions were found not to be well capitalized or well managed, as defined under applicable law, the BHC can be restricted from engaging in the broader range of financial and related activities permitted for FHCs, including the ability to acquire companies engaged in those activities, and can be required to discontinue these activities or even divest any of its insured depository institutions. In addition, if an insured-depository-institution subsidiary of a BHC were to fail to achieve a satisfactory or better rating under the CRA, the ability of the BHC to expand its financial and related activities or make acquisitions could be restricted. Financial regulators' prudential and supervisory authority gives them broad power and discretion to direct Truist's actions, and they have assumed an active oversight, examination, and enforcement role across the financial services industry on both the federal and state levels. 
Areas of focus in the recent past have been with respect to climate change, deposits, interest-rate risk management, commercial real estate, risk governance and controls, capital, liquidity, long-term debt requirements, consumer loan practices, data privacy, data protection, cybersecurity, overdraft and other fees, retention and recordkeeping of electronic communications, reimbursement for fraudulent transactions, and other compliance matters. Truist must comply with laws and regulations relating to AML, economic sanctions, embargo programs, and anti-corruption, which can increase its risks of non-compliance and costs associated with the implementation and maintenance of complex compliance programs. These laws and regulations are designed to protect the financial system, consumers, and financial institutions from bad actors and illicit activities by requiring financial institutions to develop and implement programs designed to deter and when possible detect and prevent the use of the financial system to facilitate the funding of criminal activities. Federal law grants substantial enforcement powers to federal financial institution regulators, OFAC, and the U.S. DOJ, among other government agencies, with respect to these laws and regulations. This enforcement authority includes, among other things, the ability to: assess significant civil or criminal monetary penalties, fines, or restitution; issue cease and desist or prohibition orders; and initiate injunctive actions against financial institutions and institution-affiliated parties, including individual teammates. These enforcement actions may be initiated for violations of laws and regulations or unsafe and unsound practices. 
Additionally, actual or alleged misconduct by teammates, including unethical, fraudulent, improper, or illegal conduct, or unfair, deceptive, abusive, or discriminatory practices, can result in litigation, or government investigations and enforcement actions, and cause significant reputational harm to Truist, even if allegations are ultimately unsubstantiated. The Company and other large financial institutions have become subject to increased scrutiny, more intense supervision and regulation, and more supervisory findings and actions, with increased operational and compliance costs, as well as impacts on geographic expansion and acquisitions, which may continue. The financial services industry has faced and may continue to face a stricter and more aggressive enforcement of laws at federal, state, and local levels - particularly in connection with business and other practices that may harm or appear to harm consumers or affect the financial system more broadly. Truist expects to remain subject to extensive regulation and supervision. Any potential new regulations or modifications to existing regulations would likely necessitate changes to Truist's existing regulatory compliance and risk management infrastructure and could result in increased compliance costs. Our regulatory and supervisory environments, whether at federal, state, or local levels, are not static. No assurance can be given that applicable statutes, regulations, and other laws will not be amended or construed differently, that new laws will not be adopted, or that any of these laws will not be enforced more aggressively, including as a result of changes to control of branches of the U.S. government. Truist could become subject to future legislation and regulatory requirements beyond those currently proposed, adopted, or contemplated in the U.S. 
or abroad, including limits on acquisitions, more stringent capital and liquidity requirements, policies and rulemaking related to emerging technologies, cybersecurity, and data, and climate risk management, governance, and reporting, including emissions and sustainability disclosure. In addition, concerns over climate change may prompt changes in regulations that, in turn, could have an adverse impact on asset values and the financial performance of Truist's businesses and its clients. The cumulative effect of such legislation and regulations on Truist's business, operations, and profitability cannot be accurately predicted. Such regulatory changes may reduce Truist's revenues, limit the types of financial services and products it may offer, alter the investments it makes, affect the manner in which it operates its businesses, increase its litigation and regulatory costs, and increase the ability of nonbanks to offer competing financial services and products. Further, our noncompliance with applicable laws, whether as a result of changes in interpretation or enforcement, system or human errors, or otherwise and, in some cases, regardless of whether noncompliance was inadvertent, can result in the suspension or revocation of authority to conduct business operations and in the initiation of supervisory actions, enforcement proceedings, or private litigation. Truist also relies upon third parties who may expose the Company to compliance and legal risk. New or existing legal requirements also could heighten the reputational impact of perceived misuses of client data by the Company and third parties. See additional disclosures in the "Regulatory Considerations" section in Item 1 "Business." Regulatory capital and liquidity standards and future revisions to them may negatively impact our business and financial results. Truist is subject to regulatory capital and liquidity requirements established by the FRB and the FDIC. 
These regulatory capital and liquidity requirements are typically developed at an international level by the BCBS and then applied, with adjustments, in each country by the appropriate domestic regulatory bodies. Domestic regulatory agencies have the ability to apply stricter capital and liquidity standards than those developed by the BCBS. In several instances, the U.S. banking agencies have done so with respect to U.S. banking organizations. Requirements to maintain specified levels of capital and liquidity and regulatory expectations as to the quality of the Company's capital and liquidity may prevent the Company from taking advantage of opportunities in the best interest of shareholders or force the Company to take actions contrary to their interests. For example, Truist may be limited in its ability to pay or increase dividends or otherwise return capital to shareholders. In addition, these requirements may impact the amount and type of loans the Company is able to make. Truist may be constrained in its ability to expand, either organically or through mergers and acquisitions. These requirements may cause the Company to sell or refrain from acquiring assets where the capital requirements appear inconsistent with the assets' underlying risks. In addition, liquidity standards require the Company to maintain holdings of highly liquid investments, thereby reducing the Company's ability to invest in less liquid assets, even if more desirable from a balance sheet return or interest rate risk management perspective. As a Category III banking organization, Truist is subject to additional capital and liquidity requirements. 
For example, Truist is subject to a requirement to submit capital plans to the Federal Reserve for review that include, among other things, projected dividend payments and repurchases of capital stock. As part of the capital planning and stress testing processes, our capital actions are assessed against our ability to satisfy applicable capital requirements in the event of a stressed market environment. If we fail to satisfy applicable capital requirements, including the SCB, our ability to undertake capital actions may be restricted. In addition to the regulatory capital and liquidity requirements applicable to Truist and Truist Bank, the Company's broker-dealer subsidiaries are subject to capital requirements established by the SEC. Regulatory capital and liquidity requirements receive periodic review and revision by the BCBS and the U.S. banking agencies. Proposed changes to applicable capital and liquidity requirements, such as the Basel III proposal and the long-term debt proposal, could result in increased expenses or cost of funding, which could negatively affect our financial results or our ability to pay dividends and engage in share repurchases. For more information concerning our legal and regulatory obligations with respect to Basel III and long-term debt requirements, please see "Regulatory Considerations" in Item 1 "Business." Truist is subject to risks related to originating and selling loans, including repurchase and indemnification obligations. When loans are sold or securitized, it is customary to make representations and warranties to the purchaser about the loans, including the manner in which they were originated, and to agree to repurchase the loans or indemnify the buyer in the event of a breach of the sale agreement, including a breach of these representations or warranties. 
An increase in the number of repurchase and indemnity demands from purchasers related to representations and warranties on sold loans could result in an increase in the amount of losses for loan repurchases. Truist also bears a risk of loss from borrower defaults for multi-family commercial mortgage loans sold to FNMA. In addition to repurchase claims from GSEs, Truist could be subject to indemnification claims from non-GSE purchasers of the Company's loans. Claims could be made if the loans sold fail to conform to statements about their quality, the manner in which the loans were originated and underwritten, or their compliance with state and federal law. Additional factors affecting the extent to which we may securitize loans and receivables in the future include the overall credit quality of our loans and receivables, the costs of securitizing our loans and receivables, the demand for consumer asset-backed securities and the legal, regulatory, accounting or tax rules affecting securitization transactions and asset-backed securities, generally. In addition, proposals regarding reform to the U.S. housing finance market could impact our decisions regarding which loans should be securitized in the future. Truist faces risks as a servicer of loans. The Company acts as servicer for a range of assets and products, primarily for loans in securitizations and unsecuritized loans owned by investors. As servicer for loans, the Company has certain contractual obligations to the securitization trusts, investors, or other third parties, including foreclosing on defaulted loans or, to the extent consistent with the applicable securitization or other investor agreement, considering alternatives to foreclosure such as loan modifications or short sales. Generally, the Company's servicing obligations are set by contract, for which the Company receives a contractual fee. 
However, GSEs can amend their servicing guidelines unilaterally for certain government guaranteed mortgages, which can increase the scope or costs of the services required without any corresponding increase in the Company's servicing fee. Federal and state laws that impose additional servicing requirements could increase the scope and cost of the Company's servicing obligations. As a servicer, the Company also advances expenses on behalf of investors, which it may be unable to collect. A material breach of the Company's obligations as servicer may result in contract termination if the breach is not cured within a specified period of time following notice, causing the Company to lose servicing income. In addition, the Company may be required to indemnify the securitization trustee or other holder of the loan against losses from any failure by the Company, as a servicer, to perform the Company's servicing obligations or any act or omission on the Company's part that involves willful misfeasance, bad faith, or gross negligence. For certain investors and certain transactions, Truist may be contractually obligated to repurchase a loan or reimburse the investor for credit losses incurred on the loan as a remedy for servicing errors with respect to the loan. The Company may be subject to increased repurchase or indemnity obligations as a result of claims made that the Company did not satisfy its obligations as a servicer. The Company may also experience increased loss severity on repurchases, which may require a material increase to the Company's repurchase reserve. While the number of such indemnification claims has been small, these could increase in the future. Truist faces substantial risks in safeguarding personal and other sensitive information. 
Truist's businesses are subject to complex and evolving laws, rules, and regulations governing data privacy, data protection, and cybersecurity, particularly with respect to the privacy and protection of personal information of individuals. Individuals whose personal information may be protected by law can include the Company's clients (and in some cases its clients' clients), prospective clients, job applicants, teammates, and the employees of the Company's vendors, and other third parties. Complying with the laws, rules, and regulations applicable to the Company's disclosure, collection, use, sharing, storage, and other processing of personal information can increase operating costs, impact the development of new products or services, and reduce operational efficiency. Any mishandling or misuse of personal information by the Company or a third-party affiliated with the Company could expose the Company to litigation or regulatory fines, penalties, or other sanctions. Additional risks could arise from the failure of the Company or third parties to provide adequate disclosure or transparency to the Company's clients about the personal information collected from them and the use of such information; to receive, document, and honor the privacy preferences expressed by the Company's clients; to protect personal information from unauthorized disclosure; or to maintain training on data privacy, data protection, or cybersecurity practices for all teammates or third parties who have access to personal information. Concerns regarding the effectiveness of Truist's measures to safeguard personal information, or even the perception that those measures are inadequate, could cause Truist to lose existing or potential clients, and thereby reduce Truist's revenues. 
Furthermore, any failure or perceived failure by the Company to comply with applicable data privacy, data protection, or cybersecurity laws, rules, or regulations may subject it to inquiries, examinations, and investigations that could result in requirements to modify or cease certain operations or practices, significant liabilities or regulatory fines, penalties, or other sanctions. Any of these could damage Truist's reputation and otherwise adversely affect its businesses. In recent years, well-publicized incidents involving the inappropriate disclosure, collection, use, sharing, storage, and other processing of personal information have led to expanded governmental scrutiny of practices relating to the safeguarding of personal information by companies. That scrutiny has in some cases resulted in, and could in the future lead to, the adoption of stricter laws, rules, and regulations relating to the disclosure, collection, use, sharing, storage, and other processing of personal information. Truist will likely be subject to new and evolving data privacy, data protection, and cybersecurity laws, rules, and regulations in the U.S. and abroad, which could result in additional costs of compliance, litigation, regulatory fines, and enforcement actions. These types of laws, rules, and regulations could prohibit or significantly restrict financial services firms such as Truist from sharing information among affiliates or with third parties such as vendors, and thereby increase compliance costs, or could restrict Truist's use of personal information when developing or offering products or services to clients. These restrictions could also inhibit Truist's development or marketing of certain products or services or increase the costs of offering them to clients. For more information concerning our legal and regulatory obligations with respect to data privacy, data protection, and cybersecurity, please see "Privacy, Data Protection, and Cybersecurity" in Item 1 "Business." 
Differences in regulation and supervision can affect the Company's ability to compete effectively. The content and application of laws and regulations affecting financial services firms sometimes vary according to factors such as the size of the firm, the jurisdiction in which it is organized or operates, and other criteria. Large institutions, such as the Company, often are subject to more stringent regulatory requirements and supervision than smaller institutions. In addition, financial technology companies and other non-traditional competitors may not be subject to banking regulation or may be supervised by a national or state regulatory agency that does not have the same regulatory priorities or supervisory requirements as the Company's regulators. These differences in regulation can impair the Company's ability to compete effectively with competitors that are less regulated and do not have similar compliance costs.

