BLUE RIDGE BANKSHARES, INC. (BRBS) Business

ITEM 1: BUSINESS

General

Blue Ridge Bankshares, Inc. (the “Company”) is a bank holding company headquartered in Richmond, Virginia. The Company provides commercial and consumer banking and financial services through its wholly-owned bank subsidiary, Blue Ridge Bank, National Association (the “Bank”), and its wealth and trust management subsidiary, BRB Financial Group, Inc. (the “Financial Group”). The Company was incorporated under the laws of the Commonwealth of Virginia in July 1988.

The Bank is a federally chartered national bank with its main office in Martinsville, Virginia that traces its roots to Page Valley Bank of Virginia, which opened for business in 1893. At December 31, 2025, the Bank operated twenty-seven full-service banking offices across its footprint, which stretches from the Shenandoah Valley across the Piedmont region through Richmond and into the coastal peninsulas and the Hampton Roads region of Virginia and into central North Carolina.

The Bank serves businesses, professionals, consumers, nonprofits, and municipalities with a wide variety of financial services, including retail and commercial banking. Banking products include checking accounts, savings accounts, money market accounts, cash management accounts, certificates of deposit, individual retirement accounts, commercial and industrial loans, residential mortgages, commercial mortgages, home equity loans, consumer installment loans, credit cards, online banking, telephone banking, and mobile banking. Deposits of the Bank are insured by the Deposit Insurance Fund (the “DIF”) of the Federal Deposit Insurance Corporation (the “FDIC”) to the full extent of the limits of the DIF.

The Company, through the Financial Group, offers investment and wealth management and management services for personal and corporate trusts, including estate planning, estate settlement, trust administration, and life insurance products. The Company, through its minority investment in Hammond Insurance Agency, Incorporated, offers property and casualty insurance to individuals and businesses.

The Company's primary source of revenue is interest income from its lending activities. The Company's other sources of revenue are interest and dividend income from investments, interest income from its interest-earning deposit balances in other depository institutions, transactions and fee income from its lending and deposit activities, and income associated with wealth and trust management services. The Company's major expenses are interest on deposits and general and administrative expenses, such as employee salaries and benefits, FDIC assessments, data processing expenses, technology costs, and professional services expenses.

The Company historically had partnerships with financial technology ("fintech") providers, through which it provided indirect depository services (referred to as banking-as-a-service or "BaaS") to both consumers and businesses. Fintech companies provided technologies to enable the delivery of digital bank services and were a source of interest and fee income, and deposits. During 2024, the Company, through an orderly wind down, exited its BaaS depository operations; therefore, as of December 31, 2025, the Company had no active end-users attained through fintech channels. The Company provides indirect lending services through fintech partnerships. In these arrangements, the fintech partner sources the loans, which the Bank then originates. The loans are then purchased by the fintech partner or other third-party generally up to three days from origination. As of December 31, 2025, the Company offered indirect fintech lending services conducted through Upgrade, Inc. As of December 31, 2024, the Company offered indirect fintech lending services conducted through Upgrade, Inc., Best Egg, Inc., Kashable, LLC, and Grow Credit, Inc. The Company has been terminating its indirect fintech lending relationships and expects to be completely exited in 2026.

As of December 31, 2025, the Company had total assets of approximately $2.43 billion, total gross loans of approximately $1.87 billion, total deposits of approximately $1.91 billion, and stockholders’ equity of approximately $323.7 million.

Regulatory Matters

During much of 2025, the Bank was subject to a Consent Order (the "Consent Order") issued on January 24, 2024 by its primary regulator, the Office of the Comptroller of the Currency (the "OCC"). The Consent Order primarily concerned the Bank’s fintech operations and required the Bank to continue enhancing its controls for assessing and managing risks stemming from its fintech partnerships and added time frames for meeting certain of the directives, required the Bank to submit a strategic plan and a capital plan, and required the Bank to maintain a leverage ratio of 10.0% and a total capital ratio

1

of 13.0%, referred to as minimum capital ratios. On November 13, 2025, the OCC issued an order terminating the Consent Order effective the same date.

Complete copies of the Consent Order and the Order Terminating the Consent Order issued by the OCC are included as Exhibits 10.9 and 99.1, respectively, to this Annual Report on Form 10-K.

Special Cash Dividend

On October 27, 2025, the Company announced a special cash dividend of $0.25 per share of the Company's common stock totaling approximately $29.1 million. Of this amount, $22.6 million was paid on November 21, 2025, to shareholders of record as of the close of business on November 7, 2025. The remaining $6.5 million was established as a liability and will be paid if and when warrants to purchase common stock are exercised and if and when performance-based restricted stock awards ("PSAs") vest (collectively, the "Special Cash Dividend").

Share Repurchase Program

On August 25, 2025, the Company announced the adoption of a share repurchase program (the “Repurchase Program”) pursuant to which the Company may purchase up to $15.0 million of the Company’s common stock.

Repurchases may be made in open market purchases, block trades, or privately negotiated transactions, including upon the exercise of outstanding warrants to purchase common stock. The Company cannot predict when or if it will repurchase additional shares of common stock as the Repurchase Program will depend on a number of factors, including constraints specified in any Securities and Exchange Commission Rule 10b5-1 trading plans, price, and general business and market conditions.

For the year ended December 31, 2025, the Company repurchased 802,735 shares of its common stock at a weighted average price of $4.17 per share totaling $3.4 million. Additionally, the Company repurchased outstanding warrants to purchase 3,229,000 shares of its common stock at a weighted average price of $1.90 per warrant totaling $6.1 million. For additional information regarding the Repurchase Program, see Part II, Item 5 of this Form 10-K.

