FLAGSTAR BANK, NATIONAL ASSOCIATION (FLG) Business
This page reproduces the company's own Item 1 Business text from the linked SEC filing. It is filer text, not grepcent analysis, scoring, or investment advice.
Item 1. Business
General
Where we say "we," "us," "our," the "Bank," the "Company," or "Flagstar," in this report we usually mean Flagstar Bank, National Association.
Flagstar Bank, National Association, is a national banking association headquartered in Hicksville, New York which had $87.5 billion of assets, $61.0 billion of loans, deposits of $66.0 billion, and total stockholders’ equity of $8.1 billion as of December 31, 2025. The Bank went public in 1993 and has grown organically and through a series of accretive mergers and acquisitions.
We operate in a single reportable segment and have identified one reporting unit which is the same as our operating segment. We continue to assess our reportable segments and reporting units, which may result in a change to either or both in future reporting periods. Please refer to Note 23 - Segment Reporting.
Internal Corporate Reorganization
Effective October 17, 2025, the Bank became the successor reporting company to Flagstar Financial, Inc. ("Flagstar Financial"), the former holding company for the Bank, pursuant to an internal corporate reorganization to eliminate the Bank’s holding company structure (the “Reorganization”). In connection with the completion of the Reorganization, Flagstar Financial was merged with and into the Bank (the “Merger”), with the Bank continuing as the surviving entity.
At the effective time of the Merger, the outstanding shares of Flagstar Financial’s common stock and Series A preferred stock were cancelled and automatically converted into an equivalent number of shares of the Bank’s common stock and Series A preferred stock. Flagstar Financial’s Series B and Series D preferred stock were also converted into common stock of the Bank, except that such conversion was instead into non-voting equity securities that are substantially identical to the Series B and Series D preferred stock to the extent that ownership of the additional common stock would otherwise be prohibited by law or require approval by a government entity. As a result, subject to the foregoing limitations, the shares of capital stock of the Bank are now owned directly by shareholders in the same proportion as their ownership of Flagstar Financial capital stock immediately prior to the Merger. Further, each warrant to purchase either Series D preferred stock or common stock of Flagstar Financial was converted automatically into a warrant to purchase the Bank’s common stock or, as applicable, the Bank’s Series D preferred stock. In addition, each of Flagstar Financial's outstanding warrants to purchase shares of Flagstar Financial common stock forming a part of a unit of Flagstar Financial's outstanding Bifurcated Option Note Unit SecuritiES℠ (the “BONUSES Units”) was converted automatically into a warrant to purchase Bank common stock upon the same terms applicable to the outstanding warrants immediately prior to the Reorganization. Immediately following the Merger, the Bank had substantially the same outstanding capital stock with substantially the same rights and privileges as the outstanding capital stock of Flagstar Financial immediately prior to the Merger. Immediately after the Merger, the Bank had substantially the same consolidated assets, liabilities and shareholders’ equity as Flagstar Financial immediately prior to the Merger.
The Bank assumed Flagstar Financial's debt obligations, equity incentive plans, equity compensation plans, and other compensation plans as a result of the Merger.
Online Information about the Bank
We serve our customers through our website: www.flagstar.com. In addition to providing our customers with 24-hour access to their accounts, and information regarding our products and services, hours of service, and locations, the website provides extensive information about the Bank for the investment community. Earnings releases, dividend announcements, and other press releases are posted upon issuance to the Investor Relations portion of the website, which can be found at https://.ir.flagstar.com.
In addition, our securities filings with the OCC (including our annual report on Form 10-K; our quarterly reports on Form 10-Q; and our current reports on Form 8-K), and all amendments to those reports, in all cases as filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, are available without charge, and are posted to the Investor Relations portion of our website. The website also provides information regarding Flagstar's Board of Directors (the "Board") and management team, as well as certain Board committee charters and our corporate governance policies. The content of our website shall not be deemed to be incorporated by reference into this Annual Report.