**Current (2026):**

Truist is subject to extensive and evolving government regulation and supervision, which could adversely affect our business, financial condition, results of operations, and prospects. The banking and financial services industries are highly regulated. Truist is subject to supervision, regulation, and examination by the FRB, the FDIC, the NCCOB, the SEC, the CFTC, the CFPB, FINRA, the MSRB, the NFA, and various other federal and state regulatory agencies. The regulatory and supervisory framework applicable to banking organizations is intended primarily for the protection of depositors and other customers, the DIF, and the role and stability of the U.S. financial system, rather than for the protection of shareholders and non-deposit creditors. In addition to banking statutes and regulations, Truist is subject to various other laws that directly or indirectly affect its business and operations, including the products and services it may offer and the manner in which it may offer them and its ability to make distributions to shareholders. The regulation and supervision of Truist significantly affects the way that we conduct our business and operations. Statutes and regulations that are applicable to us, and Truist's inability to act in certain instances without receiving prior regulatory approval, affect Truist's lending and deposit practices, capital structure, investment practices, dividend policy, ability to repurchase common stock, ability to pursue strategic acquisitions, and other activities. Regulatory policies and supervisory expectations can have this effect as well. Changes to statutes, regulations, or regulatory policies or their interpretation or implementation by supervisors or other governmental authorities can affect Truist in substantial and unpredictable ways. 
We have in the past and may in the future be subject to formal or informal enforcement or supervisory actions as a result of one or more of our supervisors determining that we have failed to comply with applicable law, comport with safe and sound practices, or meet supervisory expectations. These actions, some of which are considered confidential supervisory information, can result in higher capital and liquidity requirements, higher deposit insurance premiums, higher compliance expenses, changes to our business or operations, and monetary penalties. These actions also can negatively impact the products and services that we offer and our ability to engage in business opportunities. The restrictions imposed by any of these actions could have an adverse effect on our strategy, profitability, and reputation. Truist has elected to be treated as an FHC, which permits us to engage in a number of financial and related activities beyond banking such as securities underwriting and merchant banking. FHCs and their IDI subsidiaries are subject to ongoing requirements to continue to qualify as an FHC. If an FHC or any of its IDIs were found not to be well-capitalized or well managed as defined by applicable law, the FRB may impose corrective capital and managerial requirements on the FHC, which could impact resources and limit amounts otherwise available to creditors and shareholders. In such a situation, the FRB may also place limitations on the ability of the FHC to conduct certain business activities that FHCs are generally permitted to conduct as well as the FHC's ability to make certain acquisitions. If the failure to meet these standards persists, the FHC may be required to divest its IDI subsidiaries or cease all activities other than those activities that may be conducted by BHCs that are not FHCs. 
Furthermore, if an IDI subsidiary of an FHC has not maintained a satisfactory CRA rating, the FHC would not be able to commence any new financial activities or acquire a company that engages in such activities, although the FHC would still be allowed to engage in activities closely related to banking and make investments in the ordinary course of conducting banking activities. U.S. BHCs, including Truist, are subject to a range of prudential standards and requirements based on their size and complexity. Truist is subject to more stringent liquidity and capital requirements, leverage limits, internal and supervisory stress testing requirements, single-counterparty credit limits, resolution planning requirements, and enhanced risk management standards compared to smaller institutions, while certain larger or more complex banking organizations are subject to even more stringent prudential standards and requirements than Truist. These differing standards and requirements can put Truist at a competitive disadvantage compared to other banking organizations. Financial regulators' prudential and supervisory authority gives them broad power and discretion to direct Truist's actions, and they have assumed an active oversight, examination, and enforcement role across the financial services industry on both the federal and state levels. Areas of focus in the recent past have included fair access to banking, deposits, interest-rate risk management, commercial real estate, risk governance and controls, capital, liquidity, long-term debt requirements, consumer loan practices, data privacy, data protection, cybersecurity, overdraft and other fees, retention and recordkeeping of electronic communications, reimbursement for fraudulent transactions, and other compliance matters.
The content of the regulatory framework and the intensity of supervision have in the past and are likely in the future to vary over time based on factors such as prevailing economic and political conditions, the policy preferences of the relevant government agencies, the perceived performance of the financial services industry, the size of the company, and the jurisdiction in which a company is organized or operates. This variation has in the recent past and may in the future be frequent and volatile. In times of heightened legislative, regulatory, or supervisory focus on the financial services industry, the Company and other large financial institutions are subject to increased scrutiny, more intense supervision and regulation, and more supervisory findings and actions, with increased operational and compliance costs as well as impacts on business and geographic expansion and acquisitions. The financial services industry also has faced and may continue to face varying degrees of enforcement of laws at federal, state, and local levels - particularly in connection with business and other practices that may harm or appear to harm consumers or affect the financial system more broadly. Truist expects to remain subject to extensive regulation and supervision. Our regulatory and supervisory environments, whether at federal, state, or local levels, are not static. No assurance can be given that applicable laws and policies will not be amended or construed differently, that new laws and policies will not be adopted, or that any of these laws and policies will not be enforced more aggressively, including as a result of changes to control of branches of the U.S. government. Moreover, political and policy goals of elected and appointed officials may change over time, which could impact the rulemaking, supervision, examination, and enforcement priorities of federal and state regulators. 
It is possible that expected changes in law and policy do not occur or are reversed subsequently or that the regulatory measures ultimately adopted deliver fewer or no competitive advantages to us and significant competitive advantages to financial services providers that are larger or smaller, are structured differently, or serve different markets than us. Truist could become subject to future legislation and regulatory requirements beyond those currently proposed, adopted, or contemplated in the U.S. or abroad, including limits on acquisitions, more stringent capital and liquidity requirements, and policies and rulemaking related to emerging technologies such as stablecoins and digital assets, cybersecurity, and AI and data. The cumulative effect of such legislation and regulations on Truist's business, operations, and profitability cannot be accurately predicted, but any of these impacts would likely necessitate changes to Truist's existing regulatory compliance and risk management infrastructure and could result in increased compliance costs. Such legislation and regulation also may reduce Truist's revenues, limit the types of financial services and products it may offer, alter the investments it makes, affect the manner in which it operates its businesses, increase its litigation and regulatory costs, and enhance the ability of nonbanks to offer competitive financial services and products. Further, our noncompliance with applicable laws, whether as a result of changes in interpretation or enforcement, system or human errors, or otherwise and, in some cases, regardless of whether noncompliance was inadvertent, can result in the suspension or revocation of authority to conduct business operations and in the initiation of supervisory actions, enforcement proceedings, or private litigation. Truist also relies upon third parties who may expose the Company to compliance and legal risk. 
The Company may incur damages, fines, and penalties and face other negative consequences from supervisory actions and regulatory or other legal violations, including inadvertent or unintentional violations. Truist's compliance risks relate to a wide variety of statutes, rules, regulations, and other laws spanning its lines of business, corporate functions, and jurisdictions, including risks related to financial products and services, relationships and interactions with clients, teammate activities, anti-money laundering compliance, trading activities, and market conduct. Compliance risk is also inherent in Truist's fiduciary activities, including applicable requirements to act in the best interest of fiduciary clients and to treat fiduciary clients fairly. Truist maintains systems and procedures designed to support its compliance with applicable statutes, regulations, and other laws, but there can be no assurance that these systems and procedures will be effective. In addition to fines and penalties, the Company may suffer other negative consequences from supervisory actions and regulatory violations, including restrictions on certain activities and damage to the Company's reputation, which in turn might adversely affect the Company's business and results of operations. Federal and state law grants substantial enforcement and supervisory powers to federal and state regulators and law enforcement agencies if they determine that regulated entities have failed to comply with applicable law, comport with safe and sound practices, or meet supervisory expectations.
This enforcement and supervisory authority includes the ability to assess significant civil or criminal monetary penalties, fines, or restitution; to issue cease and desist or removal orders; to issue formal and informal enforcement orders; and to initiate injunctive actions against banking organizations and institution-affiliated parties. Additionally, actual or alleged misconduct by teammates, including unethical, fraudulent, improper, or illegal conduct, or unfair, deceptive, abusive, or discriminatory practices, can result in litigation, government investigations, and enforcement actions and cause significant reputational harm to Truist, even if allegations are ultimately unsubstantiated. In addition, governmental authorities have, at times, sought criminal penalties against companies in the financial services sector for violations, and, at times, have required an admission of wrongdoing, criminal pleas, or other extraordinary terms from financial institutions in connection with resolving such matters. Criminal convictions or criminal pleas or admissions of wrongdoing in a settlement with the government can lead to greater exposure in civil litigation, reputational harm, and other significant collateral consequences, such as restrictions on engaging in new activities or acquisitions, loss of clients, restrictions on the ability to access the capital markets, and the inability to operate certain businesses or offer certain products for a period of time. The Company is regularly subject to regulatory investigations, examinations, and other initiatives by governmental authorities that, if adversely determined against the Company, may subject us to litigation, settlements, fines, penalties, or other sanctions and may require us to engage in remediation, provide restitution to clients, restructure our operations and activities, or cease offering certain products or services. 