Sale of Mortgage Division

On March 27, 2025, the Company completed the sale of its mortgage division operating as Monarch Mortgage. The sale, which included the transfer of certain assets and leases to an unrelated mortgage company, resulted in a $0.2 million loss.

Private Placements

In the second quarter of 2024, the Company closed private placements in which it issued and sold shares of its common and preferred stock for gross proceeds of $161.6 million (collectively, the "Private Placements"). In June 2024, the Company’s shareholders approved an amendment to the Company's articles of incorporation authorizing the issuance of additional shares of common stock, thus enabling the conversion of the preferred shares issued in the Private Placements into shares of the Company’s common stock. The conversion occurred on June 28, 2024 and November 7, 2024. Capital proceeds received, net of issuance costs, from the Private Placements totaled $152.1 million. The Private Placements also included the issuance of warrants to purchase common stock at $2.50 per share. For additional information see Part II, Item 8, Note 1 - Organization and Basis of Presentation of this Form 10-K.

Other Matters

As a bank holding company incorporated under the laws of the Commonwealth of Virginia, the Company is subject to regulation by the Board of Governors of the Federal Reserve System (the “Federal Reserve”) and the Bureau of Financial Institutions of the Virginia State Corporation Commission (the “Virginia SCC”). The Bank’s primary federal regulator is the OCC.

The Company qualifies as a "smaller reporting company" ("SRC") as defined in federal securities laws, and will remain a SRC until the fiscal year following the determination that the market value of its common stock held by non-affiliates is more than $250 million measured on the last business day of its second fiscal quarter, or its annual revenues are less than $100 million during the most recently completed fiscal year and the market value of its common stock held by non-affiliates is more than $700 million measured on the last business day of its second fiscal quarter. SRCs have reduced disclosure obligations, such as the ability to provide simplified executive compensation information and only two years of audited financial statements.

2

The principal executive offices of the Company are located at 1801 Bayberry Court, Suite 101, Richmond, Virginia 23226, and its telephone number is (888) 331-6521.

The Company files annual, quarterly and current reports, proxy statements and other information with the Securities and Exchange Commission (“SEC”). The Company’s SEC filings are filed electronically and are available to the public over the Internet at the SEC’s website at http://www.sec.gov. The Company’s website can be accessed at https://www.blueridgebankshares.com. The Company makes its SEC filings available free of charge through this website under “Investor Relations,” “Financial Documents,” “Documents” as soon as practicable after filing or furnishing the material to the SEC. Copies of documents can also be obtained free of charge by writing to the Company’s Corporate Secretary at P.O. Box 609, 17 West Main Street, Luray, Virginia 22835, or by calling (540) 743-6521. Information on the Company’s website does not constitute part of, and is not incorporated into, this report or any other filing the Company makes with the SEC.

Market Area

The Bank currently has branches in Callao, Charlottesville, Chester, Colonial Heights, Culpeper, Fredericksburg, Gordonsville, Harrisonburg, Hartfield, Henrico, Kilmarnock, Louisa, Luray, Martinsville, Midlothian, Mineral, Montross, Orange, Petersburg, Richmond, Shenandoah, Suffolk, Virginia Beach, Warsaw, and White Stone, Virginia, and in Greensboro, North Carolina. Additionally, the Company has offices located in Winchester and Norfolk, Virginia, to support its commercial lending operations. Interstates 40, 64, 66, 73, 74, 81, 85, and 95 and ancillary major highways pass through the Bank’s market area and provide efficient access to other regions of Virginia, North Carolina, and beyond. The Company’s primary market area stretches from the Shenandoah Valley across the Piedmont region through Richmond and into the coastal peninsulas and the Hampton Roads region of Virginia and into central North Carolina.

Products and Services

Mortgage Loans on Real Estate. The Company’s mortgage loans on real estate comprise the largest segment of its loan portfolio. Mortgage loans on real estate include those on primary residential properties, multi-family investment properties, home equity loans, commercial properties, and owner-occupied commercial properties.

Construction Loans. The Company also makes loans on properties under construction to qualified individuals and builders. These loans are for the construction period and funds are disbursed as construction progresses and verified by the Company. Loans are for varying terms and may be at fixed or adjustable interest rates.

Commercial Real Estate Loans. Loans in this category include loans on real estate used for commercial purposes. Loans in this segment are underwritten in accordance with loan policy, which has guidelines to mitigate declines in real estate values, changes in the underlying cash flows from the properties, and general economic conditions.

Commercial and Industrial Loans. Loans in this category include business loans, asset-based loans, and other secured and unsecured loans and lines of credit. Commercial and industrial loans may entail greater risk than mortgage loans on real estate, and are underwritten in accordance with loan policy, which sets risk management standards. Among the criteria for determining the borrower’s ability to repay is a cash flow analysis of the business and valuation of the business collateral.

Small Business Administration Loans. Loans in this category provide the Bank's customers access to capital and provide more flexible terms as compared to conventional commercial loans. Loans in this category are underwritten pursuant to U.S. Small Business Administration ("SBA") guidelines and afford the Company guarantees under these programs. The guaranteed portion of SBA loans may be sold, in whole or in part, to secondary market buyers.

Consumer Loans. Consumer lending services include automobile lending, home equity lines of credit, credit cards, and other unsecured personal loans. These consumer loans historically entail greater risk than loans secured by real estate.

Consumer Deposit Services. Consumer deposit products offered by the Company include checking accounts, savings accounts, money market accounts, certificates of deposit, online banking, mobile banking, and electronic statements.