Our Market
The Bank currently operates approximately 340 locations across nine states, including strong footholds in the greater New York/New Jersey metropolitan region and in the upper Midwest, along with a significant presence in fast-growing markets in Florida and the West Coast. In addition, the Bank has approximately 20 private bank branches located primarily in the metropolitan New York City region and on the West Coast, which serve the needs of high-net worth individuals and their businesses.
The market for the loans we originate varies, depending on the type of loan. For example, the vast majority of our multi-family loans are collateralized by rental apartment buildings in New York City, while the majority of the properties collateralizing our commercial real estate loans are located in the Northeast and Midwest. Our commercial and industrial loans are originated nationally to middle-market and mid-sized companies.
Competition
We compete for deposits and customers through multiple channels, including our retail branch network and our private banking locations as well as through our mortgage offerings. By prioritizing convenience and service, we offer products at competitive rates through our branches, banking locations and ATM network as well as mobile banking and dedicated website, which provide 24-hour access for customers. Our offerings include traditional banking products, non-deposit investment products, and insurance. The competitiveness of our deposit pricing is influenced by short-term interest rates, industry consolidation, and rates offered by other institutions, including credit unions and online banks. Additionally, we face competition from fintech companies. Our ability to attract deposits also depends on internal factors such as the availability of full product offerings including having wholesale funds to support our loan production and commitments.
Our success as a lender is closely tied to the economic health of the markets we serve, impacting loan demand, collateral value, and repayment ability. Economic conditions have a significant impact on loan demand, the value of the collateral securing our credits, and the ability of our borrowers to repay their loans. For commercial and industrial and commercial real estate loans, competition also comes from numerous sources including the capital markets and larger financial institutions, commercial and savings banks, fintech companies, and credit unions.
Monetary Policy
The Bank is affected by fiscal and monetary policies of the federal government, including those of the Federal Reserve Board ("FRB") which regulates the national money supply in order to mitigate recessionary and inflationary pressures. Among the techniques available to the FRB are engaging in open market transactions of U.S. Government securities, changing the discount rate and changing reserve requirements against bank deposits. These techniques are used in varying combinations to influence the overall growth of bank loans, investments, and deposits. Their use may also affect interest rates charged on loans and paid on deposits. The effect of government policies on the earnings of the Bank cannot be predicted.
Environmental Issues
We encounter certain environmental risks in our lending activities and other operations. The existence of hazardous materials may make it unattractive for a lender to foreclose on the properties securing its loans. In addition, under certain conditions, lenders may become liable for the costs of cleaning up hazardous materials found on such properties. We attempt to mitigate such environmental risks by requiring either that a borrower purchase environmental insurance or that an appropriate environmental site assessment be completed as part of our underwriting review on the initial granting of commercial real estate and acquisition, development, and construction loans, regardless of location, and of any out-of-state multi-family loans we may produce. Depending on the results of an assessment, appropriate measures are taken to address the identified risks. In addition, we order an updated environmental analysis prior to foreclosing on such properties, and typically hold foreclosed multi-family, commercial real estate, and acquisition, development, and construction loan properties in subsidiaries.
Our attention to environmental risks also applies to the properties and facilities that house our bank operations. Prior to acquiring a large-scale property, a Phase 1 Environmental Property Assessment is typically performed by a licensed professional engineer to determine the integrity of, and/or the potential risk associated with, the facility and the property on which it is built. Properties and facilities of a smaller scale are evaluated by qualified in-house assessors, as well as by industry experts in environmental testing and remediation. This two-pronged approach identifies potential risks associated with asbestos-containing material, above ground and underground storage tanks, radon, electrical transformers (which may contain PCBs), ground water flow, storm and sanitary discharge, and mold, among other environmental risks. These processes assist us in mitigating environmental risk by enabling us to identify and address potential issues, including by avoiding taking ownership or control of contaminated properties.