Any of these potential outcomes could harm the Company's business, financial condition, results of operations, prospects, or reputation or could result in collateral or ancillary consequences. In addition, our exposure to legal and regulatory matters can be unpredictable and could, in some cases, exceed the Company's accruals for those matters. Pending or threatened legal proceedings and other matters may adversely affect the Company's business, financial condition, results of operations, prospects, and reputation. In the ordinary course of its business, the Company is subject to lawsuits, claims, and formal and informal enforcement activity, including regulatory investigations, either directly or indirectly through our ownership interests in other entities. The volume of legal proceedings against participants in the financial services industry, including the Company, is substantial, and enforcement actions by regulatory authorities can vary with the regulatory environment. Legal proceedings against financial services firms may increase depending on factors such as prevailing economic and political conditions, the policy preferences of the relevant government agencies, and changes in law. Heightened regulatory scrutiny or the results of an investigation or examination may lead to additional regulatory investigations or enforcement actions. Those actions could result in regulatory settlements or enforcement orders against Truist. Furthermore, a single event involving a potential violation of law may give rise to numerous and overlapping investigations and proceedings by multiple federal and state agencies and officials. 
In addition, if one or more financial institutions are found to have violated a law relating to certain business activities, this could lead to investigations by regulators or other governmental agencies of the same or similar activities by other financial institutions, including Truist, and large fines and remedial measures that may have been imposed in resolving earlier investigations for the same or similar activities at other financial institutions may be used as the basis for future settlements. Truist can also be subject to lawsuits, claims, and enforcement activity indirectly through its ownership of interests in other entities. These other entities can themselves be subject to government regulation, supervision, and examination, and determinations that they have failed to comply with applicable law, comport with safe and sound practices, or meet supervisory expectations could have negative consequences for Truist, including a decrease in the value of Truist's investment in the other entity, damage to Truist's reputation from being an owner or otherwise associated with the other entity, or a requirement for Truist and the other owners to contribute funds to pay for judgments, settlements, fines, or client redress arising from the lawsuits, claims, or enforcement activity. In addition, these determinations could lead to lawsuits, claims, or enforcement activity directly against the owners of the other entity, including Truist. Claims and legal actions, including class action lawsuits and enforcement proceedings, could involve large monetary amounts and significant defense costs and could result in settlements, judgments, or orders that include penalties, fines, injunctions, or other forms of relief that are adverse to the Company. Responding to inquiries, investigations, lawsuits, and other proceedings is time-consuming and expensive and can divert management attention from Truist's business and operations. 
The outcome of any claims and legal actions, as well as the timing of any ultimate resolutions, may be difficult to predict or estimate. Actual legal and other costs arising from claims and legal actions may be greater than the Company's accruals. Further, the Company may not have accruals for all claims and legal actions where we face a risk of significant loss. The ultimate resolution of a pending claim or legal action could adversely affect the Company's results of operations and financial condition or cause significant reputational harm, which may adversely impact the Company's business and prospects. Further, the Company may be exposed to substantial uninsured liabilities, which could adversely affect the Company's results of operations and financial condition. Refer to the "Legal Proceedings and Other Legal Matters" section in "Note 16. Commitments and Contingencies" for additional information. Regulatory capital and liquidity standards applicable to large banking organizations and future revisions to existing standards may negatively impact our business, financial results, financial condition, growth, profitability, or our ability to return capital to shareholders. Truist and Truist Bank are subject to risk-based and leverage regulatory capital requirements, which are established by the FRB for Truist and by the FDIC for Truist Bank. Failure of an FHC or an IDI to be well-capitalized as defined by applicable law or to meet minimum capital requirements can result in enforcement and other supervisory actions and have a significantly adverse impact on the institution's business and operations. Certain BHCs and their bank subsidiaries, including Truist and Truist Bank, are subject to a minimum LCR and NSFR. The U.S.
risk-based regulatory capital rules are based on the Basel Framework developed by the BCBS for strengthening the regulation, supervision, and risk management of banks as well as certain provisions of the Dodd-Frank Act. These rules prescribe minimum capital levels and allow the FRB and the FDIC to impose incremental capital requirements on a banking organization based on its size, complexity, or risk profile to enhance its ability to operate in a safe and sound manner. In several instances, the U.S. banking agencies have applied stricter capital and liquidity standards to U.S. banking organizations. Requirements to maintain specified levels of capital and liquidity and regulatory expectations as to the quality of the Company's capital and liquidity may prevent the Company from taking advantage of opportunities in the best interest of shareholders or force the Company to take actions contrary to their interests. For example, Truist may be required to take steps to increase its capital, increase its investment security holdings, or otherwise change aspects of its capital or liquidity measures, including in ways that could be dilutive to shareholders or could limit our ability to pay or increase dividends or to engage in share repurchases. In addition, these requirements may impact the amount and type of loans the Company is able to make. Truist may also be constrained in its ability to expand, either organically or through mergers and acquisitions. These requirements may cause the Company to sell or refrain from acquiring assets where the capital requirements appear inconsistent with the assets' underlying risks. In addition, liquidity standards require the Company to maintain holdings of highly liquid investments, thereby reducing the Company's ability to invest in less liquid assets, even if more desirable from a balance sheet return or interest rate risk management perspective. 
As a Category III banking organization, Truist is subject to additional capital and liquidity requirements. For example, Truist is subject to a requirement to submit capital plans to the FRB for review that include, among other things, projected dividend payments and repurchases of capital stock. As part of the capital planning and stress testing processes, our planned capital actions are assessed against our projected ability to satisfy applicable capital requirements under a hypothetical scenario reflecting severe stress in the broader economy. If we are projected to fail to satisfy applicable capital requirements over the stress test horizon, including the SCB, our ability to undertake capital actions may be restricted. In addition to the regulatory capital and liquidity requirements applicable to Truist and Truist Bank, the Company's broker-dealer subsidiaries are subject to capital requirements established by the SEC. Regulatory capital and liquidity requirements receive periodic review and revision by the BCBS and the U.S. banking agencies. Differences in, or changes to, regulation and supervision and industry disruption can affect the Company's ability to compete effectively, which may adversely affect our business, financial condition, financial results, or growth. Because prudential standards and requirements are typically based on the size and complexity of the firm, large institutions, such as the Company, often are subject to more stringent regulatory requirements and supervision than smaller and less complex institutions. Changes in capital requirements, including any easing of capital requirements for our larger bank competitors, may result in increased competition and challenge our ability to execute on our growth strategies and branch expansion. 
Competition is arising from limited purpose banks and nonbanks involved in digital assets, stablecoins, cryptocurrencies, tokenization, and similar products, services, and technologies that enable financial services and transactions without or with less intermediation by commercial banks. Stablecoins, digital assets, and distributed ledger technologies are being designed to enable lower-cost payments and transactions, with quicker settlement, that may shift deposits, lending, and payment flows to limited purpose banks and nonbanks. These limited purpose bank and nonbank competitors may not be subject to banking regulation, may be subject to less stringent regulation, or may be supervised by a federal or state regulatory agency that does not have the same regulatory priorities or supervisory requirements as the Company's regulators. These differences in regulation can impair the Company's ability to compete effectively with competitors that are less regulated and do not have similar compliance costs. Actions or initiatives by federal and state governmental authorities, including the U.S. banking agencies, may also provide competitors with increased opportunities to derive competitive advantages and may create new competitors. These actions or initiatives may include more accommodative positions on the processing and approval of traditional bank charters and deposit insurance, expanded access to the banking and payments systems through the approval of competitors, including competitors with novel business models, to hold specialized charters, or more accommodative positions on novel activities performed by banks or nonbanks. 
Truist faces risks of non-compliance and may incur additional operational and compliance costs under laws relating to anti-money laundering, economic sanctions, embargo programs, anti-bribery, and anti-corruption. Truist must comply with statutes and regulations relating to anti-money laundering, economic sanctions, embargo programs, anti-bribery, and anti-corruption, which increases the risk of non-compliance with applicable law and costs associated with the implementation and maintenance of complex compliance programs. The rapid evolution of technology, including the growth of digital assets, stablecoins, cryptocurrencies, tokenization, and blockchain and other distributed ledger technologies, introduces additional challenges to traditional client due diligence, transaction monitoring, and suspicious activity reporting required by applicable law. The BSA, as amended by the Patriot Act, and its implementing regulations require financial institutions, including IDIs such as Truist Bank, broker-dealers, and other financial institutions, to develop and implement BSA/AML compliance programs that detect and report financial crimes. The BSA and its implementing regulations also strengthen the ability of U.S. law enforcement agencies and the intelligence community to disrupt and prevent money laundering, the financing of terrorism, and related crimes. In addition, U.S. persons, including entities like Truist, must comply with sanctions programs administered by OFAC and the U.S. Department of State. These sanctions programs prohibit, among other things, financial transactions involving certain individuals, entities, countries, and territories that are the subject of U.S.
economic sanctions and impose other restrictions on certain investments and dealings, including requirements to block assets. Federal law grants substantial enforcement powers to U.S. banking agencies, FinCEN, OFAC, the U.S. DOJ, and other government agencies with respect to BSA and OFAC compliance, including through examination and ongoing monitoring. This enforcement authority includes the ability to assess significant civil and criminal monetary penalties, fines, and restitution; to issue cease and desist or prohibition orders; to initiate injunctive actions against financial institutions and institution-affiliated parties; and to impose restrictions on business, including bank and BHC mergers and acquisitions. These enforcement actions may be initiated for violations of statutes and regulations or for unsafe and unsound practices and could result in substantial negative shareholder reaction, reputational damage, and adverse effects on our financial condition and results. Given the rapid development and cross-border nature of these criminal activities that are enabled by evolving technologies, any failure to adapt and modernize our BSA/AML compliance program, processes, and procedures may result in material compliance gaps, adverse enforcement actions, and civil and legal penalties.