Commercial Banking Services. The Company offers a variety of commercial banking services, including deposit accounts, treasury management solutions, wire services, online banking, fraud prevention services, procurement cards, and a wide range of commercial lending options. The Company can also offer property and casualty insurance through its minority interest in Hammond Insurance Agency, Inc.

Wealth and Trust Services. The Company, through the Financial Group, offers investment and wealth management services and management services for personal and corporate trusts, including estate planning, estate settlement, trust administration, and life insurance products.

3

Competition

The financial services industry is highly competitive. The Company competes for loans, deposits, and other financial services directly with other bank and nonbank institutions, including credit unions, located within its markets, internet-based banks, out-of-market banks, and fintech companies that advertise in or otherwise serve its markets, along with money market and mutual funds, brokerage houses, mortgage companies, and insurance companies or other commercial entities that offer financial services products. Competition involves efforts to retain current customers and to obtain new loans and deposits, and differentiators include the scope and type of services offered, interest rates paid on deposits and charged on loans, and the customer service experience. The financial services industry continues to undergo rapid technological change with introductions of new technologies and services, including new ways that customers can make payments or manage their accounts, including through use of stablecoins and other forms of cryptocurrency, tokens, and other digital assets or alternative payment systems. Many of the Company’s competitors enjoy competitive advantages, including greater financial resources, a wider geographic presence, more accessible branch office locations, greater technology, the ability to offer additional services, lower regulatory compliance burden, more favorable pricing alternatives, and lower origination and operating costs. The Company believes that its competitive pricing, personalized service, and community involvement enable it to effectively compete in the communities in which it operates.

Governance and Human Capital

The Company operates under a governance structure that starts with an independent chairman of the board of directors who is independent from management. The Company believes effective oversight by the board of directors is an essential element of a financially sound and well-managed company. The board of directors establishes the Company’s risk philosophy, ensures that it has an appropriate risk-management framework, including a sound independent audit function, determines the overall business strategy, and monitors implementation of strategy. Employees operate under policies approved by the Company’s board of directors. Additionally, the Company upholds the highest workplace conduct standards and provides annual training on topics including, but not limited to, harassment prevention, workplace safety, data confidentiality, sound banking practices, and maintaining ethical practices.

As further discussed in the following Supervision and Regulation section, the Bank is subject to the Community Reinvestment Act (the "CRA"), under which the appropriate federal banking agency periodically assesses the Bank’s record in meeting the credit needs of the communities it serves, including low and moderate income neighborhoods. The Bank has a designated CRA Officer who monitors the Bank’s compliance under the CRA.

Management believes in giving back to the communities in which the Company serves. In 2025, the Company committed approximately $265 thousand of financial donations to community and not-for-profit organizations, including first responders, colleges and universities, youth athletics, and the arts. In addition, during 2025 the Company's employees donated over 550 hours volunteering in their communities, business associations, and helping the underserved.

Management believes that its employees are the cornerstone of the Company’s success. Their dedication, talent, and commitment are what drive the Company’s achievements. Management believes that the Company's compensation programs offer competitive salaries and performance-based bonuses, and a comprehensive benefits package including paid time off, health, dental, and vision coverage, disability insurance, paid parental leave, and a 401(k) retirement plan. The Company goes beyond compensation by investing in its employees' growth and development through professional development programs, ongoing training, and tuition reimbursement. The Company’s commitment extends to creating a fair and respectful work environment where everyone can thrive and contribute to the Company’s shared success.

The Company had 292 full-time and 10 part-time employees as of December 31, 2025.

Supervision and Regulation

The Company and the Bank are extensively regulated under federal and state laws. The following information describes certain aspects of that regulation applicable to the Company and the Bank and does not purport to be complete. Proposals to change the laws, regulations, and policies governing the banking industry are frequently raised in the U.S. Congress, in state legislatures, and before the various bank regulatory agencies. The likelihood and timing of any changes and the impact such changes might have on the Company and the Bank are impossible to determine with any certainty. A change in applicable laws, regulations or policies, or a change in the way such laws, regulations, or policies are interpreted by regulatory agencies or courts, may have a material impact on the business, operations, and earnings of the Company and the Bank.

4

As with other financial institutions, the earnings of the Bank are affected by general economic conditions and by the monetary policies of the Federal Reserve. The Federal Reserve exerts a substantial influence on interest rates and credit conditions, primarily through open market operations in U.S. government securities, setting the reserve requirements of member banks, and establishing the discount rate on member bank borrowings. The policies of the Federal Reserve have a direct impact on loan and deposit growth and the interest rates charged and paid thereon. They also affect the source, cost of funds, and the rates of return on investments. Changes in the Federal Reserve’s monetary policies have had a significant impact on the operating results of the Bank and other financial institutions and are expected to continue to do so in the future.

Blue Ridge Bankshares, Inc.

The Company is qualified as a bank holding company within the meaning of the Bank Holding Company Act of 1956, as amended (the “BHC Act”), and is registered as such with the Federal Reserve. As a bank holding company, the Company is subject to supervision, regulation, and examination by the Federal Reserve and is required to file various reports and additional information with the Federal Reserve. The Company is also registered under the bank holding company laws of Virginia and is subject to supervision, regulations, and examination by the Virginia SCC.

