CENTRAL PACIFIC FINANCIAL CORP (CPF) Business

ITEM 1.    BUSINESS

General

Central Pacific Financial Corp. is a Hawaii corporation and a registered bank holding company under the Bank Holding Company Act of 1956, as amended (the "BHC Act"). CPF was organized on February 1, 1982, and serves as the holding company for its principal subsidiary, Central Pacific Bank. The Bank was incorporated in its present form in the State of Hawaii on March 16, 1982, following a holding company reorganization. Its predecessor entity was originally incorporated in the State of Hawaii on January 15, 1954.

CPF reports financial results on a fiscal year ending December 31, and operates as a single reportable segment: banking operations.

Throughout this document, "Central Pacific Bank" is referred to as "our Bank" or "the Bank" and "the Company," "we," "us" or "our," refers to Central Pacific Financial Corp. on a consolidated basis. The terms "Central Pacific Financial Corp.," "CPF," or "the holding company", refers to the parent company on a standalone basis.

Branch Network

Through our Bank and its subsidiaries, we provide full-service commercial banking through 27 bank branches and 55 ATMs located across the State of Hawaii. Our administrative and main offices are located in Honolulu, and we operate 20 branches on the island of Oahu. In addition, we have four branches on Maui, two on Hawaii Island, and one on Kauai.

Products and Services

Central Pacific Bank offers a full range of deposit and lending products and services to consumer and business customers. These include accepting demand, money market, savings, and time deposits, as well as originating commercial and industrial, construction, commercial real estate, residential mortgage, home equity, and consumer loans. We also offer cash management, digital banking, fiduciary and investment management services. Our Bank's deposits are insured by the Federal Deposit Insurance Corporation ("FDIC") up to applicable limits. The Bank became a member of the Federal Reserve System ("Federal Reserve") in January 2025, making the Federal Reserve Bank ("FRB") its primary federal regulator.

Financial Performance Drivers

We derive income primarily from interest and fees on loans, interest and dividends on investment securities, and fees related to deposit and other services. Major operating expenses include interest paid on deposits and borrowings, salaries and employee benefits, and general operating costs. Our relationship-based Hawaii retail and small business deposits provide stable, low-cost funding to support balance sheet growth and margin optimization. We seek to diversify funding sources through strategic partnerships with customers in Japan and Korea.

Lending Activities

Through our Bank, we concentrate our lending activities in five principal areas:

(1)Residential Mortgage Lending.  Includes fixed-rate and adjustable-rate loans primarily secured by single-family, owner-occupied residences in Hawaii, as well as home equity lines of credit and loans. We typically require loan-to-value ratios of not more than 80%, although higher levels are permitted with mortgage insurance. Changes in interest rates, economic conditions, and other market factors impact collateral values and borrower financial condition, affecting credit risk. A portion of our first mortgage originations are sold in the secondary market, while the remainder is retained in our loan portfolio.

(2)Commercial and Industrial Lending.  Consists primarily of term loans and lines of credit to small and middle-market businesses and professionals in Hawaii. Operating cash flow from the borrower's business is typically the primary source of repayment, but our underwriting generally requires additional collateral, such as real estate and business assets, and personal guarantees where possible to mitigate risk.

(3)Commercial Mortgage Lending.  Includes loans secured by commercial real estate, such as multi-family residential properties, industrial facilities, warehouses, offices, retail spaces, healthcare facilities, hotels, and religious dwellings.

3

Table of Contents

Underwriting generally requires net cash flow from the property to cover the debt service while maintaining reserves, with liquidation of collateral considered as a secondary source of repayment.

(4)Construction Lending.  Includes loans for construction, land development, and other land loans for residential and commercial projects.

(5)Consumer Lending.  Includes loans that are generally unsecured or secured by personal assets, such as automobiles, with relatively small average loan sizes.

Our Heritage

Central Pacific Bank was founded by World War II veterans who, despite returning home as war heroes, faced limited banking opportunities in Hawaii. In response, they established the Bank to serve individuals and small businesses that lacked access to financial services at the time. This commitment to creating opportunity and serving our community continues in the present day as we strive to deliver exceptional customer service and tailored financial products to meet the unique needs of our customers and the communities we serve.

Our Strategic Focus

Our strategic focus is to be a top-performing bank that consistently delivers superior financial results, operational excellence, and shareholder returns across economic cycles. To drive growth, diversify our balance sheet, and strengthen resilience, we focus on markets and niche segments that differentiate our Bank. These include small businesses and homeowners in Hawaii, strategic partnerships with financial institutions in Japan and Korea, U.S. Mainland lending to diversify our loan portfolio and manage interest rate risk, and the integration of Wealth Management to provide a full spectrum of services to meet client needs.

Our strategy is financially driven and supported by a customer-centric approach, built on the following core elements: (i) stable, low-cost funding; (ii) disciplined credit selection; (iii) thoughtful diversification; (iv) capital optimization and shareholder returns; and (v) prudent risk and capital management.

Employees and Workforce

We believe the success of our business is largely due to the quality of our employees, the development of their full potential, and our ability to provide timely and meaningful rewards to our employees. At December 31, 2025, we employed 763 individuals, including 722 full-time and 41 part-time employees. We are not a party to any collective bargaining agreements.

We actively encourage and support employee growth and development by prioritizing internal promotions and transfers wherever possible. Continuous learning and career development are advanced through a combination of formal processes, internally developed programs, and external learning opportunities, including:

•Continuous performance development and annual reviews;

•A culture‑ and people‑focused training program for new managers designed to strengthen leadership capabilities, employee engagement, and effective people management practices;

•A comprehensive sales and technical training framework that aligns product, sales, and technical training programs under a unified, enterprise‑wide structure to support consistent skill development and performance standards;

•Internally developed training programs, conferences, and other job-related learning opportunities;

•Tuition reimbursement for approved courses or degree programs, as well as payment of fees paid for professional certifications;

•Participation in external leadership development programs such as the Pacific Coast Banking School, through which a cohort of two to three high-potential employees attends annually; and

•CPB Toastmasters, which supports employees developing public speaking, communication and leadership skills.

The safety, health, and wellness of our employees remain a top priority. We promote work-life balance through flexible work arrangements, comprehensive health care benefits, and sponsor various wellness programs.

Employee retention is critical to our efficiency and commitment to exceptional service. We believe our strong core values, focus on employee well-being, career support, and competitive compensation and benefits, including health insurance and retirement savings plans, aids in retention of our top-performing employees. In addition to base salary, our compensation program includes variable pay (e.g., commission, incentive, bonus) designed to motivate and reward high performance that

4

Table of Contents

aligns with our corporate strategy and business objectives. At December 31, 2025, the employee average tenure was 9 years and 33% of our staff had been with us for 10 years or more.

Our Market Area and Competition

Our operations, like those of other financial institutions in our market, are significantly influenced by economic conditions in Hawaii, particularly the strength of the real estate market and the tourism industry, as well as the fiscal and regulatory policies of federal and state governments and the authorities that regulate financial institutions.