Additional environmental risks may also arise from both physical and transitional risks related to climate change. Physical risks of climate change can include both acute events, such as increased severity of extreme weather events or wildfires, and chronic events, such as longer-term shifts in climate patterns, rising temperatures, or prolonged droughts. These physical risks can adversely impact our operations, our clients, and the third parties on which we rely. We have conducted a climate change scenario analysis to understand how physical risk events may impact our owned and operated properties over time.
Transition risks associated with a shift to a low-carbon economy may include changes to policy, legal requirements, technology, and market expectations. These transitional risks may result in new regulatory requirements, changes in consumer behavior, and market valuation adjustments. Such developments could impact our operating expenses, lending activities, product offerings and longer-term business strategy. Additionally, our practices, and the practices of our customers, related to climate change, without appropriate mitigation or transitional strategies, may adversely affect stakeholder relationships.
Our climate risk program seeks to understand how our physical and transitional risks relate to our current risk factors, such as credit, market, liquidity, operational, compliance, and strategic risks. Although the timing and severity of climate change may not be entirely predictable and risk management practices may not be effective in mitigating our overall exposure, we continue to develop our climate risk program to identify, assess, and mitigate climate change risks.
Human Capital Management
We place great importance on having the right people in the right roles, with the right skills, and doing their best work. By focusing on the growth and development of our talented team members, we believe we are best positioned to deliver results for our customers. We believe when our employees deliver for our customers, they deliver for our communities and shareholders as well.
At December 31, 2025, our workforce included 5,631 employees. None of our employees are represented by a collective bargaining agreement and we believe our employee relations to be in good standing.
We believe our employees are among our most significant resources and that our employees are critical to our continued success. We focus significant attention on attracting and retaining talented and experienced individuals to manage and support our operations. We pay our employees competitively and offer a broad range of benefits, both of which we believe are competitive with our industry peers and with other firms in the locations in which we do business. Our employees receive salaries that are subject to annual review and periodic benchmarking. Our benefits program includes a 401(k) Plan with an employer matching contribution, healthcare and other insurance benefits, flexible spending accounts and paid time off. Many of our employees are also eligible to participate in the Bank’s equity award program and the Bank's annual cash incentive program.
We are proud to strive to maintain an inclusive workforce that reflects the demographics of the communities in which we do business. Our company recognizes that the talents of a dedicated workforce are a key competitive advantage. To increase our talent pool, we work with key stakeholders in our business locations to deepen our understanding of the local labor market and better position the organization to recruit and retain exceptional talent.
We strive to create and foster a supportive environment for all of our employees, and we are proud to share our business success with individuals whose cultural and personal differences support an innovative and productive workplace.
We strive to build and leverage an inclusive and engaged workforce that inspires all individuals to work together towards a common goal of superior business results by embracing the unique needs and objectives of our customers and community. We strive to achieve this by hiring great people who represent the talents, experiences, and background of the communities we serve. Our commitment is reflected in the policies that govern our workforce, and is evidenced in our recruiting strategies, inclusion training and employee resource groups, which are key to our efforts. Our employee resource groups, which are open to all employees, provide our associates access to coaching, mentoring and professional development.
Our management teams and all of our employees are expected to exhibit and promote honest, ethical and respectful conduct in the workplace. All of our employees must adhere to a code of conduct that sets standards for appropriate behavior and all employees are required to complete annual training that focuses on preventing, identifying, reporting and stopping any type of unlawful discrimination.
Federal, State, and Local Taxation
The Bank is subject to federal, state, and local income taxes. See the discussion of "Income Taxes" in Note 2 - Summary of Significant Accounting Policies and Note 13 - Federal, State, and Local Taxes.
Regulation and Supervision
The following is a brief summary of certain statutes and regulations that significantly affect the Bank and its subsidiaries. A number of other statutes and regulations may affect the Bank but are not discussed in the following paragraphs.