Under the Gramm-Leach-Bliley Act of 1999 (the “GLB Act”), a bank holding company may elect to become a financial holding company and thereby engage in a broader range of financial and other activities than are permissible for traditional bank holding companies. In order to qualify for the election, all of the depository institution subsidiaries of the bank holding company must be well capitalized, well managed, and have achieved a rating of “satisfactory” or better under the CRA. Financial holding companies are permitted to engage in activities that are “financial in nature” or incidental or complementary thereto as determined by the Federal Reserve. The GLB Act identifies several activities as “financial in nature,” including insurance underwriting and sales, investment advisory services, merchant banking and underwriting, and dealing or making a market in securities. The Company has not elected to become a financial holding company and has no immediate plans to become a financial holding company.

Blue Ridge Bank, National Association

The Bank is a federally chartered national bank. The Bank is subject to supervision, regulation, and examination by the OCC and is required to file various reports and additional information with the OCC and the FDIC. The OCC has primary supervisory and regulatory authority over the operations of the Bank. Because the Bank accepts insured deposits from the public, it is also subject to examination by the FDIC.

Depository institutions, including the Bank, are subject to extensive federal and state regulations that significantly affect their businesses and activities. Regulatory bodies have broad authority to implement standards and initiate proceedings designed to prohibit depository institutions from engaging in unsafe and unsound banking practices. The standards relate generally to operations and management, asset quality, interest rate exposure, liquidity, and capital. The bank regulatory agencies are authorized to take action against institutions that fail to meet such standards.

The Dodd-Frank Act

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”), signed into law in July 2010, significantly restructured the financial regulatory regime in the United States and has had a broad impact on the financial services industry as a result of the significant regulatory and compliance changes required under the act.

The Economic Growth, Regulatory Relief and Consumer Protection Act of 2018 (the “EGRRCPA”), which became effective May 24, 2018, amended the Dodd-Frank Act to provide regulatory relief for certain smaller and regional financial institutions, such as the Company and the Bank. The EGRRCPA, among other things, provides financial institutions with less than $10 billion in total consolidated assets with relief from certain capital requirements and exempts banks with less than $250 billion in total consolidated assets from the enhanced prudential standards and the company-run and supervisory stress tests required under the Dodd-Frank Act.

The Dodd-Frank Act has had, and may in the future have, a material impact on the Company’s operations, particularly through increased compliance costs resulting from current and possible future consumer and fair lending regulations.

Deposit Insurance

The deposits of the Bank are insured up to applicable limits by the DIF and are subject to deposit insurance assessments to maintain the DIF. The deposit insurance assessment base is based on average total assets minus average tangible equity. Deposit insurance pricing is a “financial ratios method” based on “CAMELS” composite ratings to determine assessment

5

rates for small established institutions with less than $10 billion in assets. The CAMELS rating system is a supervisory rating system designed to take into account and reflect all financial and operational risks that a bank may face, including capital adequacy, asset quality, management capability, earnings, liquidity, and sensitivity to market risk (“CAMELS”).

On October 18, 2022, the FDIC adopted a final rule to increase base deposit insurance assessment rate schedules uniformly by two basis points beginning in the first quarterly assessment period of 2023. The increase was instituted to account for extraordinary growth in insured deposits during the first and second quarters of 2020, which caused a substantial decrease in the “reserve ratio” of the DIF to total industry deposits. The FDIC has indicated that the new assessment rate schedules will remain in effect until the DIF reserve ratio meets or exceeds two percent. In the years ended December 31, 2025 and 2024, the Company recorded expense of $2.8 million and $5.5 million, respectively, for FDIC insurance premiums.

Capital Requirements

The Federal Reserve, the OCC, and the FDIC have issued substantially similar capital requirements applicable to all banks and bank holding companies. In addition, these regulatory agencies may from time to time require that a banking organization maintain capital above the minimum levels because of its financial condition or actual or anticipated growth.

The Bank is subject to the Basel III capital framework and certain related provisions of the Dodd-Frank Act (the “Basel III Capital Rules”). Under the Basel III Capital Rules, banks must hold a "capital conservation buffer" of 2.50% above the adequately capitalized risk-based capital ratios for all ratios, except the tier 1 leverage ratio. The Basel III Capital Rules require the Company and the Bank to comply with the following minimum capital ratios: (i) a ratio of common equity Tier 1 to risk-weighted assets of at least 4.50%, plus a 2.50% capital conservation buffer (resulting in a minimum common equity Tier 1 ratio of 7.00%), (ii) a ratio of Tier 1 capital to risk-weighted assets of at least 6.00%, plus the 2.50% capital conservation buffer (resulting in a minimum Tier 1 capital ratio of 8.50%), (iii) a ratio of total capital to risk-weighted assets of at least 8.00%, plus the 2.50% capital conservation buffer (effectively resulting in a minimum total capital ratio of 10.50%), and (iv) a leverage ratio of 4.00%, calculated as the ratio of Tier 1 capital to average assets ("Tier 1 leverage ratio"). The capital conservation buffer is designed to absorb losses during periods of economic stress. Banking institutions with a ratio of common equity Tier 1 to risk-weighted assets above the minimum but below the conservation buffer face constraints on dividends, equity repurchases, and compensation, based on the amount of the shortfall.

With respect to banks, the “prompt corrective action” regulations pursuant to Section 38 of the Federal Deposit Insurance Act ("FDI Act") specify that to be well capitalized under these regulations a bank must have the following minimum capital ratios: (i) a common equity Tier 1 capital ratio of at least 6.50%; (ii) a Tier 1 capital to risk-weighted assets ratio of at least 8.00%; (iii) a total capital to risk-weighted assets ratio of at least 10.00%; and (iv) a Tier 1 leverage ratio of at least 5.00%.