Based on deposit market share among FDIC-insured financial institutions in Hawaii, Central Pacific Bank is ranked as the fourth-largest depository institution in the state as of December 31, 2025.

The banking and financial services industry in Hawaii, particularly within our target market areas, is highly competitive. We compete for loans, deposits, and customers with a broad range of financial service providers, including commercial and savings banks, securities and brokerage firms, financial technology ("fintech") companies, mortgage companies, insurance companies, finance companies, credit unions, and other non-bank financial service providers. This competition also includes online mortgage lenders and brokers operating through digital platforms.

To differentiate ourselves in this competitive environment, we emphasize strong personal relationships between our customers and our officers, directors, and employees, as well as specialized services designed to meet the unique needs of our customers and the communities we serve. We believe our competitive advantage lies in offering flexibility, superior customer service, competitive pricing, robust digital banking capabilities, and locally-focused promotional activities.

For further discussion of factors affecting our operations see, "Part II, Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations."

Business Concentrations

No individual or single group of related accounts is considered material in relation to the assets or deposits of our Bank, or in the overall business of the Company. Approximately 80% of our loan portfolio at December 31, 2025 consisted of real estate-related loans, including residential mortgage loans, home equity loans, commercial mortgage loans, and construction loans. See "Part II, Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations—Financial Condition—Loan Portfolio."

Our business activities are concentrated primarily in Hawaii. Consequently, our financial condition and results of operations are closely tied to the economic trends in Hawaii, particularly in the commercial and residential real estate markets. During periods of economic strength, real estate markets typically perform well; during periods of economic weakness, they are adversely affected.

Our Subsidiaries

Central Pacific Bank is the wholly-owned principal subsidiary of Central Pacific Financial Corp. As of December 31, 2025, other wholly-owned subsidiaries include CPB Capital Trust IV and CPB Statutory Trust V.

Central Pacific Bank owns 50% of One Hawaii HomeLoans, LLC ("One Hawaii"). One Hawaii was inactive in 2024 and 2025 and will be accounted for as a variable interest entity and consolidated into the Company's financial statements when activity begins.

Central Pacific Bank also owns 50% of Gentry HomeLoans, LLC, Haseko HomeLoans, LLC, and Island Pacific HomeLoans, LLC, which are accounted for under the cost method and reported as investments in unconsolidated entities in the Company's consolidated balance sheets.

The Company sponsors the Central Pacific Bank Foundation, which is not consolidated in the Company's financial statements.

5

Table of Contents

Supervision and Regulation

General

The Company and the Bank are subject to extensive regulation and oversight by federal and state laws and regulatory agencies. These regulations are designed to protect depositors, the FDIC deposit insurance fund, borrowers, and to promote the stability of the United States of America ("U.S.") banking system.

The following discussion summarizes certain statutes and regulations applicable to us; it is not exhaustive and is qualified in its entirety by reference to the actual laws and regulations. We cannot predict if or when new legislation will be enacted or new regulations or guidance will be issued, nor the impact such changes may have on community banks generally or on our financial condition and results of operations. Future developments could increase or decrease the cost of doing business, limit or expand permissible activities or alter the competitive landscape among banks, savings associations, credit unions, and other financial institutions. Similarly, we cannot predict whether regulatory requirements will be reduced or eliminated or the overall effect such changes may have on the Company and the Bank.

Regulatory Oversight

Central Pacific Financial Corp. is a separate legal entity from its subsidiaries and serves as the bank holding company for Central Pacific Bank. CPF is regulated under the BHC Act and is subject to inspection, examination, and supervision by the FRB. CPF is also governed by Hawaii's Code of Financial Institutions and overseen by the Hawaii Division of Financial Institutions ("DFI").

As a publicly traded company, CPF is subject to disclosure and reporting requirements under the Securities Act of 1933, as amended, and the Securities Exchange Act of 1934, as amended (the "Exchange Act"), as administered by the U.S. Securities and Exchange Commission ("SEC"). Our common stock is listed on the New York Stock Exchange ("NYSE") under the symbol "CPF," and we comply with NYSE listing standards. We are also subject to the corporate governance and accounting requirements of the Sarbanes-Oxley Act of 2002, which include executive certifications of financial statements, audit committees requirements, disclosure of controls and procedures, and the establishment and testing of internal controls over financial reporting.

Central Pacific Bank is a Hawaii state-chartered bank with deposits insured by the FDIC. On January 24, 2025, the Bank became a member of the Federal Reserve System, making the FRB its primary federal regulator. Previously, the Bank was regulated primarily by the FDIC. Upon joining the Federal Reserve System, the Bank subscribed to Federal Reserve Bank capital stock equal to 6% of its capital and surplus.

As a Hawaii state-chartered bank, the Bank is subject to extensive federal and state laws and regulations governing permissible activities, investments, reserves against deposits, funds availability, dividends, lending practices, collateral requirements, loan servicing and foreclosure, transactions with affiliates and insiders, borrowings, capital standards, check-clearing, branching, and mergers and acquisitions.

The Company is also subject to regulations issued by the Consumer Financial Protection Bureau ("CFPB"), Federal Trade Commission ("FTC"), and FRB. During periodic examinations, the DFI and FRB assess our financial condition, capital resources, asset quality, management, earnings prospects, liquidity, market sensitivity, and other aspects of our operations. These agencies also evaluate management effectiveness and compliance with applicable laws or regulations.

Regulatory Enforcement Authority

Federal and Hawaii regulators have broad discretion in supervising and enforcing banking laws, including examination policies, asset classification standards, and requirements for adequate loan loss reserves. To promote safety and soundness, these

6

Table of Contents

agencies have adopted guidelines designed to identify and address potential risks before an institution's capital becomes impaired. These guidelines establish operational and managerial standards in areas such as:

1.Internal controls, information systems, and audit processes;

2.Loan documentation and credit underwriting;

3.Interest-rate management;

4.Asset growth and quality; and

5.Compensation, fees, and benefits.

Further, the regulatory agencies have adopted safety and soundness guidelines for asset quality and for evaluating and monitoring earnings to ensure that earnings are sufficient for the maintenance of adequate capital and reserves.

If an examination reveals deficiencies in financial condition, capital resources, asset quality, earnings prospects, management, liquidity, market sensitivity, or compliance with laws and regulations, the FRB, DFI, and the FDIC have authority to:

•Require corrective action for violations or unsafe practices;

•Direct increases in capital and impose higher minimum capital ratios, which may limit acceptance of brokered deposits;

•Restrict growth, including geographic expansion, new products, mergers and acquisitions;

•Issue informal or formal enforcement actions, such as memoranda of understanding, written agreements, consent orders, cease-and-desist orders, or prompt corrective action directives;

•Require prior approval for changes in senior executive officers or directors; remove officers and directors; and assess civil monetary penalties; and

•Terminate FDIC insurance, revoke the charter and/or take possession of and close and liquidate the Bank or appoint a receiver, which for a Hawaii state-chartered bank would result in a revocation of its charter.

