STI 2018 Annual Report

which may increase costs and reduce profitability and may adversely impact our ability to implement our business strategies.

Our success depends upon the ability to attract and retain highly motivated, well-qualified personnel. We face significant competition in the recruitment of qualified employees. Our ability to execute our business strategy and provide high quality service may suffer if we are unable to recruit or retain a sufficient number of qualified employees or if the costs of employee compensation or benefits increase substantially. Further, in June 2010, the Federal Reserve and other federal banking regulators jointly issued comprehensive final guidance designed to ensure that incentive compensation policies do not undermine the safety and soundness of banking organizations by encouraging employees to take imprudent risks. This regulation significantly affects the amount, form, and context in which we pay incentive compensation. Additionally, the FRB, the FDIC, the SEC, and other federal regulatory agencies have jointly proposed rules which affect incentive compensation. These rules, if finalized, may adversely affect us by imposing costs and restrictions on the form of our incentive compensation which are not imposed on our non-bank competitors.

Other Risks

Our framework for managing risks may not be effective in mitigating risk and loss to us.

Our risk management framework seeks to mitigate risk and loss to us. We have established policies, processes, and procedures intended to identify, measure, monitor, report and analyze the types of risk to which we are subject, including liquidity, credit, market, operational, technology, reputational, legal, model, and compliance risk, among others. However, as with any risk management framework, there are inherent limitations to our risk management strategies as risks may exist, or develop in the future, that we have not appropriately anticipated or identified.
The most recent financial crisis and resulting regulatory reform highlighted both the importance and some of the limitations of managing unanticipated risks. If our risk management framework proves ineffective, we could suffer unexpected losses and could be materially adversely affected.

Our controls and procedures may not prevent or detect all errors or acts of fraud.

Our controls and procedures are designed to provide reasonable assurance that information required to be disclosed by us in reports we file or submit under the Exchange Act is accurately accumulated and communicated to management, and recorded, processed, summarized, and reported within the time periods specified in the SEC's rules and forms. We believe that any disclosure controls and procedures or internal controls and procedures, no matter how well conceived and operated, can provide only reasonable, not absolute, assurance that the objectives of the control system are met, due to certain inherent limitations. These limitations include the realities that judgments in decision making can be faulty, that alternative reasoned judgments can be drawn, and that breakdowns can occur because of an error or mistake. Additionally, controls can be circumvented by the individual acts of some persons, whether within or outside of our Company, by collusion of two or more such people or by an unauthorized override of the controls. Accordingly, because of the inherent limitations in our control system, misstatements due to error or fraud may occur and not be detected, which could result in a material weakness in our internal controls over financial reporting and/or the restatement of previously filed financial statements.

We are at risk of increased losses from fraud.

Criminals committing fraud increasingly are using more sophisticated techniques, and in some cases, are a part of larger criminal rings, which allow them to be more effective.
Fraudulent activity has taken many forms and escalates as more tools for accessing financial services emerge, such as real-time payments. Fraud schemes, including occurrences of employee fraud, information theft, or other malfeasance, are broad and continuously evolving and include such things as debit card/credit card fraud, check fraud, mechanical devices attached to ATM machines, social engineering and phishing attacks to obtain personal information, or impersonation of our clients through the use of falsified or stolen credentials. For instance, in our Quarterly Report on Form 10-Q for the period ended March 31, 2018, we announced an investigation of a potential theft by a former employee of information from some of our contact lists. We proactively notified approximately 1.5 million clients that certain information, such as name, address, phone number, and certain account balances may have been exposed. The contact lists did not include personally identifying information, such as social security number, account number, PIN, user ID, password, or driver’s license information. We heightened our monitoring of accounts and increased other related security measures to help prevent similar occurrences. Additionally, individuals or business entities may properly identify themselves, yet seek to establish a business relationship for the purpose of perpetrating fraud. An emerging type of fraud even involves the creation of synthetic identification in which bad actors “create” individuals for the purpose of perpetrating fraud. Further, in addition to fraud committed against us, we may suffer losses as a result of fraudulent activity committed against third parties.
Increased deployment of technologies, such as chip card technology, defray and reduce aspects of fraud; however, criminals are turning to other sources to steal personally identifiable information, such as unaffiliated healthcare providers and government entities, in order to impersonate the consumer to commit fraud. Many of these data compromises have been widely reported in the media. Further, as a result of the increased sophistication of fraud activity, we have increased our spending on systems, resources, and controls to detect and prevent fraud, as well as increased spending to provide certain credit monitoring and identity theft protection services to our Consumer clients. This will result in continued ongoing investments in the future.