Effective October 17, 2025, the Bank became the successor reporting company to Flagstar Financial upon the completion of the Reorganization. More information about the Reorganization and its effects can be found under “General—Internal Corporate Reorganization” above. As a result of the Reorganization, among other things, the Bank is now the top-level publicly-traded entity within our corporate structure and the Bank is no longer subject to (i) examinations by the FRB; (ii) certain requirements applicable to bank holding companies that meet specific asset thresholds, including Enhanced Prudential Standards, stress testing requirements, and bank holding company resolution plans; and (iii) the Securities Act of 1933, as amended (the “Securities Act”). The Bank remains subject to the requirements of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), including the reporting requirements thereunder, but now makes those securities filings with the OCC rather than the SEC (including its annual report on Form 10-K, quarterly reports on Form 10-Q, and current reports on Form 8-K), although it continues to make those filings with the SEC via EDGAR as a voluntary filer. The Bank is subject to OCC regulations governing securities offerings.
General
The Bank is a national banking association, subject to federal regulation and oversight by the Office of Comptroller of the Currency (the "OCC"). The activities of the Bank are limited to those specifically authorized under the National Bank Act and related interpretations of the OCC. The OCC has authority to bring an enforcement action against the Bank for unsafe or unsound banking practices, which could include limiting the Bank’s ability to conduct otherwise permissible activities or imposing corrective capital or managerial requirements on the bank. We are also subject to regulation and examination by the FDIC, which insures the deposits of the Bank to the extent permitted by law and to certain transaction-related requirements established by the Federal Reserve. The Bank is also subject to the supervision of the Consumer Financial Protection Bureau (the "CFPB"), which regulates the offering and provision of consumer financial products or services under federal consumer financial laws. The OCC, FDIC and the CFPB may take regulatory enforcement actions if we do not operate in accordance with applicable regulations, policies and directives. Proceedings may be instituted against us, or any "institution-affiliated party", such as a director, officer, employee, agent or controlling person, who engages in unsafe and unsound practices, including violations of applicable laws and regulations. The FDIC has additional authority to terminate insurance of accounts, if after notice and hearing, we are found to have engaged in unsafe and unsound practices, including violations of applicable laws and regulations. The federal system of regulation and supervision establishes a comprehensive framework of activities in which to operate and is primarily intended for the protection of depositors and the FDIC's Deposit Insurance Fund rather than our shareholders.
Our corporate affairs are primarily governed by the National Bank Act, with related regulations administered by the OCC. In terms of securities matters, we are not subject to the Securities Act, but are subject to OCC regulations governing securities offerings. Our common stock and certain other securities are registered under the Exchange Act, which grants the OCC the authority to administer and enforce certain sections of the Exchange Act applicable to national banks. Despite this, we continue to make filings required by the Exchange Act with the SEC as a voluntary filer. The statutory and regulatory frameworks applicable to us as a national bank are not as well developed as the corporate and securities law frameworks that apply to many other publicly held companies. Our brokerage and investment advisory subsidiary is regulated by the SEC, the Financial Industry Regulatory Authority (“FINRA”) and state securities agencies.
The banking and financial services business in which we engage is and remains highly regulated. Legislative changes to laws governing the financial industry occur frequently; some of this legislation materially affects the manner in which we and other financial institutions operate, including increasing the costs and other burdens of conducting our businesses. In addition, the banking regulatory agencies regularly promulgate new regulations or modify existing regulations, which also have a significant impact on the financial industry. Any change to laws and regulations, whether by the regulatory agencies or Congress, could have a materially adverse impact on our operations.
The Dodd-Frank Wall Street Reform and Consumer Protection Act
Enacted in July 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act significantly changed the bank regulatory structure and will continue to affect, into the immediate future, the lending and investment activities and general operations of depository institutions and their holding companies. The Dodd-Frank Wall Street Reform and Consumer Protection Act is complex and comprehensive legislation that impacts practically all aspects of a banking organization and represents a significant overhaul of many aspects of the regulation of the financial services industry.
