COMMUNITY FINANCIAL SYSTEM, INC. (CBU) Business

Item 1. Business

​

Community Financial System, Inc. (the “Company”) was incorporated on April 15, 1983, under the Delaware General Corporation Law. Its principal office is located at 333 Butternut Drive, Syracuse, New York 13214. The Company’s business philosophy is to operate as a diversified financial services enterprise providing a broad array of banking and other financial services to retail, commercial, institutional and governmental customers. The Company is a registered financial holding company which wholly-owns two significant subsidiaries: Community Bank, N.A. (the “Bank” or “CBNA”), and Benefit Plans Administrative Services, Inc. (“BPAS”). As of December 31, 2025, BPAS owns five subsidiaries: Benefit Plans Administrative Services, LLC (“BPA”), a provider of defined contribution plan administration services; Northeast Retirement Services, LLC (“NRS”), a provider of institutional transfer agency, master recordkeeping services, fund administration, trust, and retirement plan services; BPAS Actuarial & Pension Services, LLC (“BPAS-APS”), a provider of actuarial and benefit consulting services; BPAS Trust Company of Puerto Rico, a provider of trust and benefit plan administration services; and Hand Benefits & Trust Company (“HB&T”), a provider of collective investment fund administration and institutional trust services. NRS owns one subsidiary, Global Trust Company, Inc. (“GTC”), a non-depository trust company which provides fiduciary services for collective investment trusts and other products. HB&T owns one subsidiary, Hand Securities, Inc. (“HSI”), an introducing broker-dealer.

​

As of December 31, 2025, the Bank operates 192 full-service branches and 8 drive-thru only locations throughout 42 counties of Upstate New York, 9 counties of Northeastern Pennsylvania, 12 counties of Vermont, 1 county of Western Massachusetts and 1 county of Southern New Hampshire, offering a range of commercial and retail banking services. The Bank owns the following operating subsidiaries: CBNA Preferred Funding Corporation (“PFC”), CBNA Treasury Management Corporation (“TMC”), Nottingham Investment Services, Inc. (“NISI”), Nottingham Advisors, Inc. (“Nottingham Advisors”), OneGroup NY, Inc. (“OneGroup”), Nottingham Wealth Partners, Inc. (“Wealth Partners”) and Oneida Preferred Funding II LLC (“OPFC II”). OneGroup is a full-service insurance agency offering personal and commercial lines of insurance and other risk management products and services. PFC and OPFC II primarily act as investors in residential and commercial real estate activities. TMC provides cash management, investment, and treasury services to the Bank. NISI and Wealth Partners provide broker-dealer and investment advisory services. Nottingham Advisors provides asset management services to individuals, corporations, corporate pension and profit sharing plans, and foundations.

​

The Company maintains a website at https://communityfinancialsystem.com. Annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, and amendments to those reports, are available on the Company’s website free of charge as soon as reasonably practicable after such reports or amendments are electronically filed with or furnished to the Securities and Exchange Commission (“SEC”). The information posted on the website is not incorporated into or a part of this filing. Copies of all documents filed with the SEC can also be obtained by visiting the SEC’s Public Reference Room at 100 F Street, NE, Washington, DC 20549, by calling the SEC at 1-800-SEC-0330 or by accessing the SEC’s website at https://www.sec.gov.

​

Current Year Acquisitions

​

7 Branches from Santander Bank, N.A. in the Lehigh Valley Market

​

On November 7, 2025, the Company, through its subsidiary CBNA, completed the acquisition of seven branch locations in the Allentown, Pennsylvania area from Santander Bank, N.A. (“Santander”), including certain branch-related loans and deposits, acquiring $31.9 million of loans and $543.7 million of deposits. Total cash consideration was $80.9 million, including a deposit premium of 8%, or $43.5 million, and the Company recorded core deposit intangibles of $11.9 million and goodwill of $32.0 million.

​

​

3

Table of Contents

Financial Services Companies

​

During 2025, the Company, through its subsidiaries OneGroup, BPA, BPAS-APS and NISI, completed the acquisitions of certain assets of financial services companies. The assets were acquired from companies that provide insurance, employee benefit and wealth management services. Total aggregate consideration for these acquisitions was $11.2 million, including $4.5 million in cash and $6.7 million in contingent consideration arrangements. The Company recognized $8.4 million of customer list intangible assets and $2.9 million of goodwill in conjunction with these acquisitions.

​

Segment Information

​

The Company has identified four reportable operating business segments: Banking and Corporate, Employee Benefit Services, Insurance Services and Wealth Management Services. Information about the Company’s reportable business segments is included in Note U of the “Notes to Consolidated Financial Statements” filed herewith in Part II.

​

Business Segments

​

Banking

​

The Bank is a community bank committed to the philosophy of serving the financial needs of customers in local communities. The Bank’s branches are located in towns and cities within its geographic market areas of Upstate New York, Northeastern Pennsylvania, Vermont, Western Massachusetts and Southern New Hampshire. The Bank is nearing completion of its process of expanding its branch presence in more densely populated markets within its geographic footprint including the Albany, Buffalo, Rochester and Syracuse regions of New York, the Lehigh Valley region of Pennsylvania, Southern New Hampshire and Springfield, Massachusetts. The Company believes that the local character of its business, knowledge of the customers and their needs, and its comprehensive retail and business products, together with responsive decision-making at the branch and regional levels and its digital banking service offerings, enable the Bank to compete effectively in its geographic market. The Bank is a member of the Federal Reserve System, the Federal Home Loan Bank of New York and the Federal Home Loan Bank of Boston (as a non-member bank) (collectively, referred to as “FHLB”), and its deposits are insured by the Federal Deposit Insurance Corporation (“FDIC”) up to applicable limits.

​

Employee Benefit Services

​

Through BPAS and its subsidiaries, the Company operates a national practice that provides employee benefit trust, collective investment fund, retirement plan and health savings account administration, fund administration, transfer agency, actuarial, and health and welfare consulting services to a diverse array of clients spanning the United States and the Commonwealth of Puerto Rico.