Legislative and Regulatory Developments

Federal banking agencies have authority to issue regulations and guidelines to ensure safety and soundness of banks and the stability of the U.S. banking system. Changes in administration can influence regulatory priorities, including rulemaking, supervision, examination, and enforcement. While future changes may occur, the scope and impact of such changes cannot currently be determined.

Capital Adequacy Requirements

Bank holding companies and banks are subject to regulatory capital requirements administered by federal and state banking agencies, including the Basel III Capital Rule. These rules establish minimum risk-based and leverage capital ratios designed to ensure the safety and soundness of financial institutions.

The FRB monitors the Company's capital adequacy on a consolidated basis, and the Bank's capital adequacy is supervised by its federal and state regulators, including the FRB and the DFI. Both the Company and the Bank must comply with Basel III minimum risk-based and leverage capital requirements and the Capital Conservation Buffer.

These requirements implement international Basel III standards in the United States, and certain provisions of the Dodd-Frank Act. Regulators may require higher capital levels than the minimums based on an institution's size, complexity or risk profile.

Overview of Risk-Based Capital Guidelines

Under Basel III, capital requirements vary based on the risk profile of both on-balance sheet assets (such as loans) and off-balance sheet exposures (such as commitments, letters of credit, and recourse arrangements). Risk-based capital ratios are calculated by assigning risk weights to assets and certain off-balance sheet items, then dividing qualifying capital by total risk-weighted assets, with higher-risk categories requiring higher levels of capital.

Institutions engaged in significant trading activity may also be subject to the market risk capital guidelines, which incorporate additional market and interest rate risk components.

7

Table of Contents

Minimum Capital Ratios

Under Basel III, the Company's and the Bank's on-balance sheet assets, certain exposures, and eligible off-balance sheet items are assigned risk weights to determine risk-weighted assets. These risk-weighted assets are used as the denomimator to calculate the following minimum capital ratios:

•Tier 1 Leverage Ratio: Tier 1 capital divided by quarterly average assets (net of goodwill, other intangible assets, and certain other deductions).

•Common Equity Tier 1 ("CET1") Risk-Based Capital Ratio: CET1 capital divided by risk-weighted assets. CET1 capital primarily includes common stockholders' equity, subject to certain regulatory adjustments. The Bank elected to exclude accumulated other comprehensive income from regulatory capital. This election was made in order to avoid significant variations in our levels of capital depending upon the impact of interest rate fluctuations on the fair value of our Bank’s available-for-sale securities portfolio.

•Tier 1 Risk-Based Capital Ratio: Tier 1 capital divided by risk-weighted assets. Tier 1 capital includes CET1 capital, perpetual preferred stock, and certain qualifying capital instruments. Hybrid securities, such as trust preferred securities, are generally excluded from Tier 1 capital; however, for bank holding companies with less than $15 billion in total consolidated assets, certain trust preferred securities are grandfathered for inclusion in Tier 1 capital.

•Total Risk-Based Capital Ratio: Total capital (CET1 capital, Tier 1 capital, and Tier 2 capital) divided by risk-weighted assets. Tier 2 capital includes qualifying subordinated debt and allowance for credit losses. Tier 2 capital also includes, among other things, certain trust preferred securities.

For Prompt Corrective Action purposes applicable to insured depository institutions, an institution is "well‑capitalized" if it meets all of the following thresholds and is not subject to a relevant regulatory order:

•Tier 1 Leverage Ratio ≥ 5.0%

•CET1 Risk‑Based Capital Ratio ≥ 6.5%

•Tier 1 Risk‑Based Capital Ratio ≥ 8.0%

•Total Risk‑Based Capital Ratio ≥ 10.0%

The Federal Reserve has not updated its well‑capitalized standard for bank holding companies to fully reflect Basel III; therefore, the PCA “well‑capitalized” thresholds above are those applied to the insured depository institution level under current rules. Our capital ratios as of December 31, 2025, exceed these thresholds. Regulators may require capital levels above minimums based on prevailing economic conditions or our specific risk profile.

Consequences of Non-Compliance

Failure to meet minimum or well-capitalized standards could trigger mandatory and discretionary regulatory actions, including restrictions on dividends, capital distributions, and regulatory approvals. Such actions could materially affect our operations and financial condition.

Capital Conservation Buffer

In addition to minimum capital ratios, Basel III requires a Capital Conservation Buffer of 2.50% above the minimum CET1 ratio to avoid restrictions on capital distributions and certain discretionary bonuses. The Capital Conservation Buffer effectively raises the required risk-based capital ratios. The Tier 1 Leverage Ratio is not impacted by the Capital Conservation Buffer, meaning an institution may be considered well-capitalized while failing to meet the Capital Conservation Buffer requirements.

The table below summarizes the capital requirements that the Company and the Bank must satisfy to avoid limitations on capital distributions and certain discretionary bonus payments (i.e., the required minimum capital ratios plus the Capital Conservation Buffer):

8

Table of Contents

As of December 31, 2025, the Company and the Bank were well-capitalized for regulatory purposes. For a detailed tabular presentation of the Company’s and the Bank’s capital ratios as of December 31, 2025, see Note 23 - Parent Company and Regulatory Restrictions to the Consolidated Financial Statements under "Part II, Item 8. Financial Statements and Supplementary Data".

Basel IV and U.S. Implementation

In December 2017, the Basel Committee published standards described as the finalization of Basel III post-crisis regulatory reforms, commonly referred to as "Basel IV." These standards revise the Basel Committee's standardized approach for credit risk (including recalibrating risk weights and introducing new capital requirements for certain "unconditionally cancellable commitments," such as unused credit card lines of credit), and establishes a new standardized approach for operational risk capital.

Under the Basel framework, as amended, these standards became effective on January 1, 2023, with an aggregate output floor phasing in through January 1, 2028. Under the current U.S. capital rules, operational risk capital requirements and capital floors apply only to advanced approaches institutions, and therefore do not apply to the Company and the Bank.

In July 2023, the FRB, OCC, and FDIC proposed significant changes to the current Basel III capital rules. These proposals would replace the advanced approaches risk-weighted assets framework with a new enhanced risk-based framework and require banking organizations with $100 billion or more in assets to calculate regulatory capital using more stringent requirements applicable to even larger organizations.

The impact of any changes to capital requirements, calculations, and implementation of Basel IV on the Company will depend on how these standards are adopted by U.S. federal banking regulators.

Prompt Corrective Action Provisions

The Federal Deposit Insurance Act requires federal banking regulators to take "prompt corrective action" when a depository institution fails to meet certain capital adequacy standards. Such actions may include, among other measures, requiring the institution to submit and implement an acceptable capital restoration plan.

Federal regulations establish five capital categories for insured depository institutions: well-capitalized, adequately capitalized, under-capitalized, significantly under-capitalized, and critically under-capitalized.