Volcker Rule
Under the Volcker Rule, we are prohibited from (1) engaging in short-term proprietary trading for our own account and (2) having certain ownership interests in and relationships with hedge funds or private equity funds (covered funds). The Volcker Rule regulations contain exemptions for market-making, hedging, underwriting, trading in U.S. government and agency obligations, and also permit certain ownership interests in certain types of covered funds to be retained. They also permit the offering and sponsoring of covered funds under certain conditions. The Volcker Rule regulations impose significant compliance and reporting obligations on banking entities, such as the Bank. We have put in place the compliance programs required by the Volcker Rule and any holdings in illiquid covered funds are in compliance with the Volcker Rule.
The New York Housing Stability and Tenant Protection Act of 2019
In 2019, the New York State Legislature passed the Housing Stability and Tenant Protection Act of 2019 impacting about one million rent-regulated apartment units. Among other things, the legislation: (i) curtails rent increases from material capital improvements and Individual Apartment Improvements; (ii) all but eliminates the ability for apartments to exit rent regulation; (iii) does away with vacancy decontrol and high-income deregulation; and (iv) repealed the 20 percent vacancy bonus. The legislation generally limits a landlord’s ability to increase rents on rent-regulated apartments and makes it more difficult to convert rent regulated apartments to market rent apartments.
Capital Requirements
In 2013, the FDIC, the OCC, and the FRB (collectively, the "Federal Banking Agencies") approved revisions to their capital adequacy guidelines and prompt corrective action rules to implement the revised standards of the Basel Committee on Banking Supervision, commonly called Basel III, and to address relevant provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Basel III generally refers to two consultative documents released by the Basel Committee on Banking Supervision in December 2009. The Basel III rules generally refer to the rules adopted by U.S. banking regulators in December 2010 to align U.S. bank capital requirements with Basel III and with the related loss absorbency rules they issued in January 2011, which include significant changes to bank capital, leverage, and liquidity requirements.
The Basel III rules include new risk-based capital and leverage ratios, which became effective January 1, 2015, and revised the definition of what constitutes “capital” for the purposes of calculating those ratios. Under Basel III, the Bank is required to maintain minimum capital in accordance with the following ratios: (i) a common equity tier 1 capital ratio of 4.5 percent; (ii) a tier 1 capital ratio of 6 percent (increased from 4 percent); (iii) a total capital ratio of 8 percent (unchanged from the prior rules); and (iv) a tier 1 leverage ratio of 4 percent.
In addition, the Basel III rules assign higher risk weights to certain assets, such as the 150 percent risk weighting assigned to exposures that are more than 90 days past due or are on non-accrual status, and to certain commercial real estate facilities that finance the acquisition, development, or construction of real property. Basel III also eliminates the inclusion of certain instruments, such as trust preferred securities, from tier 1 capital. In addition, tier 2 capital is no longer limited to the amount of tier 1 capital included in total capital. Mortgage servicing rights, certain deferred tax assets, and investments in unconsolidated subsidiaries over designated percentages of common stock are required, subject to limitation, to be deducted from capital. Finally, tier 1 capital includes accumulated other comprehensive income, which includes all unrealized gains and losses on available-for-sale securities.
Basel III also established a “capital conservation buffer” (consisting entirely of common equity tier 1 capital) that is 2.5 percent above the new regulatory minimum capital requirements. This resulted in an increase in the minimum common equity tier 1, tier 1, and total capital ratios to 7.0 percent, 8.5 percent, and 10.5 percent, respectively. An institution can be subject to limitations on paying dividends, engaging in share repurchases, and paying discretionary bonuses if its capital levels fall below these amounts. Basel III also establishes a maximum percentage of eligible retained income that can be utilized for such capital distributions.