---

## Modified: Additional Risks

**Key changes:**

- Reworded sentence: "Negative public opinion, whether or not warranted, could damage the Company's brand in the market and relationships with stakeholders, and adversely impact our business, financial condition, results of operations, and prospects."
- Reworded sentence: "Transition risks, including changes in consumer preferences, longer-term shifts in market dynamics, changes in or additional regulatory requirements or taxes, and additional counterparty or client requirements, could have an adverse impact on asset values and the financial performance of Truist's businesses, and those of its clients, and could be exacerbated in specific industries that may be more sensitive or vulnerable to a transition to a lower-carbon economy."
- Reworded sentence: "While material impact from climate change is expected to occur over a longer time horizon, the acceleration of a transition to a lower-carbon economy could present idiosyncratic risks for individual companies."
- Reworded sentence: "Additionally, the Company faces potential brand and stakeholder risks as a result of its practices related to climate change, including as a result of the Company's direct or indirect involvement, or lack of involvement, in certain industries, in particular those involved in fossil fuels, as well as any decisions management makes in response to managing climate risk, especially as views on climate-related matters become subject to increased polarization."
- Reworded sentence: "Truist may incur additional costs and require additional resources as it evolves its strategy, practices, and related disclosures with respect to these matters."

**Prior (2025):**

Physical, transition, and other risks associated with climate change, together with governmental responses to them, may negatively impact our business, operations, reputation, and clients. Climate change presents physical risks from the direct impacts of changing climate patterns and acute weather events, such as damage to physical assets and service disruptions, and transition risks from changes in regulations, disruptive technologies, and shifting market dynamics towards a lower carbon economy. The physical risks of climate change include discrete events, such as flooding, hurricanes, tornadoes, and wildfires, and longer-term shifts in climate patterns, such as extreme heat, sea level rise, and more frequent and prolonged drought. Physical risks may alter the Company's strategic direction in order to mitigate certain financial risks. Such events could also disrupt the Company's operations or those of its clients or third parties the Company relies on, not only through direct damage to assets, but also from indirect impacts due to supply chain disruption and market volatility. Physical risks ultimately could result in declines in asset values (which could be exacerbated by specific portfolio or geographic concentrations), reduced availability and therefore increased costs of insurance for our clients and third parties, interruptions of supply chains and business operations, and population migration or depressed economies and increased unemployment in affected regions, any or all of which could result in increased credit risk to Truist or have other negative impacts. 
Transition risks, including changes in consumer preferences, longer-term shifts in market dynamics, additional regulatory requirements or taxes, and additional counterparty or client requirements, could have an adverse impact on asset values and the financial performance of Truist's businesses, and those of its clients, and could be exacerbated in specific industries that may be more sensitive or vulnerable to a transition to a low carbon economy. Climate change could also present incremental risks to the execution of the Company's long-term strategy. While material impact from climate change is expected to occur over a longer time horizon, the acceleration of a transition to a low-carbon economy could present idiosyncratic risks for individual companies. Additionally, transitioning to a low-carbon economy will entail extensive policy, legal, technology, and market initiatives. Transition risks could result in the sudden devaluation of assets, increased costs for energy and operations, and therefore could have unforeseen and negative consequences on business models for us, our clients and other third parties. Governments have been focused on the effects of climate change and environmental issues, and how they act to mitigate related risks could have an adverse effect on our business and financial results. This focus could ultimately result in legislation or regulations that could, among other things: directly or indirectly compel us to alter our businesses or operations in ways that would be detrimental to our results of operations and prospects; negatively impact our capital plans; or cause us to incur additional capital, compliance, and other costs. 
Additionally, the Company faces potential reputational risks as a result of its practices related to climate change, including as a result of the Company's direct or indirect involvement, or lack of involvement, in certain industries, as well as any decisions management makes in response to managing climate risk, especially as views on climate-related matters become subject to increased polarization. Further, there is increased scrutiny of climate change-related policies, goals, and disclosures, which could result in litigation and regulatory investigations and actions or reputational damage. We may incur additional costs and require additional resources as we evolve our strategy, practices, and related disclosures with respect to these matters. The Company is at risk of increased losses from fraud. Increased and evolving activity perpetrated by bad actors intending to defraud, misappropriate property, or circumvent the law using different channels, products, and means may outpace and outmaneuver the Truist control environment and monitoring activities impacting clients, teammates, and stakeholders. Fraud attacks in the banking sector have surged in recent years, driven by increasingly sophisticated and rapid techniques. Many bad actors, often linked to large criminal organizations, share strategies to execute schemes, such as debit and credit card fraud, peer-to-peer payment fraud, counterfeit checks, social engineering, ATM skimming, and phishing, and recent advances in artificial intelligence may make it more difficult to detect fraud. Fraudulent schemes exploit products like real-time payments, ACH, and wire transfers to steal funds. Fraudsters impersonate legitimate clients using stolen identities, employ other individuals to interact with Truist, or create fraudulent identities. In some cases, fraud is even committed by existing clients.
A failure to detect, prevent, and address fraud could result in financial loss to the Company or its clients, loss of confidence in the Company's security measures, client dissatisfaction, litigation exposure, regulatory investigations, fines, penalties or intervention, reimbursement, or other compensatory costs (including the costs of credit monitoring services), additional compliance costs, and harm to the Company's reputation, all of which could adversely affect the Company. Natural disasters, pandemics, and other catastrophic events could adversely impact us. The occurrence of, or increased severity and frequency of, natural disasters, extreme weather events, health crises, disease outbreaks or pandemics, or other catastrophic events, as well as government actions or other restrictions in connection with such events, could adversely affect the Company's financial condition or results of operations. Truist has significant operations and clients along the Gulf and Atlantic coasts as well as other regions of the U.S., which could be adversely impacted by hurricanes, wildfires, flooding, tornadoes, and other severe weather in those areas. Rising insurance costs as well as decreasing insurance provider options resulting from natural disasters, extreme weather events, and other catastrophic events could cause supply chain issues, population migration, or the weakening of economic conditions in certain regions. In addition, natural and other types of disasters, including as a result of climate change, could disrupt the Company's operations or the ability or willingness of the Company's clients to access the financial services offered by Truist, and could adversely impact Company borrowers' ability to timely repay their loans and the value of any collateral held. 
These events could reduce the Company's earnings and cause volatility in the Company's financial results for any fiscal quarter or year and have an adverse effect on the Company's business, financial condition and results of operations. Although Truist has business continuity plans and other safeguards in place, there can be no assurance that such business continuity plans will be effective.