As an institution's capital category declines, it becomes subject to progressively more stringent restrictions and requirements, which may include limitations on permitted activities, operational practices, asset growth, and the ability to pay dividends or executive bonuses, as well as increased regulatory oversight.

In addition, an institution that is classified as well-capitalized, adequately capitalized, or under-capitalized may, upon notice and an opportunity for a hearing, be treated as though it were in the next lower capital category if its primary regulator determines that an unsafe or unsound condition or practice warrants such treatment.

To be considered well-capitalized, the Bank must now maintain a CET1 ratio of 6.5%, a Tier 1 capital ratio of at least 8%, a total capital ratio of at least 10%, and a leverage ratio of at least 5%.

Regulators may also require banks and bank holding companies that are subject to enforcement actions to maintain capital ratios above the minimum well-capitalized thresholds. In such cases, an institution may lose its well-capitalized designation and become subject to restrictions, including limitations on accepting brokered deposits.

Volcker Rule

In December 2013, federal banking agencies adopted final rules implementing the Volker Rule, a provision of the Dodd-Frank Act. Subject to certain exceptions, these rules prohibit banking entities from engaging in proprietary trading and from sponsoring or investing in certain entities, including hedge funds and private equity funds classified as "covered funds."

In July 2019, regulators finalized a rule exempting community banks with $10 billion or less in total consolidated assets and total trading assets and liabilities of 5% or less of total consolidated assets (and which is not controlled by a company whose

total assets and total trading assets and liabilities are in excess of such amounts), from the Volcker Rule. The Bank qualifies for this exemption.

9

Table of Contents

Brokered Deposits

The FDIC restricts the acceptance of brokered deposits to institutions that are well-capitalized. Institutions that are less than well-capitalized may not accept, renew, or roll over brokered deposits without an FDIC waiver. As of December 31, 2025, the Bank was well-capitalized and had no restrictions on accepting brokered deposits.

Bank Holding Company Regulation

Federal and state banking laws impose a broad range of requirements and restrictions on bank holding companies and their subsidiaries. These may include:

•Reporting Requirements: Submission of regular periodic reports and any additional information requested by the Federal Reserve;

•Capital Requirements: Compliance with minimum capital requirements (see the "Capital Adequacy Requirements" section above and the "Capital Resources" section in the MD&A);

•Source of Strength Doctrine: Bank holding companies must serve as a source of financial and managerial strength for subsidiary banks and provide necessary resources. If a subsidiary bank fails to maintain adequate capital, regulators may require "prompt corrective action" (see the "Prompt Corrective Action Provisions" section above);

•Dividend Restrictions: Limitation on dividends payable to shareholders and restrictions on obtaining dividends or other distributions from subsidiary banks;

•Risk Mitigation: Authority to require termination of activities or divestiture of subsidiaries, affiliates or investments deemed to pose significant risk to the safety, soundness or stability of any bank subsidiary;

•Management Oversight: Prior approval for changes in senior executive officers or directors; prohibition of golden parachute payments and certain employment agreements when the company is in troubled condition;

•Debt Regulation: Oversight of certain debt provisions, including interest ceilings, reserve requirements, and prior approval for purchasing or redeeming securities in specific circumstances;

•Acquisition Approvals: Prior regulatory approval is required to acquire 5% or more of voting stock of a bank or bank holding company, as well as for mergers or acquisitions, which are evaluated based on competitive (anti-trust), financial, and managerial considerations; and

•Control Presumptions: Prior notice or approval for acquiring control of a bank or bank holding company, with ownership or control of 10% of voting stock generally presumed to constitute control.

Change in Bank Control

Under the Change in Bank Control Act (“CIBCA”) and Regulation Y, any person seeking to acquire control of a bank or its holding company must provide prior notice to the Federal Reserve. A "person" includes individuals and entities such as corporations, partnerships, trusts, and joint venture. Control is generally defined as ownership, control, or the power to vote 25% or more of any class of voting securities. Regulations also establish rebuttable presumptions of control.

Other Restrictions on the Company's Activities

Bank holding companies (BHCs) may engage in non-banking activities deemed "closely related to banking" under section 4(c)(8) of the Bank Holding Company Act, subject to Federal Reserve approval or prior notice. Companies that elect and maintain "financial holding company" status under the Gramm-Leach-Bliley Act of 1999 ("GLBA") may engage in broader activities, including securities, insurance, and merchant banking, without prior approval. To qualify, the bank holding company and its depository institution subsidiaries must be well-capitalized, well managed, and in satisfactory compliance with the Community Reinvestment Act ("CRA").

Failure to maintain these standards or correct any deficiencies within prescribed timeframes may result in divestiture of subsidiary banks or the termination of nonconforming activities. The Company has not elected financial holding company status, and neither the Company nor the Bank engages in any activities classified by the Federal Reserve as non-banking or financial in nature.

10

Table of Contents

Dividends and Stock Repurchases

The Company may be limited in its ability to pay dividends or repurchase its stock by the Federal Reserve, including if doing so would be an unsafe or unsound banking practice. When a bank holding company intends to declare or pay a dividend that could raise safety and soundness concerns, it generally will be required to inform and consult with the Federal Reserve in advance. It is the policy of the Federal Reserve that a bank holding company should generally pay dividends on common stock only out of earnings, and only if prospective earnings retention is consistent with the company’s capital needs and overall current and prospective financial condition. Additionally, bank holding companies should inform and consult with the Federal Reserve in advance of declaring and paying a dividend that exceeds earnings for the period for which the dividend is being paid.

According to guidance from the Federal Reserve, a bank holding company’s dividend policies will be assessed against, among other things, its ability to achieve applicable capital ratio requirements. If a bank holding company does not achieve applicable capital ratio requirements, it may not be able to pay dividends. Subject to regulatory and statutory restrictions, including restrictions under applicable Hawaii law and federal regulation, future cash dividends by the Company will depend upon management's assessment of future capital requirements, contractual restrictions and other factors. The Company cannot provide any assurance that it will continue to pay any dividends on its common stock.

A bank holding company may be required to give the Federal Reserve prior written notice before purchasing or redeeming its equity securities if the gross consideration for the purchase or redemption, when aggregated with the net consideration paid by the bank holding company for all such purchases or redemptions during the preceding 12 months, is equal to 10.00% or more of the bank holding company’s consolidated net worth. The Federal Reserve may disapprove such a purchase or redemption if it determines that the proposal would constitute an unsafe or unsound practice or would violate any law, regulation, Federal Reserve order, or any condition imposed by or written agreement with the Federal Reserve. However, this prior notice requirement does not apply to any bank holding company that meets certain “well-capitalized” and “well-managed” standards and is not the subject of any unresolved supervisory issues.

In addition, a bank holding company is required to consult with the Federal Reserve before redeeming certain tier 1 and tier 2 capital instruments. To qualify as additional tier 1 capital, redemption or repurchase of the capital instrument requires prior approval of the Federal Reserve. Similarly, to qualify as tier 2 capital, redemption of the instrument prior to maturity or repurchase requires the prior approval of the Federal Reserve. Further, a bank holding company is required to consult with the Federal Reserve before redeeming any equity or other capital instrument included in Tier 1 or Tier 2 capital prior to stated maturity if such redemption could have a material effect on the level or composition of the organization’s capital base.