​

Insurance Services

​

Through OneGroup, the Company offers personal and commercial lines of insurance and other risk management products and services. In addition, OneGroup offers employee benefit related services. OneGroup represents many leading and specialty insurance companies.

​

Wealth Management Services

​

Through the Bank’s Nottingham Trust division, NISI, Nottingham Advisors, and Wealth Partners, the Company provides wealth management, retirement planning, higher educational planning, fiduciary, risk management, trust services and personal financial planning services. The Company offers a range of investment products including stocks, bonds, exchange-traded funds, mutual funds, insurance and advisory products.

​

​

​

4

Table of Contents

Competition

​

The banking and financial services industry is highly competitive in the New York, Pennsylvania, Vermont, Massachusetts and New Hampshire markets. The Company competes actively for loans, deposits, and financial services relationships with other national and state banks, thrift institutions, credit unions, retail brokerage firms, mortgage bankers, finance companies, including financial technology companies, insurance agencies, and other regulated and unregulated providers of financial services. In order to compete with other financial service providers, the Company stresses the community nature of its operations and the development of profitable customer relationships across all lines of business.

​

The Company’s employee benefits, trust and plan administration business competes on a national scale and provides geographic diversification for the Company. Certain lines of business are marketed primarily through unaffiliated financial advisors, while others are marketed directly to plan sponsors and fund companies. In order to compete with large national firms, the Company stresses its consultative approach to complex engagements.

The Company utilizes the Community Connect program, which is a joint initiative between the four operating business segments to facilitate cross-selling opportunities and connections with commercial clients between the functional areas of the business. The program intends to provide customers with interconnected solutions and enhance customer retention.

​

Human Capital Resources

​

The Company’s employees are asked to embody the core values of integrity, excellence, teamwork and humility.  These values are foundational to sustaining the strength of the Company’s culture.  As of December 31, 2025, the Company had 3,001 total employees, which included 2,853 full-time employees and 148 part-time and temporary employees. Of the Company’s 3,001 employees, 2,157 are in the Banking and Corporate segment (2,028 full-time employees and 129 part-time and temporary employees), 479 employees are in the Employee Benefit Services segment (471 full-time employees and 8 part-time and temporary employees), 256 are in the Insurance Services segment (246 full-time employees and 10 part-time and temporary employees), and 109 employees are in the Wealth Management Services segment (108 full-time employees and 1 part-time temporary employee).  The Company’s employee base is concentrated in New York, Pennsylvania and New England where the Bank maintains its retail bank branch presence, with approximately 2,136 employees in New York, 312 in Pennsylvania and 323 in Vermont, Massachusetts and New Hampshire. Approximately 230 of the Company’s employee base is located outside of its retail banking footprint.

​

The Company considers its relationship with its employees to be strong. None of the Company’s employees are represented by a labor union or are represented by a collective bargaining agreement.

​

Oversight

​

The Board of Directors (the “Board”) has ultimate responsibility for the strategy of the Company. The Board’s Compensation Committee is responsible for the oversight of executive compensation, company culture, diversity, and employee engagement. The Company proactively identifies potential human capital related risks, such as succession planning, labor market shortage, increased labor costs, and employee retention strategies to mitigate those risks. Strong human capital management is viewed as integral to the Company’s business strategy.

​

Compensation and Benefits

​

The success and growth of the Company’s business is largely dependent on its ability to attract, develop, and retain a population of skilled and high-performing employees with varied backgrounds and skill sets at all levels of the organization. Accordingly, the Company’s compensation philosophy includes elements that reinforce the Company’s core values, reward employees for their achievements and maximize continued performance with long-term retention. The Company employs benchmarking measures to ensure employees are paid fairly based on their job and performance. The Company conducts workforce planning sessions periodically across all business areas to ensure competitive market pay for employees and actions to support commitment to the professional development of employees.

​

​

5

Table of Contents

Growth and Development

​

The Company continues to broaden the scope of its talent development initiatives across its widening and geographically diverse footprint in order to sustain a value-driven and growth-oriented environment where employees can perform at their peak and the next generation of leaders are prepared. The Company offers a wide range of learning and development programs, both internally and externally, that support a broad scope of the Company’s talent development initiatives making continuous learning a part of each employee’s relationship with the Company in a growth-oriented environment. The Company maintains a strong performance culture through its performance management program. The program supports setting clear expectations for all employees via annual goal setting and encourages ongoing and frequent feedback. These dialogues are intended to achieve higher performance, engagement and commitment, improving outcomes and productivity. The Company has invested in an on-line skills development platform that will expand and enhance the ability to build critical skills for today and in the future.

​

Culture and Attracting a Talented Workforce

​

The Company is committed to fostering an inclusive environment where there is a sense of purpose, belonging, and ownership, guided by the Company’s core values and dedication to serving customers.  The Company empowers its workforce to achieve their full potential by supporting the development of job-related skills and personal growth within a culture that prioritizes employees’ wellbeing and fosters inclusivity.  In this environment, employees feel safe to share ideas, receive support, and take thoughtful risks without the fear of judgment or retaliation.

​

The goal of the Company’s recruitment efforts is to provide fair opportunities to all candidates and to build a strong and positive reputation both internally and externally. To support this objective, leaders across the business and the Company’s human resource professionals share increased responsibility in recruitment and selection processes, supported by a committed Talent Acquisition team that focuses exclusively on recruitment and talent attraction to deliver a consistent, strategic and candidate-centered experience. The Company’s long-standing presence and proven track record offer candidates the stability of a well-established organization, while its forward-looking strategy continues to drive expansion into diverse geographic locations and new markets. This balanced approach provides opportunities for career growth, innovation, and meaningful impact, complemented by a comprehensive benefits package that supports employee well-being, financial security, and work-life balance. To further support effective hiring decisions, the Company initiated the use of assessments within the recruitment process. These assessments are intended to promote objectivity, alignment with role requirements, and a positive candidate experience. The Company remains committed to continuing to grow, refine, and develop these assessment practices as part of its ongoing investment in talent acquisition excellence.