**Current (2026):**

Negative public opinion, whether or not warranted, could damage the Company's brand in the market and relationships with stakeholders, and adversely impact our business, financial condition, results of operations, and prospects. Truist's earnings, capital, and stock price are subject to risks associated with negative public opinion. Negative public opinion could result from the Company's actual or alleged conduct or activities, including lending, sales, training, quality assurance, client complaint resolution, and other operating practices, incentive compensation design and governance, corporate governance, acquisitions, the disclosure, collection, use, sharing, storage, and other processing of client or teammate information, client expectations regarding any product or service provided by the Company, and the Company's ability to comply with applicable statutes or regulatory requirements or related to new or changed business activities. There can be no assurance that the Company's conduct and activities will meet regulatory or other stakeholders' standards or expectations. Negative public opinion could result based on allegations that are factually incorrect or arise from isolated incidents. In addition, the public perception that a cyber-attack on the Company's systems has been successful, whether or not this perception is correct, may damage the Company's reputation with clients and third parties with whom the Company does business. Any cybersecurity breaches, attacks, and other similar incidents, including the compromise of personal information, could significantly harm Truist's reputation, which could adversely affect the Company's financial condition and results of operations. Negative public opinion could also result from heightened and differing stakeholder expectations regarding environmental and social considerations that may affect Truist and clients of Truist. 
Standards and expectations relating to environmental and social matters are evolving and often inconsistent across regulators, investors, clients, and other stakeholders. Actions taken by the Company in these areas may be viewed favorably by some groups and criticized by others, creating tradeoffs that increase compliance, legal, and regulatory risk or cause reputational harm. The proliferation of social media and the speed at which information spreads on social media may increase the likelihood that negative public opinion from any real or perceived events relating to the Company could impact our reputation and business. Negative public opinion could adversely affect the Company's ability to attract and retain clients and teammates and can result in litigation and regulatory actions. Actual or alleged conduct by one of the Company's businesses can result in negative public opinion about the Company's other businesses. Actual or alleged conduct by another financial services company can result in negative public opinion about the financial services industry in general and, as a result, adversely affect Truist. Our efforts to identify, measure, and monitor brand and stakeholder risk and communicate, internally and externally, such risks to key stakeholders may be ineffective, untimely, or otherwise result in adverse effects on the Company. We could be harmed by an inability to attract, develop, retain, and motivate qualified teammates while effectively managing recruiting and compensation costs amid highly competitive and rapidly changing market conditions. 
The Company's success depends, to a large degree, upon the continued services of executive officers and other key teammates who have extensive experience and expertise in the industry, and the Company's ability to attract, develop, and retain high performing and well-qualified teammates, particularly those in critical, high-demand roles or possessing specialized skills. The Company faces significant competition in the recruitment of highly motivated teammates who can deliver Truist's purpose, mission, and values. Changes in Truist's expectations regarding workstyles and teammate preferences for work environments, including the desire of some teammates to work remotely for some or all of their hours, have been associated with and may continue to be associated with challenges in attracting and retaining teammates. The Company's business or its ability to execute its strategic initiatives may suffer due to the loss of key or highly-skilled teammates or a failure to successfully transition key roles; if the Company is unable to recruit, develop, or retain a sufficient number of qualified teammates; or if the costs of teammate compensation or benefits increase substantially. The U.S. banking agencies have jointly issued comprehensive guidance to support incentive compensation policies and practices that do not undermine the safety and soundness of banking organizations by encouraging teammates to take imprudent risks. This guidance significantly affects the amount, form, and other terms of incentive compensation that may be provided to teammates and could negatively affect Truist's ability to compete for talent relative to nonbanking companies or those with different applicable regulations. In addition, advances in technology, such as automation and AI, may lead us to modify our workforce strategy. 
This could require Truist to invest in additional teammate training, manage impacts on morale and retention, and compete for candidates who possess more advanced technological skills, all of which could have a negative impact on Truist's business and operations. The Company relies on its ability, and the ability of key external parties, to maintain appropriately staffed workforces and on the competence, trustworthiness, health, and safety of teammates. Truist's ability to operate its businesses efficiently and profitably, to offer products and services that meet the expectations of its clients, and to maintain an effective risk management framework is highly dependent on its ability to staff its operations appropriately and on the competence, integrity, health, and safety of its teammates. Truist is similarly dependent on the workforces of other parties which support its operations, including vendors and other service providers. Changes in law in jurisdictions in which our operations are located that affect teammates may also adversely affect our ability to hire, develop, and retain qualified teammates in those jurisdictions. In addition, the Company's business could be adversely impacted by a significant operational breakdown or failure, theft, fraud, or other unlawful conduct, or other negative outcomes caused by human error or misconduct by a teammate of Truist or a teammate of another party which supports Truist's operations. Truist's operations could also be impaired if the measures taken by it or by governmental authorities to support the health and safety of its teammates are ineffective, or if any external party which supports Truist fails to take appropriate and effective actions to protect the health and safety of its teammates. 
The Company is at risk of losses from fraud which could result in financial loss and reputational harm. Increased and evolving activity perpetrated by bad actors intending to defraud, misappropriate property, or circumvent the law using different channels, products, and means may outpace and outmaneuver the Truist control environment and monitoring activities impacting clients, teammates, and stakeholders. Fraud attacks in the banking sector have surged in recent years, driven by increasingly sophisticated and rapid techniques. Many bad actors, often linked to large criminal organizations, share strategies to execute schemes, such as debit and credit card fraud, peer-to-peer payment fraud, counterfeit checks, social engineering attacks (such as phishing and smishing), and ATM skimming, and recent advances in AI may make it easier to engage in such schemes and more difficult to detect fraud. Fraudulent schemes exploit products like real-time payments, ACH, and wire transfers to steal funds. Fraudsters impersonate legitimate clients using stolen identities, employ other individuals to interact with Truist, or create fraudulent identities. In some cases, fraud is even committed by existing clients. The increasing sophistication of AI technologies poses heightened risk of identity fraud as malicious actors may exploit AI to create convincing false identities or manipulate verification processes. 