In September 2019, the federal banking agencies jointly issued a final rule required by the EGRRCPA that permits qualifying banks and bank holding companies that have less than $10 billion in consolidated assets to elect to be subject to a 9% leverage ratio that would be applied using less complex leverage calculations (commonly referred to as the community bank leverage ratio or “CBLR”). Under the rule, which became effective on January 1, 2020, banks and bank holding companies that opt into the CBLR framework and maintain a CBLR of greater than 9% are not subject to other risk-based and leverage capital requirements under the Basel III Capital Rules and would be deemed to have met the well capitalized ratio requirements under the “prompt corrective action” framework. The Bank has not opted into the CBLR framework.

As of December 31, 2025, the Bank's total capital to risk-weighted asset ratio was 19.16%; its Tier 1 capital ratio was 18.18%; its common equity Tier 1 capital ratio was 18.18%; and the Bank's Tier 1 leverage ratio was 13.04%. The Bank exceeded the threshold to be considered well capitalized as of December 31, 2025. As of December 31, 2025, the Company's total capital to risk-weighted asset ratio was 20.69%; its Tier 1 capital ratio was 19.22%; its common equity Tier 1 capital ratio was 19.22%; and its Tier 1 leverage ratio was 13.81%.

In addition to the foregoing capital requirements, and prior to the termination of the Consent Order in the fourth quarter of 2025, the Bank was subject to minimum capital ratios set forth in the Consent Order that were higher than those required for capital adequacy purposes generally. The Bank was required to maintain a leverage ratio of 10.00% and a total capital ratio of 13.00%. As of December 31, 2024, the Bank met the then applicable minimum capital ratios.

Dividends

Generally, the Company’s principal source of cash flow, including cash flow to pay dividends to its shareholders, is dividends it receives from the Bank. Statutory and regulatory limitations apply to the Bank’s payment of dividends to the Company and the Company's payment of dividends to its shareholders.

6

As a general rule, without prior regulatory approval, the amount of dividends that a national bank may declare in any calendar year may not exceed the sum of its net income for that year to date and its retained net income for the immediately preceding two calendar years. In addition, a national bank may not pay a dividend if the payment would cause the institution to become “undercapitalized”, as defined by applicable regulations, if it already is “undercapitalized”, or if the OCC determines that the payment would constitute an unsafe and unsound banking practice. In certain circumstances, where supervisory considerations warrant, a national bank may be required to obtain the OCC’s prior approval or supervisory non-objection before declaring or paying a dividend.

The Company, as a Virginia corporation, generally may not authorize and make distributions if, after giving effect to the distribution, it would be unable to meet its debts as they become due in the usual course of business or if the Company’s total assets would be less than the sum of its total liabilities plus the amount that would be needed, if it were dissolved at that time, to satisfy the preferential rights of shareholders whose rights are superior to the rights of those receiving the distribution.

In addition, under the current supervisory practices of the Federal Reserve, bank holding companies are expected to inform and consult with the Federal Reserve reasonably in advance of declaring or paying a dividend that exceeds earnings for the period (e.g., quarter) for which the dividend is being paid or that could result in a material adverse change to a bank holding company's capital structure.

Permitted Activities

As a bank holding company, the Company is limited to managing or controlling banks, furnishing services to or performing services for its subsidiaries, and engaging in other activities that the Federal Reserve determines by regulation or order to be so closely related to banking or managing or controlling banks as to be a proper incident thereto. In determining whether a particular activity is permissible, the Federal Reserve must consider whether the performance of such an activity reasonably can be expected to produce benefits to the public that outweigh possible adverse effects. Possible benefits include greater convenience, increased competition, and gains in efficiency. Possible adverse effects include undue concentration of resources, decreased or unfair competition, conflicts of interest, and unsound banking practices. Despite prior approval, the Federal Reserve may order a bank holding company or its subsidiaries to terminate any activity or to terminate ownership or control of any subsidiary when the Federal Reserve has reasonable cause to believe that a serious risk to the financial safety, soundness, or stability of any bank subsidiary of that bank holding company may result from such an activity.

Banking Acquisitions; Changes in Control

The BHC Act requires, among other things, the prior approval of the Federal Reserve in any case where a bank holding company proposes to (i) acquire direct or indirect ownership or control of more than 5% of the outstanding voting stock of any bank or bank holding company (unless it already owns a majority of such voting shares), (ii) acquire all or substantially all of the assets of another bank or bank holding company, or (iii) merge or consolidate with any other bank holding company. In determining whether to approve a proposed bank acquisition, the Federal Reserve will consider, among other factors, the effect of the acquisition on competition, the public benefits expected to be received from the acquisition, the projected capital ratios and levels on a post-acquisition basis, and the acquiring institution’s performance under the CRA, and its compliance with fair housing and other consumer protection laws.

Subject to certain exceptions, the BHC Act and the Change in Bank Control Act, together with the applicable regulations, require Federal Reserve approval (or, depending on the circumstances, no notice of disapproval) prior to any person or company acquiring “control” of a bank or bank holding company. A conclusive presumption of control exists if an individual or company acquires the power, directly or indirectly, to direct the management or policies of an insured depository institution or to vote 25% or more of any class of voting securities of any insured depository institution. A rebuttable presumption of control exists if a person or company acquires 10% or more but less than 25% of any class of voting securities of an insured depository institution and either the institution has registered its securities with the SEC under Section 12 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), or no other person will own a greater percentage of that class of voting securities immediately after the acquisition.