The following schedule presents minimum capital ratio and capital conservation buffer requirements, our capital ratios at December 31, 2025, and the minimum requirements to be well capitalized:
| | Minimum for capital adequacy purposes | Minimum capital ratio requirement with capital conservation buffer | Current capital ratio | Minimum to be "well capitalized" |
|---|---|---|---|---|
| Common Equity Tier 1 | 4.50% | 7.00% | 12.83% | 7.00% |
| Tier 1 | 6.00% | 8.50% | 13.66% | 8.00% |
| Total risk-based capital | 8.00% | 10.50% | 16.23% | 10.00% |
| Leverage Capital | 4.00% | 4.00% | 9.22% | 5.00% |
Prompt Corrective Regulatory Action
The Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”) requires, among other things, that federal bank regulatory authorities take “prompt corrective action” with respect to institutions that do not meet minimum capital requirements. For such purposes, the law establishes five capital tiers: well capitalized, adequately capitalized, undercapitalized, significantly undercapitalized, and critically undercapitalized. The five capital tiers are described in more detail below. Under the prompt corrective action regulations, an institution that fails to remain “well capitalized” becomes subject to a series of restrictions that increase in severity as its capital condition weakens. Such restrictions may include a prohibition on capital distributions, restrictions on asset growth, or restrictions on the ability to receive regulatory approval of applications. The FDICIA also provides for enhanced supervision authority over undercapitalized institutions, including authority for the appointment of a conservator or receiver for the institution.
As a result of the Basel III rules, new definitions of the relevant measures for the five capital categories took effect on January 1, 2015. An institution is deemed to be “well capitalized” if it has a total risk-based capital ratio of 10 percent or greater, a tier 1 risk-based capital ratio of 8 percent or greater, a common equity tier 1 risk-based capital ratio of 6.5 percent or greater, and a tier 1 leverage ratio of 5 percent or greater, and is not subject to a regulatory order, agreement, or directive to meet and maintain a specific capital level for any capital measure.
An institution is deemed to be “adequately capitalized” if it has a total risk-based capital ratio of 8 percent or greater, a tier 1 risk-based capital ratio of 6 percent or greater, a common equity tier 1 risk-based capital ratio of 4.5 percent or greater, and a tier 1 leverage ratio of 4 percent or greater.
An institution is deemed to be “undercapitalized” if it has a total risk-based capital ratio of less than 8 percent, a tier 1 risk-based capital ratio of less than 6 percent, a common equity tier 1 risk-based capital ratio of less than 4.5 percent, or a tier 1 leverage ratio of less than 4 percent. An institution is deemed to be “significantly undercapitalized” if it has a total risk-based capital ratio of less than 6 percent, a tier 1 risk-based capital ratio of less than 4 percent, a common equity tier 1 risk-based capital ratio of less than 3 percent, or a tier 1 leverage ratio of less than 3 percent. An institution is deemed to be “critically undercapitalized” if it has a ratio of tangible equity (as defined in the regulations) to total assets that is equal to or less than 2 percent.
“Undercapitalized” institutions are subject to growth, capital distribution (including dividend), and other limitations, and are required to submit a capital restoration plan. An institution’s compliance with such a plan is required to be guaranteed by any company that controls the undercapitalized institution in an amount equal to the lesser of 5 percent of the bank’s total assets when deemed undercapitalized or the amount necessary to achieve the status of adequately capitalized. If an undercapitalized institution fails to submit an acceptable plan, it is treated as if it is “significantly undercapitalized.” Significantly undercapitalized institutions are subject to one or more additional restrictions including, but not limited to, an order by the FDIC to sell sufficient voting stock to become adequately capitalized; requirements to reduce total assets, cease receipt of deposits from correspondent banks, or dismiss directors or officers; and restrictions on interest rates paid on deposits, compensation of executive officers, and capital distributions by the parent holding company.
Beginning 60 days after becoming “critically undercapitalized,” critically undercapitalized institutions also may not make any payment of principal or interest on certain subordinated debt, extend credit for a highly leveraged transaction, or enter into any material transaction outside the ordinary course of business. In addition, subject to a narrow exception, the appointment of a receiver is required for a critically undercapitalized institution within 270 days after it obtains such status.
