321 added · 300 removed between the two most recent 10-Ks. The risks a company starts — or stops — disclosing are often the story.
Newly disclosed
DOJ has withdrawn its 1995 Bank Merger Guidelines, which focused primarily on concentrations of deposits and branches, and clarified that it will assess competition considerations in connection with bank and BHC mergers using its 2023 Merger Guidelines and 2024 Banking Addendum.
The 2023 Merger Guidelines are a general merger review framework used to evaluate transactions in all segments of the economy, and the 2024 Banking Addendum allows for consideration of theories of harm and relevant markets not considered in the 1995 Bank Merger Guidelines.
The CISA proposed a rule under the CIRCIA in April 2024 that would clarify the scope of cyber incidents to be reported and would further define covered entities subject to the CIRCIA to include banking organizations like Truist.
For example, under the BHCA, a BHC may not directly or indirectly acquire ownership or control of more than 5% of the voting shares or substantially all of the assets of any BHC or bank or merge or consolidate with another BHC without the prior approval of the FRB.
If certain conditions are met, FHCs may acquire shares of nonbank companies, with any acquisition of a nonbank company or voting shares of a nonbank company with total consolidated assets of $10 billion or more subject to the prior approval of the FRB.
The FRB’s market share limitations impose conditions that the acquiring BHC, after and as a result of the acquisition, control no more than 10% of the total amount of deposits of IDIs in the U.S. and no more than 30%, subject to variation by state law, of such deposits in applicable states.
Truist and certain of its subsidiaries are subject to federal and state laws governing derivatives transactions, securities underwriting, market making, brokerage, and investment advisory activities and are regulated and supervised by the SEC, the CFTC, FINRA, the MSRB, and the NFA.
After a bank has established branches in a state through an interstate merger transaction, the bank may establish and acquire additional branches at any location in the state where a bank headquartered in that state could have established or acquired branches under applicable federal or state law.
The NCCOB also has the authority to take possession of a North Carolina state bank in certain circumstances, including when it appears that the bank has violated its charter or applicable law, is conducting its business in an unauthorized or unsafe manner, is in an unsafe or unsound condition to transact its business, or has an impairment of its capital stock.
CFPB regulations and supervisory actions may impact Truist or Truist Bank, including by reducing the fees that Truist and Truist Bank receive, altering the way products and services are provided, or increasing the risk of private litigation or regulatory enforcement action.
Truist Financial Corporation 13 In addition, once implementing regulations are finalized, the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) will require, among other things, covered entities to report significant cyber incidents, including ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours from the time the covered entity reasonably believes the incident occurred (and within 24 hours of making a ransom payment as a result of a ransomware attack).
These statutes and regulations, as well as proposed legislation and regulation regarding privacy, data protection, and cybersecurity, are subject to revision or formal guidance and may be interpreted or applied in a manner inconsistent with the Company’s understanding, which may result in further uncertainty and require Truist to incur additional costs to comply.
No longer disclosed
For example, in 2023 we settled a lawsuit brought by another financial institution alleging that our mobile remote deposit capture systems infringed patents owned by the other financial institution.
For example, in 2024, maintaining and growing deposits continued to be challenging with the FRB continuing to reduce the size of its balance sheet through quantitative tightening and sustained increased interest rates giving clients an incentive to move deposits to money market funds and other higher-yielding alternatives.
Truist is also subject to heightened requirements under the enhanced prudential standards and increased supervisory scrutiny, including, for example, single counterparty credit limits, heightened expectations with respect to governance, risk management and internal controls, and additional capital and liquidity requirements.
Such an event could damage the performance and value of our business, prompt regulatory intervention and private litigation, harm our reputation, and cause a loss of client and investor confidence, and if the condition were to persist for any appreciable period of time, our viability as a going concern could be threatened.
Credit ratings may also be influenced by other factors, some of which are outside the Company’s control, such as recent and anticipated economic trends, geopolitical risk, legislative and regulatory developments, including implied levels of government support during a crisis, environmental, social, and governance considerations, and litigation, as well as changes to the rating agencies’ methodologies.
Any third-party technology failure, other information or security breach, termination, or constraint could, among other things, adversely affect the Company’s ability to conduct transactions, service the Company’s clients, manage the Company’s exposure to risk, or expand the Company’s business.
In addition, cybersecurity risks have significantly increased in recent years in part due to the increased sophistication and activities of organized crime affiliates, terrorist organizations, hostile foreign governments, state-sponsored actors, disgruntled teammates or vendors, hackers, activists, and other external parties, including those involved in corporate espionage, any of which may see their effectiveness enhanced by the use of AI, including the use of generative AI to conduct more sophisticated social engineering attacks on the Company or its clients.
A successful penetration or circumvention of system or network security could cause serious negative consequences, including loss of clients and business opportunities; costs associated with maintaining business relationships after a cyberattack or security breach; significant disruption to the Company’s operations and business; misappropriation, exposure or destruction of the Company’s confidential, proprietary, and other sensitive information, including personal information, and funds and those of the Company’s clients; damage to the Company’s or the Company’s clients’ or third parties’ computers, systems, or networks; and a violation of applicable laws and regulations, including those related to data privacy, data protection, and cybersecurity.
This could result in litigation exposure, regulatory fines, penalties, loss of confidence in the Company’s security measures, reputational damage, reimbursement or other compensatory costs, and additional compliance costs, which could adversely impact the Company’s results of operations, liquidity, and financial condition.
Any of these, in turn, can cause a significant increase in the complexity and costs of our operations and expose us to enforcement and other supervisory actions, related litigation by private plaintiffs, reputational damage, and a loss of client or investor confidence.
Other External Risks: Physical, transition, and other risks associated with climate change, together with governmental responses to them, may negatively impact our business, operations, reputation, and clients.
Many bad actors, often linked to large criminal organizations, share strategies to execute schemes, such as debit and credit card fraud, peer-to-peer payment fraud, counterfeit checks, social engineering, ATM skimming, and phishing, and recent advances in artificial intelligence may make it more difficult to detect fraud.
A failure to detect, prevent, and address fraud could result in financial loss to the Company or its clients, loss of confidence in the Company’s security measures, client dissatisfaction, litigation exposure, regulatory investigations, fines, penalties or intervention, reimbursement, or other compensatory costs (including the costs of credit monitoring services), additional compliance costs, and harm to the Company’s reputation, all of which could adversely affect the Company.