On January 27, 2026, the Company's Board of Directors authorized a share repurchase plan (the "2026 Repurchase Plan"), permitting the repurchase of up to $55.0 million of the Company's common stock. Repurchases may be made from time to time in the open market or through privately negotiated transactions. The 2026 Repurchase Plan replaced and superseded in its entirety the share repurchase program previously approved by the Company’s Board of Directors. During the year ended December 31, 2025, the Company repurchased 788,261 shares of common stock, at an aggregate cost of $23.3 million under the Company's 2025 Repurchase Plan. The Company cannot provide any assurance that it will continue to repurchase any shares of its common stock. The Company is also subject to applicable limitations on its ability to pay dividends and make distributions under applicable provisions of Hawaii law.

The Bank is a legal entity that is separate and distinct from its holding company. The Company relies on dividends received from the Bank for use in the operation of the Company and the ability of the Company to pay dividends to shareholders. Future cash dividends by the Bank will also depend upon management’s assessment of future capital requirements, contractual restrictions, and other factors. Current capital rules may restrict dividends by the Bank if the additional capital conservation buffer is not achieved. See section entitled “—Capital Adequacy Requirements” for further discussion. The ability of the Bank to declare a cash dividend to the Company is subject to applicable federal and Hawaii law. Subject to regulatory and statutory restrictions, including restrictions under applicable Hawaii law and federal regulation, future cash dividends by the Bank will depend upon management's assessment of future capital requirements, contractual restrictions and other factors. The Company cannot provide any assurance that the Bank will be able to continue to pay dividends to the Company.

FRB, FDIC and DFI Enforcement Authority

The federal and Hawaii regulatory structure gives the bank regulatory agencies extensive discretion in connection with their supervisory and enforcement activities and examination policies, including policies with respect to the classification of assets and the establishment of adequate loan loss reserves for regulatory purposes. The regulatory agencies have adopted guidelines to assist in identifying and addressing potential safety and soundness concerns before an institution's capital becomes impaired. The guidelines establish operational and managerial standards generally relating to: (1) internal controls, information systems,

11

Table of Contents

and internal audit systems; (2) loan documentation; (3) credit underwriting; (4) interest-rate exposure; (5) asset growth and asset quality; and (6) compensation, fees, and benefits. Further, the regulatory agencies have adopted safety and soundness guidelines for asset quality and for evaluating and monitoring earnings to ensure that earnings are sufficient for the maintenance of adequate capital and reserves. If, as a result of an examination, the DFI or the FRB should determine that the financial condition, capital resources, asset quality, earnings prospects, management, liquidity, market sensitivity, or other aspects of the Bank's operations are unsatisfactory or that the Bank or its management is violating or has violated any law or regulation, the DFI and the FRB, and separately the FDIC as insurer of the Bank's deposits, have residual authority to:

•require affirmative action to correct any conditions resulting from any violation or practice;

•direct an increase in capital and the maintenance of higher specific minimum capital ratios, which may preclude the Bank from being deemed well-capitalized and restrict its ability to accept certain brokered deposits;

•restrict the Bank's growth geographically, by products and services, or by mergers and acquisitions, including bidding in FDIC receiverships for failed banks;

•enter into or issue informal or formal enforcement actions, including required board resolutions, memoranda of understanding, written agreements and consent or cease and desist orders or prompt corrective action orders to take corrective action and cease unsafe and unsound practices;

•require prior approval of senior executive officer or director changes; remove officers and directors and assess civil monetary penalties; and

•terminate FDIC insurance, revoke the charter and/or take possession of and close and liquidate the Bank or appoint the FDIC as receiver, which for a Hawaii state-chartered bank would result in a revocation of its charter.

Mergers and Acquisitions

In 2024, the OCC and FDIC issued policy statements which conveyed a heightened level of scrutiny for bank merger and acquisition activity. Following the election of President Trump, in May 2025 the FDIC rescinded its 2024 policy statement on bank merger review and instead reverted to prior guidance from 1998. Similarly, the OCC issued an interim final rule that rescinded its 2024 policy statement and reinstated regulatory provisions allowing for automatic expedited processing for certain eligible mergers and acquisitions. Subsequently, President Trump executed a resolution, which, among other things, prevents an agency from reissuing a substantially similar rule. Accordingly, with the FDIC and OCC reinstating pre-2024 policies, we believe applicants have a more predictable merger approval path for qualifying transactions. The FRB has not issued new merger and acquisition regulations or policy statements but has recently approved a number of larger acquisitions. The full impact of the election of President Trump on bank mergers and acquisition policy has yet to be fully determined.

In September, 2024, the Department of Justice ("DOJ") announced that it withdrew its 1995 Bank Merger Guidelines and, instead, for purposes of evaluating the competitive impact of bank mergers, will rely on its 2023 Merger Guidelines which apply to all industries. For banks considering combinations where there may be even a remote possibility of antitrust concerns under the 2023 Merger Guidelines, the DOJ will review "market realities" in analyzing the competitive effects of a particular transaction.

While branch deposit concentration may be one area of focus, i.e. traditional Herfindahl Hirschman Index (HHI) analysis for deposit concentration utilizing the 2023 Merger Guideline baselines, the DOJ will drill down into the products and services that a bank merger may affect prior to fully assessing the impact of a combination. This type of analysis may involve a more robust review of the competitive landscape (i.e., the impact of credit unions and other non-bank competitors), and a closer analysis of interest rates, types of mortgages and other loans offered, quality of service and convenience at branch locations, the types of customers served, and the unique needs in a particular bank market for bespoke financing.

Deposit Insurance

The FDIC is an independent federal agency that insures deposits at federally insured banks and savings institutions through the Deposit Insurance Fund (the "DIF"), up to prescribed statutory limits. The FDIC also promotes the safety and soundness of the banking and savings industries.

The Dodd-Frank Act revised the FDIC's authority over DIF management by establishing requirements for the Designated Reserve Ratio ("DRR"), calculated as the DIF balance divided by estimated insured deposits, and by redefining the assessment base used to calculate quarterly assessments. FDIC assessments are determined based on an institution's asset size and relative risk of default, as measured by regulatory capital ratios and other supervisory factors. We generally have limited ability to influence the premiums required for FDIC insurance.

12

Table of Contents

The FDIC has set the DRR at 2.00%. In October 2022, to ensure the reserve ratio would reach at least 1.35% by the statutory deadline of September 30, 2029, the FDIC increased the initial base deposit insurance assessment rate schedules uniformly by 2 basis points. The increase in assessment rates became effective January 1, 2023, beginning with the first quarterly assessment period of 2023.