​

Engagement

​

The Company is committed to creating a top-tier workplace filled with highly satisfied and engaged employees. The Company believes that open and honest communication among employees, managers and executive leadership fosters an open and collaborative work environment where everyone can participate, develop, and thrive. The Company continues to conduct a survey annually to maintain a feedback loop with employees. In 2023, the Company selected Engagement Champions whose role is to support leaders and managers in the ongoing engagement efforts and initiatives. In 2024, the CEO instituted a Company-wide employee townhall to enhance communication and transparency relative to the Company’s strategy and priorities. The townhalls include a Q&A segment where the CEO answers questions on a variety of topics. The town halls are conducted twice a year and continue to serve as a key component of transparent communication with all employees.

​

Health and Safety

​

The health and safety of the Company’s employees is of utmost importance. The Company is committed to providing tools and resources to support employees’ overall health and wellbeing. This includes offering a variety of health and welfare benefits as well as a holistic wellbeing program.

​

​

6

Table of Contents

Supervision and Regulation

​

General

​

The banking industry is highly regulated with numerous statutory and regulatory requirements that are designed primarily for the protection of depositors and the financial system. Set forth below is a description of the material laws and regulations applicable to the Company and the Bank. This summary is not complete and the reader should refer to these laws and regulations for more detailed information. The Company’s and its subsidiaries’ failure to comply with applicable laws and regulations could result in a range of sanctions and administrative actions imposed upon the Company and/or its subsidiaries, including restrictions on merger and acquisition activity, the imposition of civil money penalties, formal agreements and cease and desist orders. New laws and regulations, more complex regulations, and changes in regulators’ interpretations and application of existing laws and regulations cannot be predicted and may have a material adverse effect on the Company’s businesses and results.

​

The Company and its subsidiaries are subject to the laws and regulations of the federal government and, where applicable, the states and jurisdictions in which they conduct business. The Company, as a financial holding company, is subject to extensive regulation and supervision by the Board of Governors of the Federal Reserve System (“FRB” or “Federal Reserve”) as its primary federal regulator. The Bank is a federally chartered national bank and is subject to extensive regulation and supervision by the Office of the Comptroller of the Currency (“OCC”) as its primary federal regulator, and as to certain matters, the FRB, the Consumer Financial Protection Bureau (“CFPB”), and the FDIC. The Company expects the current federal government administration will continue to implement a regulatory reform agenda that impacts the rulemaking, supervision, examination and enforcement priorities of the federal banking agencies.

​

The Company is also subject to the jurisdiction of the SEC and is subject to disclosure and regulatory requirements under the Securities Act of 1933, as amended, and the Securities Exchange Act of 1934, as amended. The Company’s common stock is listed on the New York Stock Exchange (“NYSE”) and it is subject to NYSE’s rules for listed companies. Affiliated entities, including BPAS, BPA, NRS, GTC, HB&T, HSI, BPAS Trust Company of Puerto Rico, Nottingham Advisors, NISI, OneGroup, and Wealth Partners are subject to the jurisdiction of certain state and federal regulators and self-regulatory organizations including, but not limited to, the SEC, the Texas Department of Banking, the State of Maine Bureau of Financial Institutions, the Financial Industry Regulatory Authority (“FINRA”), Puerto Rico Office of the Commissioner of Financial Institutions, the U.S. Department of Labor, and state securities and insurance regulators.

​

Federal Bank Holding Company Regulation

​

As the Company is classified as a financial holding company, the Company can affiliate with securities firms and insurance companies and engage in other activities that are “financial in nature” or “incidental” or “complementary” to activities that are financial in nature, as long as it continues to meet the eligibility requirements for financial holding companies (including requirements that the financial holding company and its depository institution subsidiary maintain their status as “well capitalized” and “well managed”).

​

Generally, FRB approval is not required for the Company to acquire a company (other than a bank holding company, bank or savings association) engaged in activities that are financial in nature or incidental to activities that are financial in nature, as determined by the FRB. Prior notice to the FRB may be required, however, if the company to be acquired has total consolidated assets of $10 billion or more. Prior FRB approval is required before the Company may acquire the beneficial ownership or control of more than 5% of the voting shares or substantially all of the assets of a bank holding company, bank or savings association.

​

As the Company is a financial holding company, if the Bank were to not maintain a Satisfactory or better rating under the Community Reinvestment Act of 1977, as amended (“CRA”), the Company would be prohibited, until the rating is raised to Satisfactory or better, from engaging in new activities or acquiring companies other than bank holding companies, banks or savings associations, except that the Company could engage in new activities, or acquire companies engaged in activities, that are considered “closely related to banking” under the Bank Holding Company Act of 1956, (the “BHC Act”). The Bank’s most recent CRA rating was “Satisfactory”. In addition, if the FRB determines that the Company or the Bank is not well capitalized or well managed, the Company would be required to enter into an agreement with the FRB to comply with all applicable capital and management requirements and may contain additional limitations or conditions. Until corrected, the Company could be prohibited from engaging in any new activity or acquiring companies engaged in activities that are not closely related to banking, absent prior FRB approval.

7

Table of Contents

Federal Reserve System Regulation

​

As the Company is a financial holding company, it is subject to regulatory capital requirements. The Bank is under similar capital requirements administered by the OCC as discussed below. FRB policy has historically required a financial holding company to act as a source of financial and managerial strength to its subsidiary banks. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”) codifies this historical policy as a statutory requirement. To the extent the Bank is in need of regulatory capital, the Company would be expected to provide additional capital, including borrowings from the FRB for such purpose. Both the Company and the Bank are subject to extensive supervision and regulation, which focus on, among other things, the protection of depositors’ funds.

​

The FRB also regulates the national supply of bank credit in order to influence general economic conditions. These policies have a significant influence on overall growth and distribution of loans, investments and deposits, and affect the interest rates charged on loans or paid for deposits.

​

Fluctuations in interest rates, which may result from government fiscal policies and the monetary policies of the FRB, have a strong impact on the income derived from loans and securities, and interest paid on deposits and borrowings. While the Company and the Bank strive to model various interest rate changes and adjust its strategies for such changes, the level of earnings can be materially affected by economic circumstances beyond its control.