A failure to detect, prevent, and address fraud has in the past and could in the future result in financial loss to the Company or its clients, loss of confidence in the Company's security measures, client dissatisfaction, litigation exposure, regulatory investigations, fines, penalties or intervention, reimbursement, or other compensatory costs (including the costs of credit monitoring services), additional compliance costs, and harm to the Company's reputation, all of which could adversely affect the Company. Physical, transition, and other risks associated with climate change, together with governmental responses to such risks, may negatively impact our business, financial condition, operations, reputation, and clients. Climate change presents physical risks from the direct impacts of changing climate patterns and acute weather events, such as damage to physical assets and service disruptions, and transition risks from changes in regulations, disruptive technologies, and shifting market dynamics towards a lower-carbon economy. The physical risks of climate change include discrete events, such as flooding, hurricanes, tornadoes, and wildfires, and longer-term shifts in climate patterns, such as extreme heat, sea level rise, and more frequent and prolonged drought. Physical risks may alter the Company's strategic direction in order to mitigate certain financial risks. Such events could also disrupt the Company's operations or those of its clients or third parties the Company relies on, not only through direct damage to assets, but also from indirect impacts due to supply chain disruption and market volatility. 
Physical risks ultimately could result in declines in asset values (which could be exacerbated by specific portfolio or geographic concentrations), reduced availability and therefore increased costs of insurance for our clients and third parties, interruptions of supply chains and business operations, and population migration or depressed economies and increased unemployment in affected regions, any or all of which could result in increased credit risk to Truist or have other negative impacts. Transition risks, including changes in consumer preferences, longer-term shifts in market dynamics, changes in or additional regulatory requirements or taxes, and additional counterparty or client requirements, could have an adverse impact on asset values and the financial performance of Truist's businesses, and those of its clients, and could be exacerbated in specific industries that may be more sensitive or vulnerable to a transition to a lower-carbon economy. Climate change could also present incremental risks to the execution of the Company's long-term strategy. While material impact from climate change is expected to occur over a longer time horizon, the acceleration of a transition to a lower-carbon economy could present idiosyncratic risks for individual companies. Additionally, transitioning to a lower-carbon economy will entail extensive policy, legal, technology, and market initiatives. Transition risks could result in the sudden devaluation of assets, increased costs for energy and operations, and therefore could have unforeseen and negative consequences on business models for us, our clients, and other third parties. Governments have been focused on the effects of climate change and environmental issues, and how they act to mitigate related risks could have an adverse effect on our business and financial results. 
This focus could ultimately result in legislation or regulations that could, among other things: directly or indirectly compel us to alter our businesses or operations in ways that would be detrimental to our results of operations and prospects; negatively impact our capital plans; or cause us to incur additional capital, compliance, and other costs. Additionally, the Company faces potential brand and stakeholder risks as a result of its practices related to climate change, including as a result of the Company's direct or indirect involvement, or lack of involvement, in certain industries, in particular those involved in fossil fuels, as well as any decisions management makes in response to managing climate risk, especially as views on climate-related matters become subject to increased polarization. Conflicting state-level regulation, including with respect to fair access laws, could increase Truist's compliance costs or risks of non-compliance. Further, there is increased scrutiny of climate change-related policies, goals, and disclosures, which could result in litigation and regulatory investigations and actions or reputational damage. Truist may incur additional costs and require additional resources as it evolves its strategy, practices, and related disclosures with respect to these matters. Natural disasters, pandemics, extreme weather events, and other catastrophic events could adversely affect our financial condition and results of operations. Natural disasters, pandemics, extreme weather events, and other catastrophic events, as well as government actions or other restrictions in connection with such events, could adversely affect the Company's financial condition and results of operations. 
The frequency and severity of natural disasters, pandemics, extreme weather events, and other catastrophic events could interrupt Truist's operations, damage facilities, impair technology and data availability, disrupt third parties and service providers, or limit client access to services. Such events may also strain critical dependencies, including power, telecommunications, transportation, and workforce ability, and reduce loan performance or collateral values. Truist has significant operations and clients along the Gulf and Atlantic coasts as well as other regions of the U.S., which could be adversely impacted by hurricanes, wildfires, flooding, tornadoes, and other severe weather. Rising insurance costs, as well as decreasing insurance provider options and insurance program coverage resulting from natural disasters, extreme weather events, and other catastrophic events could also lead to population migration, or the weakening of economic conditions in certain regions. These events could reduce the Company's earnings and cause volatility in the Company's financial results and have an adverse effect on the Company's business, financial condition, and results of operations. While Truist maintains an enterprise resilience program and other safeguards designed to mitigate the impact of natural disasters, pandemics, extreme weather events, and other catastrophic events, no resilience measures can fully eliminate risk or assure uninterrupted operations during such events.

---

## Modified: Additional Risks

**Key changes:**

- Reworded sentence: "•Negative public opinion, whether or not warranted, could damage the Company's brand in the market and relationships with stakeholders, and adversely impact our business, financial condition, results of operations, and prospects."

**Prior (2025):**

- Physical, transition, and other risks associated with climate change, together with governmental responses to them, may negatively impact our business, operations, reputation, and clients.
- The Company is at risk of increased losses from fraud.
- Natural disasters, pandemics, and other catastrophic events could adversely impact us.

**Current (2026):**

- Negative public opinion, whether or not warranted, could damage the Company's brand in the market and relationships with stakeholders, and adversely impact our business, financial condition, results of operations, and prospects.
- We could be harmed by an inability to attract, develop, retain, and motivate qualified teammates while effectively managing recruiting and compensation costs amid highly competitive and rapidly changing market conditions.
- The Company relies on its ability, and the ability of key external parties, to maintain appropriately staffed workforces and on the competence, trustworthiness, health, and safety of teammates.
- The Company is at risk of losses from fraud which could result in financial loss and reputational harm.
- Physical, transition, and other risks associated with climate change, together with governmental responses to such risks, may negatively impact our business, financial condition, operations, reputation, and clients.
- Natural disasters, pandemics, extreme weather events, and other catastrophic events could adversely affect our financial condition and results of operations.

---

## Modified: Operational Risks

**Key changes:**

- Reworded sentence: "Truist relies on third parties to support key components of the Company's business and operational infrastructure, and their failure to perform to our standards or our failure to appropriately assess and manage these relationships could adversely affect us."
- Reworded sentence: "Our use of third-party service providers exposes us to the risk that such third parties may not comply with their contractual obligations to us and to the risk that we may not satisfy applicable regulatory responsibilities regarding the management and oversight of third parties."
- Reworded sentence: "In addition, a failure to appropriately assess and manage our relationships with third parties, especially those supporting significant banking functions, shared services, or other critical activities, could adversely affect Truist by resulting in potential harm to clients and any liability associated with that harm; supervisory actions, regulatory fines, penalties, or other sanctions; lower revenues and the opportunity cost from lost revenues; increased operational costs; or harm to Truist's reputation."
- Reworded sentence: "Moreover, as the risks we face continue to evolve, despite our ongoing efforts to improve the design and implementation of our risk framework, those efforts may not be adequate or effective."