Additionally, in November 2023, the FDIC finalized a special assessment to recover losses to the DIF resulting from the closures of Silicon Valley Bank and Signature Bank. The special assessment equals approximately 13.4 basis points annually, based on an institution's uninsured deposits as of December 31, 2022, after applying a $5 billion deduction. The assessment will be collected over eight quarterly periods. The Bank will not incur this additional assessment because its uninsured deposits as of December 31, 2022, were below the $5 billion threshold.

Future failures of financial institutions, increases in our asset size or risk profile, or other FDIC determinations could result in higher FDIC premiums. Any such increases may materially and adversely affect our earnings and could negatively impact the value or market for our common stock.

Incentive Compensation

Regulatory guidance applicable to all banking organizations requires that incentive compensation policies align with safety and soundness principles.Institutions must ensure that compensation programs:

1.Provide incentives that appropriately balance risk and reward and do not encourage imprudent risk-taking,

2.Are compatible with effective controls and risk management, and

3.Are supported by strong corporate governance, including active oversight by the board of directors.

Monitoring methods should be commensurate with the size and complexity of the organization and its use of incentive compensation.

As required by the Dodd-Frank Act, federal banking agencies and the SEC proposed revised rules in 2016 governing incentive-based payment arrangements at regulated entities with at least $1 billion of total assets. In October 2022, the SEC adopted final rules implementing the incentive-based compensation recovery ("clawback") provisions of the Dodd-Frank Act. In response, the NYSE adopted new clawback listing standards applicable to the Company. We have implemented an NYSE-compliant clawback policy, which is included as an exhibit to this Annual Report on Form 10-K.

Cybersecurity

Federal regulators have issued guidance requiring financial institutions to implement layered security controls and robust cyber risk management processes. Institutions must address risks associated with compromised customer credentials, including reliable authentication for customers accessing internet-based services.

Management is also expected to maintain comprehensive business continuity planning to ensure rapid recovery and resumption of operations following a cyberattack involving destructive malware. This includes processes for restoring data, rebuilding network capabilities, and recovering business operations if the institution or its critical service providers are impacted.

State regulators have become increasingly active in establishing privacy and cybersecurity standards, with states such as California and New York implementing detailed requirements, including mandatory cybersecurity programs and data encryption standards. Many states have also adopted or updated data breach notification and privacy laws. We expect this trend to continue and actively monitor developments in states where we operate or serve customers.

In November 2021, federal banking agencies adopted a final rule, requiring banking organizations to notify their primary regulator within 36 hours of determining that a "computer-security incident" has materially disrupted or is reasonably likely to disrupt banking organizations, delivery of services to a material portion of customers, or operations that could result in material loss or impact U.S. financial stability. Failure to comply may result in regulatory sanctions, including financial penalties.

In July 2023, the SEC adopted rules requiring registrants to disclose material cybersecurity incidents experienced and provide annual disclosures regarding cybersecurity risk management, strategy and governance. These rules supersede prior interpretive guidance issued in February 2018, and are in addition to existing state and federal banking notification requirements.

We rely on electronic communications and information systems to conduct our operations and to store sensitive data. Our cybersecurity program employs a layered, defense-in-depth approach leveraging people, processes and technology to manage

13

Table of Contents

and maintain cybersecurity controls. We utilize preventative and detective tools to monitor, block, and alert on suspicious activity, including advanced persistent threats.

Despite these measures, cybersecurity threats remain pervasive, sophisticated, and rapidly evolving. While we have not experienced a significant compromise, data loss, or material financial impact to date, our systems, and those of our customers and third-party service providers, are under constant threat. Risks related to cybersecurity are expected to remain high due to the increasing complexity of attacks and the growing use of internet and mobile banking services.

See "Risk Factors" under Part I, Item 1A of this report for a further discussion of risks related to cybersecurity and "Cybersecurity" under Part I, Item 1C for a further discussion of our cybersecurity risk management, strategy and governance.

Office of Foreign Assets Control ("OFAC") Regulation

The U.S. Treasury Department’s Office of Foreign Assets Control ("OFAC") administers and enforces economic and trade sanctions against targeted foreign countries, regimes, and individuals under various laws. OFAC publishes lists of specially designated nationals and countries, and financial institutions are responsible for:

•Blocking accounts and transactions involving designated parties;

•Prohibiting unlicensed trade and financial transactions; and

•Reporting blocked transactions after they occur.

Failure to comply with OFAC requirements can result in serious financial, legal and reputational consequences, including regulatory actions that may prevent or prohibit mergers and acquisitions. Regulatory authorities have imposed cease-and-desist orders and civil money penalties on institutions found in violation of these obligations.

Operations and Consumer Compliance Laws

The Bank is subject to numerous federal and state laws and regulations governing anti-money laundering, consumer protection, and privacy, including:

•Anti-Money Laundering and Privacy Laws: USA Patriot Act of 2001, GLBA, Bank Secrecy Act, Foreign Account Tax Compliance Act, and the Anti-Money Laundering Act of 2020 (“AMLA”).

•Consumer Protection Laws: CRA, Fair Debt Collection Practices Act, Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act, Equal Credit Opportunity Act, Truth in Lending Act, Fair Housing Act, Home Mortgage Disclosure Act, Real Estate Settlement Procedures Act, and National Flood Insurance Act.

•Privacy and Marketing Laws: Telephone Consumer Protection Act, CAN-SPAM Act, and various state privacy and data protection statutes.

Noncompliance with these laws can result in lawsuits, administrative penalties, fines, reimbursements, and other enforcement actions. The Company and the Bank are also subject to federal and state laws prohibiting unfair or deceptive practices, misleading advertising. and unfair competition. Recent joint regulatory pronouncements have emphasized the importance of managing operational and compliance risks associated with Banking-as-a-Service ("BaaS") relationships.

These laws impose disclosure and reporting requirements and govern how financial institutions interact with customers when accepting deposits, originating loans, servicing and collecting loans, foreclosing, and providing other services. Failure to comply may result in injunctions, civil or criminal penalties, punitive damages, and loss of contractual rights.

The Anti-Money Laundering Act of 2020 ("AMLA"), which amends the Bank Secrecy Act of 1970 (“BSA”), was enacted in January 2021. The AMLA is intended to be a comprehensive reform and modernization to U.S. bank secrecy and anti-money laundering laws. Among other things, it codifies a risk-based approach to anti-money laundering compliance for financial institutions; requires the development of standards for evaluating technology and internal processes for BSA compliance; expands enforcement- and investigation-related authority, including increasing available sanctions for certain BSA violations and instituting BSA whistleblower incentives and protections.

The BSA, as amended by the USA PATRIOT Act, and its implementing regulations and other laws and regulations that impose anti-money laundering obligations require financial institutions to, among other duties, implement and maintain an effective AML/CFT compliance program and to file reports, such as suspicious activity reports and currency transaction reports. Our

14

Table of Contents

federal and state banking regulators, FinCEN, and other government agencies are authorized to impose significant civil money penalties for violations of the BSA and its implementing regulations and other applicable anti-money laundering requirements.