​

The Office of the Comptroller of the Currency Regulation (“OCC”)

​

The Bank is supervised by the OCC. OCC supervision consists of multiple examinations of the Bank’s activities over the course of its annual supervisory cycle. The various laws and regulations administered by the OCC affect the Company’s practices such as payment of dividends, incurring debt, and acquisition of financial institutions and other companies. It also affects the Bank’s business practices, such as payment of interest on deposits, the charging of interest on loans, types of business conducted and the location of its offices. The OCC generally prohibits a depository institution from making any capital distributions, including the payment of a dividend, or paying any management fee to its parent holding company if the depository institution would become undercapitalized due to the payment. Undercapitalized institutions are subject to growth limitations and are required to submit a capital restoration plan to the OCC. The OCC may take enforcement actions for a variety of supervisory concerns, including violations of laws, rules or regulations and unsafe and unsound practices. As a result, the OCC could also establish individual minimum capital ratios (“IMCR”) for the Bank that are higher than the regulatory minimums. This would impair the Bank’s ability to pay dividends to the Company. The Bank is well capitalized under regulatory standards administered by the OCC. For additional information on the Company’s capital requirements see “Management’s Discussion and Analysis of Financial Condition and Results of Operations – Shareholders’ Equity and Regulatory Capital” and Note P to the Financial Statements.

​

During 2025, the OCC announced a number of initiatives intended to tailor regulatory and supervisory expectations for community banks, including the release of a notice of proposed rulemaking to expand the definition of community banks to include institutions with less than $30 billion in total assets. These initiatives are focused on reducing the regulatory burden on smaller, lower risk national banks and include refinements to examination processes, supervisory practices, and certain data collection requirements. The OCC has indicated that these changes are designed to improve examination efficiency, enhance supervisory clarity, and focus regulatory attention on areas of heightened or material risk. While these initiatives may reduce certain compliance and operational burdens, the Company remains subject to comprehensive prudential regulation and supervisory oversight, and changes in regulatory priorities or expectations could continue to affect the Company’s operations, compliance costs, and strategic planning. Additionally, some of the administration’s policy initiatives could have unforeseen negative consequences directly on the bank’s operations or the credit markets that it lends. If deposit alternatives, such as stablecoin, were to gain significant market share among retail and commercial depositors, it could have a significant negative impact on the Bank’s liquidity and funding costs.

​

​

8

Table of Contents

Federal Home Loan Bank (“FHLB”)

​

The Bank is a member of the FHLB, which provides a central credit facility primarily for member institutions for home mortgage and neighborhood lending. The Bank is subject to certain rules and requirements as a member institution of the FHLB, including the purchase of shares of FHLB activity-based stock in the amount of 4.5% of the dollar amount of outstanding advances and FHLB capital stock in an amount equal to the greater of $1,000 or the sum of 0.15% of the mortgage-related assets held by the Bank based upon the previous year-end financial information. The Bank was in compliance with the rules and requirements of the FHLB at December 31, 2025.

​

Deposit Insurance

​

Deposits of the Bank are insured up to the applicable limits by the Deposit Insurance Fund (“DIF”) and are subject to deposit insurance assessments to maintain the DIF. The Dodd-Frank Act permanently increased the maximum amount of deposit insurance to $250,000 per deposit category, per depositor, per institution. A depository institution’s DIF assessment is calculated by multiplying its assessment rate by the assessment base, which is defined as the average consolidated total assets less the average tangible equity of the depository institution. The Bank’s deposit insurance assessment is based on a large institution classification. For large insured depository institutions, generally defined as those with at least $10 billion in total assets, the FDIC uses capital and supervisory ratings (“CAMELS”) and financial measures from two scorecards to calculate assessment rates. Each scorecard has two components - a performance score and loss severity score, which are combined and converted to an initial assessment rate. The FDIC has the ability to adjust a large or highly complex insured depository institution’s total score by a maximum of 15 points, up or down, based upon significant risk factors that are not captured by the scorecard. Under the assessment rate schedule effective for 2025, the initial base assessment rate for large and highly complex insured depository institutions ranges from five to 32 basis points, and the total base assessment rate, after applying the unsecured debt and brokered deposit adjustments, ranges from two and one-half to 42 basis points. The Bank’s FDIC insurance for 2025 was based on assessment rates ranging between six and seven basis points compared to assessment rates ranging between five and seven basis points for 2024 and five and six basis points for 2023.

​

Under the Federal Deposit Insurance Act (“FDIA”), if the FDIC finds that an institution has engaged in unsafe and unsound practices, is in an unsafe or unsound condition to continue operations, or has violated any applicable law, regulation, rule, order or condition imposed by the FDIC, the FDIC may determine that such violation or unsafe or unsound practice or condition require the termination of deposit insurance.

​

The FDIA requires federal bank regulatory agencies to prescribe, by regulation or guideline, operational and managerial standards for all insured depository institutions that relate to, among other things: (i) internal controls, information systems and audit systems; (ii) loan documentation; (iii) credit underwriting; (iv) interest rate exposure; (v) asset growth and quality; and (vi) compensation and benefits. Federal banking agencies have adopted regulations and Interagency Guidelines Prescribing Standards for Safety and Soundness to implement these requirements, which regulators use to identify and address problems at insured depository institutions before capital becomes impaired. If a regulator determines that a bank fails to meet any standards prescribed by the guidelines, the bank may be required to submit an acceptable plan to achieve compliance and agree to specific deadlines for the submission to and review by the regulator of reports confirming progress in implementing the safety and soundness compliance plan. Failure to implement such a plan may result in an enforcement action against the bank.

​

Enforcement actions against the Company, the Bank and their respective officers and directors may include the issuance of a written directive, the issuance of a cease-and-desist order that can be judicially enforced, the imposition of civil money penalties, the issuance of directives to increase capital, the issuance of formal and informal agreements, the issuance of removal and prohibition orders against officers or other institution-affiliated parties, the imposition of restrictions and sanctions under prompt corrective action regulations, the termination of deposit insurance (in the case of the Bank) and the appointment of a conservator or receiver for the Bank. Civil money penalties can be over $2 million for each day a violation continues.