In addition, Section 18(c) of the FDI Act, commonly known as the “Bank Merger Act,” requires the prior written approval of the OCC before any national bank may (i) merge or consolidate with, (ii) purchase or otherwise acquire the assets of, or (iii) assume the deposit liabilities of, another bank if the resulting institution is to be a national bank. In determining whether to approve a proposed merger transaction, the OCC must consider the effect on competition, the financial and managerial resources and future prospects of the existing and resulting institutions, the convenience and needs of the communities to be served, and the effectiveness of each insured depository institution involved in the proposed merger transaction in combating money-laundering activities.

7

In addition, Virginia law requires the prior approval of the Virginia SCC for (i) the acquisition of more than 5% of the voting shares of a Virginia bank or any holding company that controls a Virginia bank, or (ii) the acquisition by a Virginia bank holding company of a bank or its holding company domiciled outside Virginia.

Source of Strength

Federal Reserve policy has historically required bank holding companies to act as a source of financial and managerial strength to their subsidiary banks. The Dodd-Frank Act codified this policy as a statutory requirement. Under this requirement, the Company is expected to commit resources to support the Bank, including at times when the Company may not be in a financial position to provide such resources. Any capital loans by a bank holding company to any of its subsidiary banks are subordinate in right of payment to depositors and to certain other indebtedness of such subsidiary banks. In the event of a bank holding company’s bankruptcy, any commitment by the bank holding company to a federal bank regulatory agency to maintain the capital of a subsidiary bank will be assumed by the bankruptcy trustee and entitled to priority of payment.

The Federal Deposit Insurance Corporation Improvement Act

Under the Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”), the federal bank regulatory agencies possess broad powers to take prompt corrective action to resolve problems of insured depository institutions. The extent of these powers depends upon whether the institution is “well capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized,” or “critically undercapitalized,” as defined by the law.

As required by FDICIA, the federal bank regulatory agencies also have adopted guidelines prescribing safety and soundness standards relating to, among other things, internal controls and information systems, internal audit systems, loan documentation, credit underwriting, and interest rate exposure. In general, the guidelines require appropriate systems and practices to identify and manage the risks and exposures specified in the guidelines. In addition, the agencies adopted regulations that authorize, but do not require, an institution that has been notified that it is not in compliance with safety and soundness standard to submit a compliance plan. If, after being so notified, an institution fails to submit an acceptable compliance plan, the agency must issue an order directing action to correct the deficiency and may issue an order directing other actions of the types to which an undercapitalized institution is subject under the prompt corrective action provisions described above.

Transactions with Affiliates

Pursuant to Sections 23A and 23B of the Federal Reserve Act and Regulation W, the authority of the Bank to engage in transactions with related parties or “affiliates” or to make loans to insiders is limited. Loan transactions with an affiliate generally must be collateralized at a specified level, and certain transactions between the Bank and its affiliates, including the sale of assets, the payment of money, or the provision of services, must be on terms and conditions that are substantially the same, or at least as favorable to the Bank, as those prevailing for comparable nonaffiliated transactions. In addition, the Bank generally may not purchase securities issued or underwritten by affiliates.

Loans to executive officers, directors, or to any person who directly or indirectly, or acting through or in concert with one or more persons, owns, controls or has the power to vote more than 10% of any class of voting securities of a bank, are subject to Sections 22(g) and 22(h) of the Federal Reserve Act and their corresponding regulations (Regulation O) and Section 13(k) of the Exchange Act relating to the prohibition on personal loans to executives (which exempts financial institutions in compliance with the insider lending restrictions of Section 22(h) of the Federal Reserve Act). Among other things, these loans must be made on terms substantially the same as those prevailing on transactions made to unaffiliated individuals, and certain extensions of credit to those persons must first be approved in advance by a disinterested majority of the entire board of directors. Section 22(h) of the Federal Reserve Act prohibits loans to any of those individuals where the aggregate amount exceeds an amount equal to 15% of an institution’s unimpaired capital and surplus plus an additional 10% of unimpaired capital and surplus in the case of loans that are fully secured by readily marketable collateral, or when the aggregate amount on all of the extensions of credit outstanding to all of these persons would exceed the Bank’s unimpaired capital and unimpaired surplus. Section 22(g) of the Federal Reserve Act identifies limited circumstances in which the Bank is permitted to extend credit to executive officers.

Consumer Financial Protection

The Company is subject to a number of federal and state consumer protection laws that extensively govern its relationship with its customers. These laws include the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the

8

Truth in Lending Act, the Truth in Savings Act, the Electronic Fund Transfer Act, the Expedited Funds Availability Act, the Home Mortgage Disclosure Act, the Fair Housing Act, the Real Estate Settlement Procedures Act, the Fair Debt Collection Practices Act, the Service Members Civil Relief Act, laws governing flood insurance, federal and state laws prohibiting unfair and deceptive business practices, foreclosure laws, and various regulations that implement some or all of the foregoing. These laws and regulations mandate certain disclosure requirements and regulate the manner in which financial institutions must deal with customers when taking deposits, making loans, collecting loans, and providing other services. For example, mortgage lenders are required to make a reasonable and good faith determination based on verified and documented information that a consumer applying for a mortgage loan has a reasonable ability to repay the loan according to its terms, either by considering underwriting factors prescribed by Regulation Z or by originating loans that meet the definition of a “qualified mortgage.” If the Company fails to comply with these laws and regulations, it may be subject to various penalties. Failure to comply with consumer protection requirements may also result in failure to obtain any required bank regulatory approval for merger or acquisition transactions or in being prohibited from engaging in such transactions even if approval is not required.