A continued focus of governmental policy relating to financial institutions in recent years has been combating money laundering and terrorist financing. The USA PATRIOT Act amended the BSA to broaden the application of anti-money laundering regulations to apply to additional types of financial institutions, such as broker-dealers, investment advisors, and insurance companies, and strengthened the ability of the U.S. government to help prevent, detect and prosecute international money laundering and the financing of terrorism. The principal provisions of Title III of the USA PATRIOT Act require that regulated financial institutions, including banks: (i) establish an AML/CFT compliance program that includes training and audit components; (ii) comply with regulations regarding the verification of the identity of any person seeking to open an account; (iii) take additional required precautions with non-U.S. owned accounts; and (iv) perform certain verification and certification of money laundering risk for their foreign correspondent banking relationships. Failure of a financial institution to comply with the BSA’s requirements could have serious legal and reputational consequences for the institution. The federal banking agencies examine the institution for compliance with the BSA and its implementing regulations and we continue to monitor and augment, where necessary, our AML/CFT compliance program. The federal banking agencies will also consider compliance with the BSA and its implementing regulations when reviewing merger and acquisition proposals. Failure to comply with the BSA and its implementing regulations can result in a federal banking agency imposing cease and desist and other regulatory orders and civil money penalties against a bank. The Bank has augmented its AML/CFT compliance systems and procedures to meet the requirements of the BSA and its implementing regulations and will continue to revise and update its compliance policies, procedures, and controls to reflect changes required by law.

The CRA encourages insured depository institutions to help meet the credit needs of their communities, including low- and moderate-income neighborhoods, consistent with safe and sound banking practices. CRA performance is considered when evaluating applications for branches, mergers, acquisitions, or holding company formations.

The Bank received an "Outstanding" rating in the FDIC's 2022 CRA Performance Evaluation, which measures lending, investment, and service activities supporting community needs.

On October 24, 2023, the OCC, FDIC, and FRB jointly issued a final rule intended to modernize and strengthen regulations implementing the CRA. The final rule would have revised the framework used to evaluate how banks help meet the credit needs of their communities, particularly for institutions with total assets in excess of $2 billion, including the Bank.

Under the 2023 final rule, banks with total assets in excess of $2 billion would have been evaluated under a multi-test framework consisting of the following components:

1.Retail lending;

2.Retail services and products (including consideration of digital delivery systems for banks with more than $10 billion in assets or banks that request such consideration);

3.Community development ("CD") financing; and

4.CD services.

The final rule also contemplated the application of weighted scoring across these test components when assigning an overall CRA rating. Alternatively, qualifying institutions could elect to be evaluated under a regulator‑approved strategic plan. In addition, banks above the $2 billion asset threshold would have been subject to expanded and revised data collection, recordkeeping, and reporting requirements. The rule further provided that an institution’s CRA rating could be adversely affected by evidence of illegal or discriminatory credit practices.

The 2023 CRA final rule was scheduled to take effect on April 1, 2024, with staggered compliance dates for various provisions, including the new performance tests, data collection requirements, and the establishment of revised retail lending assessment areas. However, the rule is currently subject to a preliminary injunction that stays its effective and implementation dates, and the federal banking agencies are not applying its provisions.

Accordingly, the federal banking agencies continue to examine and assess banks’ CRA performance under the CRA regulations originally adopted in 1995 and in effect as of March 29, 2024. On July 16, 2025, the OCC, FDIC, and FRB issued a joint notice of proposed rulemaking to rescind the 2023 CRA final rule and formally restore the prior CRA regulatory framework with certain conforming and technical amendments. Until that rulemaking process is completed, the 1995 CRA regulations remain applicable.

15

Table of Contents

Consumer Financial Protection Bureau ("CFPB")

The Dodd-Frank Act established the CFPB as an independent entity with broad rule making, supervisory and enforcement authority over consumer financial products and services, including deposit products, residential mortgages, home equity loans, and credit cards. The CFPB’s functions include investigating consumer complaints, conducting market research, issuing regulations, and enforcing compliance related to consumer financial products and services. CFPB regulations and guidance, including supervision and examination, apply to all covered persons and banks with $10 billion or more in assets. Banks with less than $10 billion in assets, including the Bank, will remain subject to compliance examinations by their primary federal banking regulator. However, the CFPB may include its own examiners in regulatory examinations by a smaller institution’s principal regulators and may require smaller institutions to comply with certain CFPB reporting requirements. In addition, regulatory positions taken by the CFPB and administrative and legal precedents established by CFPB enforcement activities, including in connection with supervision of larger bank holding companies and banks, could influence how the Federal Reserve and FDIC apply consumer protection laws, and regulations to financial institutions that are not directly supervised by CFPB. The precise effect of the CFPB’s consumer protection activities on the Company and the Bank cannot be determined with certainty.

The CFPB finalized numerous rules impacting nearly every aspect of the residential mortgage loan lifecycle. These rules implement the Dodd-Frank Act amendments to the Equal Credit Opportunity Act, Truth in Lending Act, and Real Estate Settlement Procedures Act. Among other requirements, banks originating residential mortgage loans must:

1.Develop and implement procedures to ensure compliance with the "ability-to-repay" test and determine whether a loan qualifies as a "qualified mortgage", in which case a rebuttable presumption exists that the creditor extending the loan has satisfied the ability-to-repay test;

2.Implement new or revised disclosures, policies, and procedures for originating and servicing mortgages, including, but not limited to, pre-loan counseling, early intervention with delinquent borrowers, and specific loss mitigation procedures for loans secured by a borrower's principal residence;

3.Comply with additional restrictions on mortgage loan originator hiring and compensation;

4.Comply with new disclosure requirements and standards for appraisals and certain financial products; and

5.Maintain escrow accounts for higher-priced mortgage loans for extended periods.

The review of products and practices to prevent unfair, deceptive or abusive acts or practices ("UDAAP") has been a focus of the CFPB, and of banking regulators more broadly. In addition, the Dodd-Frank Act provides the CFPB with broad supervisory, examination and enforcement authority over various consumer financial products and services, including the ability to require reimbursements and other payments to customers for alleged violations of UDAAP and other legal requirements and to impose significant penalties, as well as injunctive relief that prohibits lenders from engaging in allegedly unlawful practices. The CFPB also has the authority to obtain cease and desist orders providing for affirmative relief or monetary penalties. The Dodd-Frank Act does not prevent states from adopting stricter consumer protection standards. CFPB and state regulation of financial products and potential enforcement actions could also adversely affect the Bank’s business, financial condition or results of operations.

Privacy and Information Sharing

The federal bank regulators have adopted rules limiting the ability of banks and other financial institutions to disclose non-public information about consumers to unaffiliated third parties. These limitations require disclosure of privacy policies to consumers and, in some circumstances, allow consumers to prevent disclosure of certain personal information to a non-affiliated third party. These regulations affect how consumer information is transmitted through diversified financial companies and conveyed to outside vendors. In addition, consumers may also prevent disclosure of certain information among affiliated companies that is assembled or used to determine eligibility for a product or service, such as that shown on consumer credit reports and asset and income information from applications. Consumers also have the option to direct banks and other financial institutions not to share information about transactions and experiences with affiliated companies for the purpose of marketing products or services.