​

Various proposals are under active consideration by policymakers that could affect the scope of deposit insurance coverage. For example, bipartisan legislation has been introduced in the U.S. Senate that would significantly raise the deposit insurance limit for certain noninterest-bearing transaction accounts, subject to legislative approval and funding determinations. In addition, Congress and the FDIC have conducted oversight hearings and agency analyses exploring broader deposit insurance reform alternatives, including adjusting coverage limits and targeted insurance frameworks for specific account types. The ultimate outcome, timing, and scope of any changes remain uncertain and could materially affect deposit flows, competitive dynamics, and regulatory costs.

9

Table of Contents

Transactions with Affiliates and Insiders

​

The Bank is subject to Section 23A of the Federal Reserve Act, as amended (the "FRA") which places limits on, among other covered transactions, the amount of loans or extensions of credit to affiliates that may be made by the Bank. Extensions of credit to affiliates must be adequately collateralized by specified amounts and types of collateral. Section 23A also limits the amount of loans or advances made by the Bank to third-party borrowers that are collateralized by securities or obligations of the Bank's affiliates. The Bank is also subject to Section 23B of the FRA, which, among other things, prohibits an institution from engaging in transactions with affiliates unless the transactions are on terms substantially the same, or at least as favorable to such institution or its subsidiaries, as those prevailing at the time for comparable transactions with non-affiliates.

​

The Company is subject to restrictions on extensions of credit to insiders (namely executive officers, directors, and 10% stockholders) and their related interests. These restrictions are contained in the FRA and Federal Reserve Regulation O and apply to all insured depository institutions as well as their subsidiaries and holding companies. These restrictions include limits on loans to any individual insider and such insider's related interests and certain conditions that must be met before such loans can be made. There is also an aggregate limitation on all loans to insiders and their related interests, which cannot exceed the institution's total unimpaired capital and surplus, unless the FDIC determines that a lesser amount is appropriate. Insiders are subject to enforcement actions for knowingly accepting loans in violation of applicable restrictions.

​

Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010

​

On July 21, 2010, the Dodd-Frank Act was signed into law, which resulted in significant changes to the banking industry. The Dodd-Frank Act contains numerous provisions that affect all banks and bank holding companies and impacts how the Company and the Bank handle their operations. The Dodd-Frank Act requires various federal agencies, including those that regulate the Company and the Bank, to promulgate rules and regulations and to conduct various studies and reports for Congress. The federal agencies have either completed or are in the process of completing these rules and regulations and have been given significant discretion in drafting such rules and regulations. Several of the provisions of the Dodd-Frank Act have the consequence of increasing the Bank’s expenses, decreasing its revenues, and changing the activities in which it chooses to engage. The specific impact of the Dodd-Frank Act on the Company’s current activities or new financial activities the Company may consider in the future, the Company’s financial performance, and the markets in which the Company operates depends on the manner in which the relevant agencies continue to develop and implement the required rules and regulations and the reaction of market participants to these regulatory developments.

​

Pursuant to FRB regulations mandated by the Dodd-Frank Act, interchange fees on debit card transactions are limited to a maximum of $0.21 per transaction plus 5 basis points of the transaction amount. A debit card issuer may recover an additional one cent per transaction for fraud prevention purposes if the issuer complies with certain fraud-related requirements prescribed by the FRB. The FRB also adopted requirements in the final rule that issuers include two unaffiliated networks for routing debit transactions that are applicable to the Company and the Bank. On October 25, 2023, the FRB proposed to lower the maximum interchange fee that a large debit card issuer can receive for a debit card transaction. The proposal would also establish a regular process for updating the maximum amount every other year going forward. The Company continues to monitor the development of these proposed rule revisions.

​

The Dodd-Frank Act established the CFPB and empowered it to exercise broad rulemaking, supervision, and enforcement authority for a wide range of consumer protection laws. Because the Bank’s total consolidated assets exceed $10 billion, the Bank is subject to the direct supervision of the CFPB. If the CFPB were to implement rules that negatively impacted the Bank’s products or services, it could have a material negative impact on its operations.

​

​

10

Table of Contents

The CFPB has broad powers to supervise and enforce consumer protection laws, including laws that apply to banks in order to prohibit unfair, deceptive or abusive acts or practices (“UDAAP”). The Dodd-Frank Act also clarified the federal preemption rules that are applicable to national banks and gives state attorney generals for the states certain powers to enforce federal consumer protection laws. A violation of the consumer protection and privacy laws, and in particular UDAAP, could have serious legal, financial, and reputational consequences.

​

The CFPB, FRB, and OCC are also authorized to collect fines and provide consumer restitution in the event of violations, engage in consumer financial education, track consumer complaints, request data and promote the availability of financial services to underserved consumers and communities. The CFPB is authorized to pursue administrative proceedings or litigation for violations of federal consumer financial laws. In these proceedings, the CFPB can obtain cease and desist orders (which can include orders for restitution or rescission of contracts, as well as other kinds of affirmative relief) and monetary penalties.

​

The final rules issued by the FRB, SEC, OCC, FDIC, and Commodity Futures Trading Commission implementing Section 619 of the Dodd-Frank Act (commonly known as the Volcker Rule) prohibit insured depository institutions and companies affiliated with insured depository institutions from (1) engaging in short-term proprietary trading of certain securities, derivatives, commodity futures and options on these instruments, for their own account and (2) sponsoring certain covered funds, subject to certain limited exceptions. The final rules of the Volcker Rule are not material to the Company’s investing and trading activities.

​

The Dodd-Frank Act requires U.S. financial regulators, including the FRB and the SEC, to adopt rules on incentive-based payment arrangements at specified regulated entities having at least $1 billion in total assets. In 2016, the federal banking regulators, the SEC, the Federal Housing Finance Agency and the National Credit Union Administration proposed revised rules on incentive-based compensation practices, which have not yet been finalized. If these or other regulations are adopted in a form similar to what has been proposed, they will impose limitations on the manner in which the Company may structure compensation for its employees, which could adversely affect the Company’s ability to hire, retain and motivate key employees.