**Prior (2025):**

Truist relies extensively on third parties to provide key components of the Company's business infrastructure, and their failure to perform to our standards or our failure to appropriately assess and manage these relationships could adversely affect us. Third parties provide key components of the Company's business infrastructure and while we have implemented a supplier risk management program, we do not control third-party service providers, their actions, or their businesses. No assurance can be provided that third-party service providers will perform to our standards, adequately represent our brand, comply with applicable law, appropriately manage their own risks, including cybersecurity, remain financially or operationally viable, abide by their contractual obligations, or continue to provide us with the services that we require. Our use of third-party service providers exposes us to the risk that such third parties may not comply with their servicing and other contractual obligations and to the risk that we may not satisfy applicable regulatory responsibilities regarding the management and oversight of third parties. We may need to incur substantial expenses to address risks or issues with a service provider, and if such risks or issues cannot be acceptably resolved, we may not be able to timely or effectively replace the service provider due to contractual restrictions, the unavailability of acceptable alternative providers, or other reasons. In addition, a failure to appropriately assess and manage our relationships with third parties, especially those involving significant banking functions, shared services, or other critical activities, could adversely affect Truist by resulting in potential harm to clients, and any liability associated with that harm; supervisory actions, regulatory fines, penalties or other sanctions; lower revenues, and the opportunity cost from lost revenues; increased operational costs; or harm to Truist's reputation. 
The Company is not insured against all types of losses as a result of third-party-related failures, and the insurance coverage that does exist may be inadequate to protect the Company from all losses resulting from system failures or other disruptions. Failures in the Company's business infrastructure could interrupt its operations or increase the costs of doing business. The Company's risk management framework may fail to identify and manage the risks that we face. Truist has policies, processes, and procedures intended to identify, measure, monitor, report, and analyze the types of risk to which the Company is subject, including liquidity, credit, market, operational, technology, reputational, strategic, and compliance risk, among others. Notwithstanding such risk management framework, however, we cannot guarantee that we adequately or effectively identify and manage the risks in our business and operations currently, or that we will adequately or effectively identify and manage such risks in the future. For example, some of the Company's methods of identifying and managing risk are based upon the Company's use of observed historical market behavior and management's judgment. These methods may not accurately predict future exposures, which could be significantly greater than historical measures indicate. Moreover, as the risks that we face continue to evolve, despite our ongoing efforts to improve the design and implementation of our risk-management framework, those efforts may not be adequate or effective. If the Company's risk management framework fails to identify and manage the risks that we face, we could suffer unexpected losses and our financial condition and results of operations could be materially and adversely affected. 
In deciding whether to extend credit or enter into other transactions with clients and counterparties, Truist depends on the accuracy and completeness of information about clients and counterparties, and Truist could be negatively impacted if the information is not accurate or complete. In deciding whether to extend credit or enter into other transactions with clients and counterparties, Truist relies on the completeness and accuracy of representations made by and information furnished by or on behalf of clients and counterparties, including financial statements and other financial information. If the information provided is not accurate or complete, the Company's decisions about extending credit or entering into other transactions with clients or counterparties could be adversely affected, and the Company could suffer defaults, credit losses, or other negative consequences as a result. Truist can be negatively affected if it fails to identify and address operational risks associated with the introduction of or changes to products, services, and delivery platforms. When Truist launches a new product or service, introduces a new platform for the delivery or distribution of products or services (including mobile connectivity, electronic trading and cloud computing), acquires or invests in a business or makes changes to an existing product, service or delivery platform, it may not fully appreciate or identify new operational risks that may arise from those changes, or may fail to implement adequate controls to mitigate the risks associated with those changes. Any significant failure in this regard could diminish Truist's ability to operate one or more of its businesses or result in potential liability to clients and counterparties, and result in increased operating expenses. 
The Company could also experience higher litigation costs, including regulatory fines, penalties and other sanctions, reputational damage, impairment of Truist's liquidity, regulatory intervention, or weaker competitive standing. Any of the foregoing consequences could adversely affect Truist's businesses and results of operations.

**Current (2026):**

Truist relies on third parties to support key components of the Company's business and operational infrastructure, and their failure to perform to our standards or our failure to appropriately assess and manage these relationships could adversely affect us. Third parties support key components of the Company's business and operational infrastructure, including certain aspects of our technology functions, and while we have implemented a third-party risk management program designed to identify, assess, monitor, and mitigate third-party risks, we do not control our third-party service providers, their actions, or their businesses. No assurance can be provided that third-party service providers will perform to our standards, adequately represent our brand, comply with applicable law, appropriately manage their own risks, including cybersecurity, remain financially or operationally viable, abide by their contractual obligations, or continue to provide us with the services that we require. Our use of third-party service providers exposes us to the risk that such third parties may not comply with their contractual obligations to us and to the risk that we may not satisfy applicable regulatory responsibilities regarding the management and oversight of third parties. We may need to incur substantial expenses to address risks or issues with a service provider, and if such risks or issues cannot be acceptably resolved, we may not be able to timely or effectively replace the service provider due to contractual restrictions, the unavailability of acceptable alternative providers, or other reasons. 
In addition, a failure to appropriately assess and manage our relationships with third parties, especially those supporting significant banking functions, shared services, or other critical activities, could adversely affect Truist by resulting in potential harm to clients and any liability associated with that harm; supervisory actions, regulatory fines, penalties, or other sanctions; lower revenues and the opportunity cost from lost revenues; increased operational costs; or harm to Truist's reputation. The Company is not insured against all types of losses as a result of third-party-related failures, and the insurance coverage that does exist may be inadequate to protect the Company from all resulting losses, including business or operational interruptions or increased costs of doing business. The Company's risk and control framework may fail to identify, assess, monitor, and mitigate the risks we face and cause us to suffer unexpected losses that could adversely affect our business, financial condition, results of operations, prospects, and reputation. Truist has policies, processes, and procedures intended to identify, assess, monitor, and mitigate risks impacting the Company and to evaluate mitigating controls in place. Our risk and control framework, however, cannot guarantee that we will adequately or effectively identify, assess, monitor, and mitigate current business, operational, or other risks, or that we will adequately or effectively identify, assess, monitor, and mitigate such risks in the future. For example, some of the Company's methods of identifying, assessing, monitoring, and mitigating risk are based upon the Company's use of observed market behavior and management's judgment. 
These methods may not accurately predict future exposures, which could be significantly greater than historical measures indicate. Moreover, as the risks we face continue to evolve, despite our ongoing efforts to improve the design and implementation of our risk framework, those efforts may not be adequate or effective. If the Company's risk and control framework fails to enable us to identify, assess, monitor, and mitigate the risks we face, we could suffer unexpected losses and our business, financial condition, results of operations, prospects, and reputation could be materially and adversely affected. Truist can be negatively affected if it fails to identify and address operational and compliance risks associated with the introduction of or changes to products, services, and delivery platforms. When Truist launches a new product or service (including digital offerings), introduces a new platform for the delivery or distribution of products or services (including mobile connectivity, electronic trading, and cloud computing), acquires or invests in a business or makes changes to an existing product, service, or delivery platform, it may not fully appreciate or identify new operational and compliance risks that may arise from those changes or may fail to implement adequate controls to mitigate the risks associated with those changes. Any significant failure in this regard could diminish Truist's ability to operate one or more of its businesses or result in potential liability to clients and counterparties, increased operating expenses, or lost revenue. The Company could also experience higher compliance or litigation costs, including regulatory fines, penalties and other sanctions, reputational harm, impairment of its financial condition, regulatory scrutiny, or weaker competitive standing. Any of the foregoing consequences could adversely affect Truist's business and results of operations. 
Truist is subject to risks related to originating and selling loans, including repurchase and indemnification obligations, which may adversely affect our business, results of operations, and financial condition. When loans are sold or securitized, including to GSEs, it is customary to make representations and warranties to the purchaser about the loans - including their quality, the manner in which they were originated and underwritten, and compliance with applicable law - and to agree to repurchase the loans or indemnify the purchaser in the event of a breach of the representations or warranties or other provisions of the sale agreement. An increase in the number of repurchase and indemnity demands from purchasers on sold loans could result in an increase in the amount of losses for loan repurchases, which may adversely affect our business, results of operations, and financial condition. Truist also bears a risk of loss from borrower defaults for multi-family commercial mortgage loans sold to FNMA. The ability to manage these risks is expected to affect whether Truist sells and securitizes loans and receivables in the future. Other factors influencing such a decision may include the overall credit quality of its loans and receivables, the costs of selling or securitizing its loans and receivables, the demand for bulk sales and asset-backed securities, and the legal, regulatory, accounting, or tax rules affecting these transactions. In addition, proposals regarding reform to the U.S. housing finance market could impact our decisions regarding which loans should be sold or securitized in the future. Truist faces loan servicing risks that could adversely impact the Company's business, operations, liquidity, and results of operations. The Company acts as servicer for a range of assets, primarily loans in securitizations and unsecuritized loans owned by investors. 
As servicer for loans, the Company has certain contractual obligations to the securitization trusts, investors, or other third parties, including foreclosing on collateral that secure defaulted loans or, to the extent consistent with the applicable securitization or other investor agreement, considering alternatives to foreclosure such as loan modifications or short sales. Generally, the Company's servicing obligations are set by contract, for which the Company receives a contractual fee. However, GSEs can amend their servicing guidelines unilaterally for certain government guaranteed mortgages, which can increase the scope or costs of the services required without any corresponding increase in the Company's servicing fee. Federal and state laws that impose additional servicing requirements could increase the scope and cost of the Company's servicing obligations. As a servicer, the Company also advances expenses on behalf of securitization trusts and investors, which it may be unable to collect. Any increase in servicing obligations without a corresponding increase in servicing fees or required advances of expenses that are not reimbursed could reduce liquidity and increase operational strain. A material breach of the Company's obligations as servicer may result in contract termination if the breach is not cured within a specified period of time following notice, causing the Company to lose servicing income. In addition, the Company may be required to indemnify the securitization trust or other holder of the loan against losses from any failure by the Company to perform its servicing obligations or any act or omission on the Company's part that involves willful misfeasance, bad faith, or gross negligence. 
For certain securitization trusts or investors and certain transactions, Truist may be contractually obligated to repurchase a loan or reimburse the securitization trust or the investor for credit losses incurred on the loan as a remedy for servicing errors with respect to the loan. Such indemnification or repurchase obligations could require significant cash outflows, reduce liquidity, and increase earnings volatility. The Company may be subject to increased repurchase or indemnity obligations as a result of claims made that the Company did not satisfy its obligations as a servicer. The Company may also experience increased loss severity on repurchases, which may require a significant increase to the Company's repurchase reserve and negatively affect results of operations. While the number of such indemnification claims has been small, these could increase in the future.