In California, consumer privacy rights have been further bolstered by the enactment of the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (CPRA). The CCPA and CPRA create new consumer rights, impose additional obligations on businesses that collect personal information from California consumers, and create a new enforcement agency called the California Privacy Protection Agency. In particular, The CCPA and CPRA introduces four new consumer rights, including (1) the right to correction, meaning that users can request to have their personal information corrected; (2) the right to opt-out of automated decision making, meaning that California residents can say 'no' to their personal information being used in profiling for behavioral advertisement online; (3) the right to know about automated decision making; and (4) the right

16

Table of Contents

to limit use of sensitive personal information. These two statutes also significantly expand the types of consumer data subject to privacy restrictions and increase the potential penalties for any violations.

Durbin Amendment and Interchange Fees

Under the Durbin Amendment to the Dodd-Frank Act, the Federal Reserve adopted rules establishing standards for assessing whether the interchange fees that may be charged with respect to certain electronic debit transactions are "reasonable and proportional" to the costs incurred by issuers for processing such transactions. Interchange fees, or "swipe" fees, are charges that merchants pay to us and other card-issuing banks for processing electronic payment transactions.

Under the final rules, the maximum permissible interchange fee for banks with assets in excess of $10 billion is capped at 21 cents plus 5 basis points of the transaction value for most debit interchange transactions. The Federal Reserve also adopted a rule to allow a debit card issuer to recover one cent per transaction for fraud prevention purposes if the issuer complies with certain fraud-related requirements required by the Federal Reserve. The Federal Reserve also has rules governing routing and exclusivity that require issuers to offer two unaffiliated networks for routing transactions on each debit or prepaid product.

In October 2023, the Federal Reserve issued a proposal under which the maximum permissible interchange fee for an electronic debit transaction would be the sum of 14.4 cents per transaction and 4 basis points multiplied by the value of the transaction. Furthermore, the fraud-prevention adjustment would increase from a maximum of 1 cent to 1.3 cents per debit card transaction. The proposal would adopt an approach for future adjustments to the interchange fee cap which would occur every other year based on issuer cost data gathered by the Federal Reserve from large debit card issuers. The comment period for this proposal ended in May 2024. The extent to which any such proposed changes in permissible interchange fees will impact our future revenues is uncertain.

Currently, the Bank qualifies for the small issuer exemption from the interchange fee cap, which applies to any debit card issuer that, together with its affiliates, has total assets of less than $10 billion as of the end of the previous calendar year. The Bank will become subject to the interchange fee cap beginning July 1 of the year following the point at which its total assets reach or exceeds $10 billion. Reliance on the small issuer exemption does not exempt us from federal regulations prohibiting network exclusivity arrangements or from routing restrictions.

Commercial Real Estate Concentration Limits

In December 2006, federal banking regulators issued guidance titled "Concentrations in Commercial Real Estate Lending, Sound Risk Management Practices" to address increasing concentrations in commercial real estate ("CRE") and construction loans. Subsequently, in December 2015, the federal bank agencies issued additional guidance titled "Statement on Prudent Risk Management for Commercial Real Estate Lending." Together, these guidelines outline the criteria used by regulators to identify institutions that may be exposed to heightened CRE concentration risk.

An institution may be subjected to further supervisory review if it has:

1.Experienced rapid growth in CRE lending,

2.Significant exposure to a specific type of CRE,

3.Total reported loans for construction, land development, and other land representing 100% or more of the institution’s total risk-based capital, or

4.Total CRE loans representing 300% or more of the institution’s total risk-based capital, and the outstanding balance of the institutions CRE portfolio has increased by 50% or more in the prior 36 months.

As of December 31, 2025, the Bank’s construction, land development, and other land loans represented less than 100% of its total risk-based capital. As of December 31, 2025, the Bank's total CRE loans represented less than 300% of its total risk-based capital and has increased by less than 50% from the prior 36 months.

Changes in Federal, State, or Local Tax Laws

We are subject to changes in federal and applicable state tax laws and regulations that may impact our effective tax rates. Changes in these tax laws may be retroactive to previous periods and as a result could impact our current and future financial performance.

For example, the Tax Cuts and Jobs Act of 2017 resulted in a reduction of our federal tax rate from a minimum of 35% in 2017 to 21% beginning in 2018, which favorably impacted our earnings. Conversely, this legislation also enacted limitations on

17

Table of Contents

certain deductions, including the deduction of FDIC deposit insurance premiums, which partially offset the expected increase in net earnings from the lower tax rate.

On August 16, 2022, the Inflation Reduction Act of 2022 (the "IRA") was enacted into law. The IRA, among other things, imposes a non-deductible 1% excise tax on the aggregate fair market value of stock repurchased by certain public companies, if any, including the Company, occurring after December 31, 2022.

The foregoing description of the impact of changes in federal and applicable state tax laws on us should be read in conjunction with Note 16 - Income Taxes of the notes to Consolidated Financial Statements for more information.

Future Legislation and Regulation

Congress and state legislatures may enact, modify, or repeal laws governing the regulation of the financial services industry.In addition, federal and state regulatory agencies periodically propose and adopt regulatory changes or modify the manner in which existing regulations are interpreted or enforced.

The substance and impact of pending or future legislation or regulation, or the application thereof, cannot be predicted. However, enactment of proposed legislation (or modification or repeal of existing legislation) could have the following impact:

•Restructure the regulatory framework under which the Company and Bank operate;

•Significantly increase its costs;

•Impede the efficiency of its internal business processes;

•Require the Bank to increase its regulatory capital;

•Necessitate changes to its business strategy;

•Limit its ability to pursue business opportunities in an efficient manner.

Any of these outcomes could adversely, and possibly materially, affect the Company’s business, financial condition, results of operations, or prospects.

Available Information

Our website, www.cpb.bank, provides access to our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, and all related amendments to those reports as soon as reasonably practicable after such materials are electronically filed with or furnished to the SEC. Copies of the Company's filings with the SEC may also be obtained directly from the SEC's website at www.sec.gov. These documents may also be obtained in print upon request to our Investor Relations Department.

Also posted on our website and available in print upon request to our Investor Relations Department, are the charters for our Audit Committee, Compensation Committee and Governance Committee, as well as our Corporate Governance Guidelines and Code of Conduct and Ethics. Within the time period required by the SEC and NYSE, we will post on our website any amendment to the Code of Conduct and Ethics and any waiver applicable to our senior financial officers, as defined by the SEC, and our executive officers or directors. In addition, our website includes information concerning purchases and sales of our equity securities by our executive officers and directors, as well as disclosure relating to certain non-GAAP financial measures (as defined in the SEC's Regulation G) that we may make public orally, telephonically, by webcast, by broadcast or by similar means from time to time.