​

The ongoing effects of the Dodd-Frank Act, as well as the recent and possible future changes to the regulatory framework as a result of the Economic Growth Act and future proposals make it difficult to assess the overall financial impact of the Dodd-Frank Act and related regulatory developments on the Company and the banking industry. As a result, the Company cannot predict the ultimate impact of the Dodd-Frank Act on the Company or the Bank, including the extent to which it could increase costs or limit the Company’s ability to pursue business opportunities in an efficient manner, or otherwise adversely affect its business, financial condition and results of operations. Nor can the Company predict the impact or substance of other future legislation or regulation. However, it is expected that future legislation or regulation at a minimum will increase the Company’s and the Bank’s operating and compliance costs. As rules and regulations continue to be implemented or issued, the Company may need to dedicate additional resources to ensure compliance, which may increase its costs of operations and adversely impact the Company’s earnings.

​

Capital Requirements

​

The Company and the Bank are required to comply with applicable capital adequacy standards established by the federal banking agencies (the “Capital Rules”) which are based on the Basel Committee on Banking Supervision’s (the “Basel Committee”) 2010 final capital framework for strengthening international capital standards, referred to as “Basel III”.

​

The Capital Rules, among other things, impose a capital measure called “Common Equity Tier 1,” (“CET1”) to which most deductions/adjustments to regulatory capital measures are to be made. In addition, the Capital Rules specify that Tier 1 capital consists of CET1 and “Additional Tier 1 capital” instruments meeting certain specified requirements.

​

Under the Capital Rules, the minimum capital ratios are as follows:

​

​

​

11

Table of Contents

The Capital Rules require the Company and the Bank to maintain a “capital conservation buffer” composed entirely of CET1. Banking organizations are required to maintain a minimum capital conservation buffer of 2.5% (CET1 to total risk-weighted assets), in addition to the minimum risk-based capital ratios. Therefore, to satisfy both the minimum risk-based capital ratios and the capital conservation buffer, a banking organization is required to maintain the following: (i) CET1 to total risk-weighted assets of at least 7%, (ii) Tier 1 capital to total risk-weighted assets of at least 8.5%, and (iii) Total capital (Tier 1 capital plus Tier 2 capital) to total risk-weighted assets of at least 10.5%. The capital conservation buffer is designed to absorb losses during periods of economic stress. Banking institutions that do not maintain a capital conservation buffer of 2.5% or more will face constraints on dividends, common share repurchases and incentive compensation based on the amount of the shortfall.

​

The Capital Rules provide for a number of deductions from and adjustments to CET1. These include, for example, the requirement that mortgage servicing rights, deferred tax assets dependent upon future taxable income and significant investments in non-consolidated financial entities be deducted from CET1 to the extent that any one such category exceeds 10% of CET1 or all such categories in the aggregate exceed 15% of CET1. Under the Capital Rules, the effects of certain accumulated other comprehensive income or loss items are not excluded for the purposes of determining regulatory capital; however, banks not using the advanced approach, including the Company and the Bank, were permitted to, and in the case of the Company and the Bank did, make a one-time permanent election to continue to exclude these items.

​

With respect to the Bank, the Capital Rules also revised the prompt corrective action (“PCA”) regulations established pursuant to Section 38 of the Federal Deposit Insurance Act, establishing the CET1 ratio at 6.5% for well-capitalized status and the Tier 1 capital ratio at 8.0% for well-capitalized status. The Capital Rules do not change the total risk-based PCA capital requirement for any capital category.

​

The Capital Rules prescribe a standardized approach for risk weighted-assets that expands the risk-weight categories from the four Basel I-derived categories (0%, 20%, 50% and 100%) to a larger and more risk-sensitive number of categories, depending on the nature of the asset. The risk-weight categories generally range from 0% for U.S. government and agency securities, to 1,250% for certain securitized exposures, and result in higher risk weights for a variety of asset categories. The standardized approach requires financial institutions to transition assets that are 90 days or more past due or on nonaccrual from their original risk weight to 150 percent. Additionally, loans designated as high volatility commercial real estate (“HVCRE”) are assigned a risk-weighting of 150 percent.

​

Requirements to maintain higher levels of capital or to maintain higher levels of liquid assets could adversely impact the Company’s net income and return on equity. The current requirements and the Company’s actual capital levels are detailed in Note P of “Notes to Consolidated Financial Statements” filed in Part II, Item 8, “Financial Statements and Supplementary Data.”

​

Consumer Protection Laws

​

In connection with its banking activities, the Bank is subject to a number of federal and state laws designed to protect consumers and promote lending to various sectors of the economy. These laws include but are not limited to the Equal Credit Opportunity Act, the Gramm-Leach-Bliley Act (“GLB Act”), the Fair Credit Reporting Act (“FCRA”), the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”), the Electronic Funds Transfer Act, the Truth in Lending Act, the Home Mortgage Disclosure Act, the Dodd-Frank Act, the Real Estate Settlement Procedures Act, the Secure and Fair Enforcement for Mortgage Licensing Act (“SAFE”), the Servicemembers Civil Relief Act (“SCRA”), the Military Lending Act (“MLA”), and various state law counterparts. These laws and regulations mandate certain disclosure requirements and regulate the manner in which financial institutions must interact with clients when taking deposits, making loans, collecting and servicing loans and providing other services. The Company is subject to regulation by the CFPB, which is responsible for promoting fairness and transparency for mortgages, credit cards, deposit accounts and other consumer financial products and services and for interpreting and enforcing the federal consumer financial laws that govern the provision of such products and services. The CFPB is also authorized to prevent any institution under its authority from engaging in an unfair, deceptive, or abusive act or practice in connection with consumer financial products and services.

