Synovus has a robust corporate compliance program to ensure sales practices are conducted in an ethical manner and products and services are accurately communicated and marketed to clients. We adhere to all relevant legal and regulatory policies for our jurisdictions and collect feedback from clients to improve their experience and understanding of our services. Any issues are escalated and ultimately reported to senior management through a formal customer complaints process.
We have undertaken efforts to ensure that our incentive compensation plans do not encourage inappropriate risks, consistent with three key principles: that incentive compensation arrangements should appropriately balance risk and financial rewards, be compatible with effective controls and risk management, and be supported by strong corporate governance.
We monitor customer feedback closely and make changes accordingly to ensure we are continuously improving our processes and customer experience. With increased inquiries in 2020, we revamped our mortgage service standards and developed additional tools to guide our staff. Our leadership team reviews a complaints dashboard and escalated issues monthly to ensure compliance.
We are committed to complying with all regulations and laws protecting the rights of consumers related to transparency in disclosures and fair lending practices and to providing affordable and accessible banking products and services.
Data Security and Customer Privacy
Information security is a significant operational risk for financial institutions which may lead to financial losses and negatively affect the reputation of and confidence in our business. We continue to enhance our information security program and capabilities to identify and mitigate threats to the confidentiality, availability, and integrity of our information systems. Our page on Safety and Security outlines specific ways we protect customer data and information, tips for customers and small businesses, and how to report data or privacy issues.
Our Board is actively engaged in the oversight of Synovus’ information security risk management and cybersecurity programs. The Risk Committee receives regular updates from the company’s chief information security officer on our information security and cyber risk strategy, cyber defense initiatives, cyber event preparedness, and cybersecurity risk assessments. The Risk Committee annually approves the information security program. In addition to an annual report on these issues with the full Board, the Board regularly consults with outside cybersecurity experts.
We keep computer forensics, legal, and security firms on retainer in case of a cyber breach event. We engage independent third parties to perform annual penetration tests against our network. We also conduct incident response exercises at least once per quarter.
Training and Awareness
We provide regular education and training to our Board and team members on cybersecurity and social engineering to mitigate risk, and we conduct exercises to test the effectiveness of that training. Internally, we have a Security Response Team drawn from cross-functional areas such as IT, legal, communications and risk compliance. Our internal platform also houses a portal with videos, phishing exercises, quizzes, and podcasts to engage team members on this topic. Our education program for team members includes required annual training, quarterly training on critical topics and bimonthly security awareness communications. We conduct monthly exercises throughout the year to test the program's effectiveness.
Certifications and Audits
We follow widely accepted cybersecurity policies and best practices to define and measure our security program. We are externally audited annually and certified on information security standards, including System and Organizational Controls (SOC) and Payment Card Industry Data Security Standard (PCI DSS). Our program is reviewed periodically against the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool and the National Institute of Standards and Technology Cybersecurity Framework to measure our cybersecurity preparedness, evaluate whether cybersecurity preparedness is aligned with risks, determine risk management practices and controls that are needed or need enhancement and to inform our risk management strategies.
We employ a risk management framework to identify, assess, monitor, and test cyber risk and controls. This formal process of risk assessment, treatment, acceptance, communication, consultation, monitoring and review is designed following the ISO 27005 Standard. We also perform comprehensive due diligence and ongoing oversight of third-party relationships, including vendors.
We are members of financial sector organizations, including the Financial Services Information Sharing and Analysis Center (FS-ISAC), that share cyber and physical threat, vulnerability, and incident information for the good of the membership. Our information security program employs various technologies intended to secure our operations and proprietary information. This defense-in-depth strategy is designed to protect our networks, systems, data, and facilities from attacks or unauthorized access. We have a dedicated Cybersecurity Fusion Center for monitoring and responding to cyber events.
We make ongoing investments in developing and enhancing our security processes and controls and maintaining our technology infrastructure, including a Business Continuity and Disaster Recovery program, which is tested on a regular basis. We also maintain a risk management insurance policy related to our cybersecurity and information security risks, intended to defray the costs of any related loss.
Our privacy statements disclose how we collect, share, and use customer information. We participate in annual risk and compliance audits to ensure our practices are consistent with our policies. We have a robust customer complaint process and use it to guide process improvements related to customer information security. Customers also provide feedback on their interactions with the bank. We have a wide array of resources to point customers to for questions regarding the information we collect, why we collect it, and what we do with the information we collect from or about them through various digital platforms, including our mobile app.
Synovus Bank utilizes credit bureau data in underwriting activities. Use of this data is regulated under the Fair Credit Reporting Act and Regulation V on a uniform, nationwide basis, including credit reporting, prescreening, and sharing of information between affiliates and the use of credit data. The Fair and Accurate Credit Transactions Act, which amended the Fair Credit Reporting Act, permits states to enact identity theft laws that are not inconsistent with the conduct required by the provisions of that Act. We are also required to have an information security program to safeguard the confidentiality and security of customer information and to ensure proper disposal. Customers must be notified when unauthorized disclosure involves sensitive customer information that may be misused.
Supply Chain Management
As detailed in our Code of Business Conduct and Ethics for Suppliers, our values of corporate citizenship and sustainability extend to our partners and vendors. We expect our suppliers and partners to comply fully with all applicable laws and regulations in the conduct of their business, especially concerning human rights, ethics, health and safety and the environment.
Supplier Diversity Program
We also have a Supplier Diversity Program for qualified minorities, women, veteran and service-disabled-owned businesses in our sourcing supply chain that promotes innovation, creates economic impact and is reflective of our local communities, while maintaining a high standard of quality in the products and services we provide. Historically under-represented businesses, along with their owners and team members, represent an important portion of our regional demographics and customer base.
A strong and diverse supplier base is reflective of our hallmark values of leadership, relationships, and excellence in service. During 2021, we continued to advance our diversity program by implementing diversity requirements within our vendor search process and engaging internal business units on core tenets of increasing diversity within third-party partnerships. We hold several membership affiliations with regional organizations to ensure access to a wider pool of diverse suppliers. These include the National Minority Supplier Development Council, the Women’s Business Enterprise Council and Financial Services Roundtable for Supplier Diversity.