Community Reinvestment Act

The CRA requires the appropriate federal banking agency, in connection with its examination of a bank, to assess the bank’s record in meeting the credit needs of the communities served by the bank, including low- and moderate-income neighborhoods. Furthermore, such assessment is also required of banks that have applied, among other things, to merge or consolidate with or acquire the assets or assume the liabilities of an insured depository institution, or to open or relocate a branch. In the case of a bank holding company applying for approval to acquire a bank or bank holding company, the record of each subsidiary bank of the applicant bank holding company is subject to assessment in considering the application. Under the CRA, institutions are assigned a rating of “outstanding,” “satisfactory,” “needs to improve,” or “substantial non-compliance.” The Bank was rated “satisfactory” in its most recent CRA evaluation.

Anti-Money Laundering Legislation

The Company is subject to several federal laws that are designed to combat money laundering, terrorist financing, and transactions with persons, companies or foreign governments designated by U.S. authorities (the “AML laws”). This category of laws includes the Bank Secrecy Act of 1970, the Money Laundering Control Act of 1986, the USA PATRIOT Act of 2001, and the Anti-Money Laundering Act of 2020.

The AML laws and their implementing regulations require insured depository institutions, broker-dealers, and certain other financial institutions to have policies, procedures, and controls to detect, prevent, and report potential money laundering and terrorist financing. The AML laws and their regulations also provide for information sharing, subject to conditions, between federal law enforcement agencies and financial institutions, as well as among financial institutions, for counter-terrorism purposes. Federal banking regulators are required, when reviewing bank holding company acquisition and bank merger applications, to take into account the effectiveness of the anti-money laundering activities of the applicants. Compliance with AML laws are onerous and costly.

Office of Foreign Assets Control

The U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) is responsible for administering and enforcing economic and trade sanctions against specified foreign parties, including countries and regimes, foreign individuals, and other foreign organizations and entities. OFAC publishes lists of prohibited parties that are regularly consulted by the Company in the conduct of its business in order to assure compliance. The Company is responsible for, among other things, blocking accounts of, and transactions with, prohibited parties identified by OFAC, avoiding unlicensed trade and financial transactions with such parties, and reporting blocked transactions after their occurrence. Failure to comply with OFAC requirements could have serious legal, financial, and reputational consequences for the Company.

Privacy Legislation

Several recent laws, including the Right to Financial Privacy Act, and related regulations issued by the federal bank regulatory agencies, provide new protections against the transfer and use of customer information by financial institutions. A financial institution must provide to its customers information regarding its policies and procedures with respect to the handling of customers’ personal information. Each institution must conduct an internal risk assessment of its ability to protect customer information. These privacy provisions generally prohibit a financial institution from providing a customer’s personal financial information to unaffiliated parties without prior notice and approval from the customer.

In October 2024, the Consumer Financial Protection Bureau ("CFPB") adopted a new rule that requires financial services providers, such as the Bank, to make certain data available to consumers upon request regarding the products or services they

9

obtain from the provider. The rule is intended to give consumers control over their financial data, including with whom it is shared, and encourage competition in the provision of consumer financial products and services. Compliance is required beginning April 1, 2028 for depository institutions with at least $3 billion in total assets and beginning April 1, 2029 for depository institutions with at least $1.5 billion in total assets.

Incentive Compensation

In June 2010, the federal bank regulatory agencies issued final Interagency Guidance on Sound Incentive Compensation Policies intended to ensure that the incentive compensation policies of financial institutions do not undermine the safety and soundness of such institutions by encouraging excessive risk-taking. The Interagency Guidance on Sound Incentive Compensation Policies covers all employees who have the ability to materially affect the risk profile of a financial institution, either individually or as part of a group, and is based upon the key principles that a financial institution’s incentive compensation arrangements should (i) provide incentives that do not encourage risk-taking beyond the institution’s ability to effectively identify and manage risks, (ii) be compatible with effective internal controls and risk management, and (iii) be supported by strong corporate governance, including active and effective oversight by the financial institution’s board of directors.

The Dodd-Frank Act requires the federal banking agencies and the SEC to establish joint regulations or guidelines prohibiting incentive-based payment arrangements at specified regulated entities that encourage inappropriate risk-taking by providing an executive officer, employee, director, or principal shareholder with excessive compensation, fees, or benefits or that could lead to material financial loss to the entity. As of December 31, 2025, such regulations or guidelines have not been finalized.

The Federal Reserve will review, as part of the regular risk-focused examination process, the incentive compensation arrangements of financial institutions, such as the Company, that are not “large complex banking organizations.” These reviews are tailored to each financial institution based on the scope and complexity of the institution’s activities and the prevalence of incentive compensation arrangements. The findings of the supervisory initiatives are included in reports of examination. Deficiencies are incorporated into the institution’s supervisory ratings, which can affect the institution’s ability to make acquisitions and take other actions. Enforcement actions may be taken against a financial institution if its incentive compensation arrangements, or related risk-management control or governance processes, pose a risk to the institution’s safety and soundness and the financial institution is not taking prompt and effective measures to correct the deficiencies. As of December 31, 2025, the Company had not been made aware of any instances of non-compliance with the guidance.