​

​

12

Table of Contents

The GLB Act requires all financial institutions to adopt privacy policies, restrict the sharing of nonpublic customer data with nonaffiliated parties and establish procedures and practices to protect customer data from unauthorized access. The GLB Act also requires certain disclosures to consumers about information collection, sharing, and security practices and their right to “opt out” of the institution’s disclosure of their personal financial information to non-affiliated third-parties (with certain exceptions). In addition, the FCRA, as amended by the FACT Act, includes provisions affecting the Company, the Bank, and their affiliates, including provisions concerning obtaining consumer reports, furnishing information to consumer reporting agencies, maintaining a program to prevent identity theft, sharing of certain information among affiliated companies, and other provisions. The FACT Act requires persons subject to FCRA to notify their customers if they report negative information about them to a credit bureau or if they are granted credit on terms less favorable than those generally available. The FRB and the Federal Trade Commission have extensive rulemaking authority under the FACT Act, and the Company and the Bank are subject to the rules that have been created under the FACT Act, including rules regarding limitations on affiliate marketing and implementation of programs to identify, detect and mitigate certain identity theft red flags. The SCRA protects persons called to active military service and their dependents from undue hardship resulting from their military service, and the MLA extends specific protections if an accountholder, at the time of account opening, is a covered active duty member of the military or certain family members thereof. The SCRA applies to all debts incurred prior to the commencement of active duty and limits the amount of interest, including service and renewal charges and any other fees or charges (other than bona fide insurance) that are related to the obligation or liability. The MLA applies to certain consumer loans and extends specific protections if an accountholder, at the time of account opening, is a covered active duty member of the military or certain family members thereof. The Company and the Bank are also subject to data security standards and data breach notice requirements issued by various states, the OCC and other regulatory agencies. The Bank has created policies and procedures to comply with these consumer protection requirements.

​

The CFPB has implemented the ability-to-repay and qualified mortgage (QM) provisions of the Truth in Lending Act (the “QM Rule”) and has taken steps to modify the QM Rule. The ability-to-repay provision requires creditors to make reasonable, good faith determinations that borrowers are able to repay their mortgages before extending credit based on a number of factors and consideration of financial information about the borrower derived from reasonably reliable third-party documents. Under the Dodd-Frank Act and the QM Rule, loans meeting the definition of “qualified mortgage” are entitled to a presumption that the lender satisfied the ability-to-repay requirements. The presumption is a conclusive presumption/safe harbor for loans meeting the QM requirements, and a rebuttable presumption for higher-priced loans meeting the QM requirements. The Bank has created policies and procedures to comply with these consumer protection requirements and continues to monitor developments relative to future changes to the QM Rule.

​

Among other provisions, the federal banking rule under the Electronic Fund Transfer Act prohibits financial institutions from charging consumers fees for paying overdrafts on automated teller machines and one-time debit card transactions, unless a consumer consents, or opts in, to the overdraft service for those types of transactions. The rule does not govern overdraft fees on the payment of checks and certain other forms of bill payments.

​

In recent periods, the CFPB has finalized and proposed rules related to consumer financial data access, fee practices and other aspects of consumer banking. Certain of these rules are subject to legal challenge or further regulatory action and their ultimate scope, timing and applicability remain uncertain.

​

In May 2024, the SEC finalized amendments to require broker-dealers, investment companies and investment advisers registered with the SEC to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information. The amendments also require covered entities to notify, within 30 days, individuals affected by an incident involving sensitive customer information and provide them with details about the incident and other information intended to help affected individuals respond appropriately. Compliance with these amendments began on December 3, 2025.

​

The Bank Secrecy Act

​

The Bank Secrecy Act (“BSA”) requires all financial institutions, including banks and securities broker-dealers, to, among other things, establish a risk-based system of internal controls reasonably designed to prevent money laundering and the financing of terrorism. The BSA includes a variety of recordkeeping and reporting requirements (such as currency transaction and suspicious activity reporting), as well as due diligence/know-your-customer documentation requirements. The Company has established a BSA/anti-money laundering program and taken other appropriate measures in order to comply with BSA requirements.

13

Table of Contents

Anti-Money Laundering Act of 2020

​

The Anti-Money Laundering Act of 2020 (“AMLA”) amends the BSA and was enacted in January 2021. The AMLA was intended to reform and modernize U.S. bank secrecy and anti-money laundering laws. The Company has and will continue to review and monitor its anti-money laundering program to ensure it complies with the provisions of the AMLA.

​

In July 2024, the federal banking agencies, including the Federal Reserve and OCC, proposed amendments to update the requirements for supervised institutions to establish, implement and maintain effective, risk-based and reasonably designed AML and countering the financing of terrorism ("CFT") programs. The proposed amendments would require supervised institutions to identify, evaluate and document the regulated institution's money laundering, terrorist financing and other illicit finance activity risks, as well as consider, as appropriate, the U.S. Department of the Treasury's Financial Crimes Enforcement Network's ("FinCEN") published national AML/CFT priorities.

​

In August 2024, the Financial Crimes Enforcement Network (“FinCEN”), which drafts regulations implementing anti-money laundering legislation, adopted a rule extending anti-money laundering obligations, including maintenance of an anti-money laundering program and filing certain reports with FinCEN, to registered investment advisers, like certain of the Company’s subsidiaries. On December 31, 2025, FinCEN issued a final rule to extend the effective date of this rule from January 1, 2026 until January 1, 2028 to provide additional time for FinCEN to review and tailor the rule.

​

USA Patriot Act

​

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“USA Patriot Act”) imposes obligations on U.S. financial institutions, including banks and broker-dealer subsidiaries, to implement policies, procedures and controls which are reasonably designed to detect and report instances of money laundering and the financing of terrorism. In addition, provisions of the USA Patriot Act require the federal financial institution regulatory agencies to consider the effectiveness of a financial institution’s anti-money laundering activities when reviewing bank mergers and bank holding company acquisitions. The USA Patriot Act also encourages information-sharing among financial institutions, regulators, and law enforcement authorities by providing an exemption from the privacy provisions of the GLB Act for financial institutions that comply with the provision of the Act. Failure of a financial institution to maintain and implement adequate programs to combat money laundering and terrorist financing, or to comply with all of the relevant laws or regulations, could have serious legal, financial and reputational consequences for the institution. The Company has approved policies and procedures that are designed to comply with the USA Patriot Act and its regulations.