---

## Modified: Technology and Data Risks

**Key changes:**

- Reworded sentence: "•The Company's applications, operating systems, and infrastructure, as well as operational capabilities managed or supplied by third parties on whom we rely, could fail or be interrupted, which could adversely impact the Company's business, operations, financial condition, prospects, and reputation and cause significant legal and financial exposure."

**Prior (2025):**

- The Company's operating systems and infrastructure, as well as operational capabilities managed or supplied by third parties on whom we rely, could fail or be interrupted, which could disrupt the Company's business and adversely impact the Company's operations, financial condition, prospects, and reputation, and cause significant legal and financial exposure.
- Truist is heavily reliant on technology, and a failure to effectively anticipate, develop, and implement new technology could negatively impact our financial results, business, operations, or security.
- The Company faces risks associated with the quality, availability, and retention of key data for operational, strategic, regulatory, and compliance purposes.
- The Company and its suppliers and service providers face a wide array of cybersecurity risks, which could result in the loss, alteration, or disclosure of confidential, proprietary, personal, and other sensitive information; adversely impact the Company's operations, financial condition, prospects, and reputation; and cause significant legal and financial exposure.

**Current (2026):**

- The Company's applications, operating systems, and infrastructure, as well as operational capabilities managed or supplied by third parties on whom we rely, could fail or be interrupted, which could adversely impact the Company's business, operations, financial condition, prospects, and reputation and cause significant legal and financial exposure.
- Truist is heavily reliant on technology, and a failure to effectively anticipate, develop, and implement new or enhanced technology could negatively impact our financial results, business, operations, security, or ability to compete effectively.
- The Company and its clients, suppliers, service providers, and other third parties face a wide array of cybersecurity risks, which could result in the loss, alteration, or disclosure of confidential, proprietary, personal, and other sensitive information; adversely impact the Company's business, operations, financial condition, results of operations, prospects, and reputation; and cause significant legal and financial exposure.
- The Company faces risks associated with the privacy, quality, availability, and retention of key data for operational, strategic, regulatory, and compliance purposes.
- Truist faces substantial risks in safeguarding personal and other sensitive information, which may negatively impact the Company's business, financial condition, results of operations, prospects, or reputation.
- The use of AI in our products and services, as well as our business and the industry more broadly, may negatively impact our business, operations, financial condition, results of operations, prospects, and reputation.

---

## Modified: Risk Factors

**Key changes:**

- Reworded sentence: "The following discussion sets forth material risk factors that could affect Truist's financial condition, results of operations, business, or prospects."

**Prior (2025):**

The following discussion sets forth some of the more important risk factors that could materially affect Truist's financial condition and operations. When a risk factor spans several risk categories, the risks have been listed by their primary risk category. The risks described are not all inclusive. Additional risks that are not presently known or risks deemed immaterial may have an adverse effect on Truist's financial condition, results of operations, business, and prospects.

**Current (2026):**

The following discussion sets forth material risk factors that could affect Truist's financial condition, results of operations, business, or prospects. When a risk factor spans more than one risk category, the risk factor has been listed by its primary risk category. Any of the risk factors discussed below, either by itself or together with other risk factors, could materially and adversely affect Truist's financial condition, results of operations, business, prospects, or reputation. These risk factors do not identify all risks that we face; additional risks that are not presently known to us or risks that we currently deem immaterial may have an adverse effect on Truist's financial condition, results of operations, business, prospects, or reputation.

---

## Modified: Compliance, Regulatory, and Legal Risks

**Key changes:**

- Reworded sentence: "•Truist is subject to extensive and evolving government regulation and supervision, which could adversely affect our business, financial condition, results of operations, and prospects."

**Prior (2025):**

- The Company may incur damages, fines, penalties, and other negative consequences from past, current, or future supervisory actions and regulatory or other legal violations, including inadvertent or unintentional violations.
- Pending or threatened legal proceedings and other matters may adversely affect the Company's business, financial condition, results of operations, and reputation.

**Current (2026):**

- Truist is subject to extensive and evolving government regulation and supervision, which could adversely affect our business, financial condition, results of operations, and prospects.
- The Company may incur damages, fines, and penalties and face other negative consequences from supervisory actions and regulatory or other legal violations, including inadvertent or unintentional violations.
- Pending or threatened legal proceedings and other matters may adversely affect the Company's business, financial condition, results of operations, prospects, and reputation.
- Regulatory capital and liquidity standards applicable to large banking organizations and future revisions to existing standards may negatively impact our business, financial results, financial condition, growth, profitability, or our ability to return capital to shareholders.
- Differences in, or changes to, regulation and supervision and industry disruption can affect the Company's ability to compete effectively, which may adversely affect our business, financial condition, financial results, or growth.
- Truist faces risks of non-compliance and may incur additional operational and compliance costs under laws relating to anti-money laundering, economic sanctions, embargo programs, anti-bribery, and anti-corruption.

---

## Modified: Operational Risks

**Key changes:**

- Reworded sentence: "•Truist relies on third parties to support key components of the Company's business and operational infrastructure, and their failure to perform to our standards or our failure to appropriately assess and manage these relationships could adversely affect us."

**Prior (2025):**

- Truist relies extensively on third parties to provide key components of the Company's business infrastructure, and their failure to perform to our standards or our failure to appropriately assess and manage these relationships could adversely affect us.
- The Company's risk management framework may fail to identify and manage the risks that we face.
- In deciding whether to extend credit or enter into other transactions with clients and counterparties, Truist depends on the accuracy and completeness of information about clients and counterparties, and Truist could be negatively impacted if the information is not accurate or complete.
- Truist can be negatively affected if it fails to identify and address operational risks associated with the introduction of or changes to products, services, and delivery platforms.

**Current (2026):**

- Truist relies on third parties to support key components of the Company's business and operational infrastructure, and their failure to perform to our standards or our failure to appropriately assess and manage these relationships could adversely affect us.
- The Company's risk and control framework may fail to identify, assess, monitor, and mitigate the risks we face and cause us to suffer unexpected losses that could adversely affect our business, financial condition, results of operations, prospects, and reputation.
- Truist can be negatively affected if it fails to identify and address operational and compliance risks associated with the introduction of or changes to products, services, and delivery platforms.
- Truist is subject to risks related to originating and selling loans, including repurchase and indemnification obligations, which may adversely affect our business, results of operations, and financial condition.
- Truist faces loan servicing risks that could adversely impact the Company's business, operations, liquidity, and results of operations.

---

*Data sourced from SEC EDGAR. Last updated 2026-05-05.*