Ability-to-Repay and Qualified Mortgage Rule

Pursuant to the Dodd-Frank Act, the CFPB issued a final rule effective in January 2014, amending Regulation Z as implemented by the Truth in Lending Act, requiring mortgage lenders to make a reasonable and good faith determination based on verified and documented information that a consumer applying for a mortgage loan has a reasonable ability to repay the loan according to its terms. Mortgage lenders are required to determine consumers’ ability to repay in one of two ways. The first alternative requires the mortgage lender to consider the following eight underwriting factors when making the credit decision: (i) current or reasonably expected income or assets; (ii) current employment status; (iii) the monthly payment on the covered transaction; (iv) the monthly payment on any simultaneous loan; (v) the monthly payment for mortgage-related obligations; (vi) current debt obligations, alimony, and child support; (vii) the monthly debt-to-income ratio or residual income; and (viii) credit history. Alternatively, the mortgage lender can originate “qualified mortgages,” which are entitled to a presumption that the creditor making the loan satisfied the ability-to-repay requirements. In general, a “qualified mortgage” is a mortgage loan without negative amortization, interest-only payments, balloon payments, or term exceeding 30 years. In addition, a qualified mortgage generally must meet certain price-based thresholds, and the points and fees paid by a consumer cannot exceed 3% of the total loan amount. Qualified mortgages that are “higher-priced” (e.g., subprime loans) garner a rebuttable presumption of compliance with the ability-to-repay rules, while qualified mortgages that are not “higher-priced” (e.g., prime loans) are given a safe harbor of compliance. The Company is predominantly an originator of compliant qualified mortgages.

Cybersecurity

In March 2015, federal regulators issued two related statements regarding cybersecurity. One statement indicates that financial institutions should design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures to reliably authenticate customers accessing internet-based services of the financial institution. The other statement indicates that a financial institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption, and maintenance of the institution’s operations after a cyber-attack involving destructive

10

malware. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations and address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to this type of cyber-attack. If the Company fails to observe the regulatory guidance, it could be subject to various regulatory sanctions, including financial penalties.

Effective April 1, 2022, the OCC, the Federal Reserve, and the FDIC issued a joint rule imposing upon banking organizations and their service providers notification requirements for significant cybersecurity incidents. Specifically, the rule requires banking organizations to notify their primary federal regulator as soon as possible and no later than 36 hours after the discovery of a “computer-security incident” that rises to the level of a “notification incident” as those terms are defined in the rule. Banks’ service providers are required under that rule to notify any affected bank to or on behalf of which the service provider provides services “as soon as possible” after determining that it has experienced an incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided to such bank for as much as four hours.

Additionally, effective December 9, 2022, amendments to the GLB Act’s Safeguards Rule went into effect. That rule requires financial institutions to: (i) appoint a qualified individual to oversee and implement their information security programs; (ii) implement additional criteria for information security risk assessments; (iii) implement safeguards identified by assessments, including access controls, data inventory, data disposal, change management, and monitoring, among other things; (iv) implement information system monitoring in the form of either “continuous monitoring” or “periodic penetration testing;” (v) implement additional controls including training for security personnel, periodic assessment of service providers, written incident response plans, and periodic reports from the qualified individual to the board of directors. Additionally, multiple states and U.S. Congress are considering laws or regulations which could create new individual privacy rights and impose increased obligations on companies handling personal data.

The Company’s systems and those of its customers and third-party service providers are under constant threat. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of internet banking, mobile banking, and other technology-based products and services by the Company and its customers. See Item 1C, Cybersecurity, in this Form 10-K for a disclosure of the Company's cybersecurity risk management practices and governance.

Digital Assets

In July 2025, President Trump signed into law the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the “GENIUS Act”), which establishes a regulatory framework for “payment stablecoins” and their issuers. The GENIUS Act permits payment stablecoins to be issued in the United States only by “permitted payment stablecoin issuers”, including the subsidiary of an insured depository institution such as the Bank. The GENIUS Act requires federal and state regulators to issue regulations on numerous topics to interpret and implement the act. The effect of the GENIUS Act on the Company and the Bank will depend on the final form of any regulations and cannot be predicted at this time. In addition, although federal banking regulators have not developed regulations governing the digital asset activities of banking organizations, the OCC has clarified that certain digital assets activities of national banks are permissible, subject to safety-and-soundness standards and the OCC’s prior approval. Digital assets activities are an area of significant focus for Congress, the current Presidential administration, and federal banking regulators. Any changes in law or in the Company’s or the Bank’s supervisory frameworks relating to digital assets cannot be predicted but may have a significant effect on the Company’s business.

Fair Access to Financial Services

In August 2025, President Trump signed Executive Order 14331, “Guaranteeing Fair Banking Access for All Americans,” which states that it is the policy of the United States that no American should be denied access to financial services because of their constitutionally or statutorily protected beliefs, affiliations, or political views. The Executive Order directs the Treasury Secretary and federal banking regulators to address politicized or unlawful debanking activities. In recent years, certain states have also enacted, or have proposed to enact, statutes, regulations, or policies that prohibit financial institutions from denying or canceling products or services to a person or business, or otherwise discriminating against a person or business in making available products or services, on the basis of certain social or political factors or other activities.

Future Legislation and Regulation

Congress may enact legislation from time to time that affects the regulation of the financial services industry, and state legislatures may enact legislation from time to time affecting the regulation of financial institutions chartered by or operating in those states. Federal and state regulatory agencies also periodically propose and adopt changes to their regulations or

11

change the manner in which existing regulations are applied. The substance or impact of pending or future legislation or regulation, or the application thereof, cannot be predicted. Enactment of legislation and changes in the application of existing legislation could impact the regulatory structure under which the Company and the Bank operate and may significantly increase costs, impede the efficiency of internal business processes, require an increase in regulatory capital, require modifications to business strategy, and limit the ability to pursue business opportunities in an efficient manner. A change in statutes, regulations, or regulatory policies applicable to the Company or the Bank could have a material adverse effect on the business, financial condition, and results of operations of the Company and the Bank.