​

Office of Foreign Assets Control Regulation

​

The United States has imposed economic sanctions that affect transactions with designated foreign countries, nationals and others administrated by the Treasury’s Office of Foreign Assets Control (“OFAC”). The OFAC administered sanctions can take many different forms; however, they generally contain one or more of the following elements: (i) restrictions on trade with or investment in a sanctioned country, entity or individual, including prohibitions against direct or indirect imports and exports and prohibitions on “U.S. persons” engaging in financial transactions relating to making investments, or providing investment related advice or assistance; and (ii) a blocking of assets in which the government or specially designated nationals have an interest, by prohibiting transfers of property subject to U.S. jurisdiction (including property in the possession or control of U.S. persons). Blocked assets (e.g., property and bank deposits) cannot be paid out, withdrawn, set off or transferred in any manner without a license from OFAC. Failure to comply with these sanctions could have serious legal, financial, and reputational consequences. The Company has approved policies and procedures that are designed to comply with OFAC and its regulations.

​

14

Table of Contents

Sarbanes-Oxley Act of 2002

​

The Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley Act”) implemented a broad range of corporate governance, accounting and reporting reforms for companies that have securities registered under the Securities Exchange Act of 1934, as amended. In particular, the Sarbanes-Oxley Act established, among other things: (i) requirements for audit and other key Board of Directors committees involving independence, expertise levels, and specified responsibilities; (ii) responsibilities regarding the oversight of financial statements by the Chief Executive Officer and Chief Financial Officer of the reporting company; (iii) an independent accounting oversight board for the accounting industry; (iv) standards for auditors and the regulation of audits, including independence provisions which restrict non-audit services that accountants may provide to their audit clients; (v) increased disclosure and reporting obligations for the reporting company and its directors and executive officers including accelerated reporting of company stock transactions; (vi) a prohibition of personal loans to directors and officers, except certain loans made by insured financial institutions on non-preferential terms and in compliance with other bank regulator requirements; and (vii) a range of new and increased civil and criminal penalties for fraud and other violations of the securities laws. The Company has approved policies and procedures that are designed to comply with the Sarbanes-Oxley Act and its regulations.

​

Community Reinvestment Act of 1977

​

Under the CRA, the Bank is required to help meet the credit needs of its communities, including low- and moderate-income neighborhoods. Although the Bank must follow the requirements of CRA, it does not limit the Bank’s discretion to develop products and services that are suitable for a particular community or establish lending requirements or programs. In addition, the Equal Credit Opportunity Act and the Fair Housing Act prohibits discrimination in lending practices. The Bank’s failure to comply with the provisions of the CRA could, at a minimum, result in regulatory restrictions on its activities and the activities of the Company. The Bank’s failure to comply with the Equal Credit Opportunity Act and the Fair Housing Act could result in enforcement actions against it by its regulators as well as other federal regulatory agencies and the Department of Justice. The Bank’s most recent CRA rating was “Satisfactory”.

​

On October 24, 2023, the FRB, FDIC and OCC jointly issued a final rule intended to strengthen and modernize regulations implementing the CRA to encourage banks to expand access to credit, investment, and banking services in low- and moderate-income communities, adapt to changes in the banking industry, including internet and mobile banking, provide greater clarity and consistency in the application of the CRA regulations and tailor CRA evaluations and data collection to bank size and type. The implementation of this rule was subsequently stayed and on July 16, 2025 the FRB, FDIC and OCC jointly issued a proposal to rescind the aforementioned rule and replace it with the prior CRA regulations, with certain technical amendments. Accordingly, the CRA continues to be administered under the regulatory framework in effect prior to the issuance of the October 2023 final rule.

​

Cyber Security

​

The federal bank regulators have adopted rules providing for new notification requirements for banking organizations and their service providers for significant cybersecurity incidents. Specifically, the new rules require a banking organization to notify its primary federal regulator as soon as possible, and no later than 36 hours after, the banking organization determines that a "computer-security incident" rising to the level of a "notification incident" has occurred. Notification is required for incidents that have materially affected or are reasonably likely to materially affect the viability of a banking organization's operations, its ability to deliver banking products and services, or the stability of the financial sector. Service providers are required under the rule to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect the banking organization's customers for four or more hours.

​

​

15

Table of Contents

Guidance for Third-Party Relationships

​

On June 9, 2023, the Federal Reserve, OCC, and FDIC issued final interagency guidance on risk management of third-party relationships. The interagency guidance is based, in part, on the regulators’ previously existing third-party risk management guidance from 2013 and seeks to, among other things, promote consistency in third-party risk management and provide sound risk management guidance for third-party relationships commensurate with a bank's risk profile and complexity as well as the criticality of the activity. The final interagency guidance replaces each agency's existing guidance on this topic and is directed to all banking organizations supervised by the Federal Reserve, OCC, and FDIC. Additionally, third-party relationship risk management and banking-as-a-service arrangements (including with respect to deposit products and services) have continued to be topics of focus for federal bank regulators in 2025 and further rulemaking activity or guidance may be forthcoming.

​

Guiding and Establishing National Innovation for U.S. Stablecoins Act

​

On July 18, 2025, the Guiding and Establishing National Innovation for U.S. Stablecoins Act (the “GENIUS Act”) became U.S. law. The statute provides a federal regulatory framework for the issuance of stablecoins. If stablecoins become widely adopted by retail and/or commercial bank depositors as a substitute for bank accounts, financial institutions, such as CBNA, would experience a substantial negative impact on their liquidity, ability to originate loans and related interest income. It is highly uncertain what the impact of this law will be on CBNA’s future financial condition.

​

Future Legislation and Regulation

​

Laws, regulations and policies are continually under review by Congress and state legislatures and federal and state regulatory agencies. In addition to the specific legislation and regulations described above, future legislation and regulations or changes to existing statutes, regulations or regulatory policies applicable to the Company and its subsidiaries may affect the business, financial condition and results of operations in adverse and unpredictable ways and increase reporting requirements and compliance costs. The substance or impact of pending or future legislation or regulation, or the application thereof, cannot be predicted.

​

16

Table of Contents

Information about Our Executive Officers

The executive officers of the Company and the Bank who are elected by the Board of Directors are as follows:

​

​

​