For additional information, see the Capital section of the MD&A and Note 17 - Capital. As of December 31, 2025, each of the Bank’s capital ratios exceeded those required for an institution to be considered “well capitalized” under these regulations.
Regulatory Developments
On October 7, 2025, the OCC and FDIC issued a notice of proposed rulemaking to codify the elimination of reputation risk from their supervisory programs, which would, among other things, prohibit the OCC or FDIC from criticizing or taking adverse action against an institution on the basis of reputation risk, and would also prohibit the agencies from requiring, instructing, or encouraging an institution to close an account, to refrain from providing an account, product, or service, or to modify or terminate any product or service on the basis of a person or entity's political, social, cultural, or religious views or beliefs, constitutionally protected speech, or solely on the basis of politically disfavored but lawful business activities. On October 7, 2025, the OCC and FDIC also issued a notice of proposed rulemaking that would define the term “unsafe or unsound practice” for purposes of section 8 of the Federal Deposit Insurance Act and revise the supervisory framework for the issuance of matters requiring attention and other supervisory communications.
On December 23, 2025, the OCC issued a notice of proposed rulemaking to increase the total assets threshold for applying Heightened Standards to $700 billion. These Heightened Standards prescribe minimum standards for the Bank's risk governance framework and require significant time, expenses and resources to design and implement. If finalized as proposed, the Bank would no longer be subject to Heightened Standards.
Resolution Planning
As an insured depository institution with $50 billion or more in assets, the Bank is required to file a full resolution plan with the FDIC every three years and interim targeted information between full resolution submissions. The full resolution plan requires us to discuss how we could be rapidly and orderly resolved in the event of a material financial distress or failure. We developed our resolution plan in alignment with the FDIC’s requirements, and following the Board’s approval, we submitted a full resolution plan to the FDIC prior to its due date of July 1, 2025.
FDIC as Receiver or Conservator of the Bank
Upon the insolvency of an insured depository institution, such as the Bank, the FDIC may be appointed as the conservator or receiver of the institution. Acting as a conservator or receiver, the FDIC would have broad powers to transfer any assets or liabilities of the Bank without the approval of the Bank’s creditors.
Standards for Safety and Soundness
Federal law requires each Federal Banking Agency to prescribe, for the depository institutions under its jurisdiction, standards that relate to, among other things, internal controls; information and audit systems; loan documentation; credit underwriting; the monitoring of interest rate risk; asset growth; compensation; fees and benefits; and such other operational and managerial standards as the agency deems appropriate. The Federal Banking Agencies adopted final regulations and Interagency Guidelines Establishing Standards for Safety and Soundness (the “Guidelines”) to implement these safety and soundness standards. The Guidelines set forth the safety and soundness standards that the Federal Banking Agencies use to identify and address problems at insured depository institutions before capital becomes impaired. If the appropriate Federal Banking Agency determines that an institution fails to meet any standard prescribed by the Guidelines, the agency may require the institution to provide it with an acceptable plan to achieve compliance with the standard and agree to specific deadlines for the submission to and review by the regulator of reports confirming progress in implementing the safety and soundness compliance plan, as required by the Federal Deposit Insurance Act, as amended, (the “FDI Act”). Failure to implement such a plan may result in an enforcement action against the Bank.
Enforcement actions against the Bank and its officers and directors may include the issuance of a written directive, the issuance of a cease-and-desist order that can be judicially enforced, the imposition of civil money penalties, the issuance of directives to increase capital, the issuance of formal and informal agreements, the issuance of removal and prohibition orders against officers or other institution-affiliated parties, the imposition of restrictions and sanctions under prompt corrective action regulations, the termination of deposit insurance and the appointment of a conservator or receiver for the Bank. Civil money penalties can be over $2 million for each day a violation continues.
FDIC, OCC, and FRB Regulations
The discussion that follows pertains to FDIC, OCC, and FRB regulations other than those already discussed on the preceding pages.
Real Estate Lending Standards
The OCC has adopted regulations that prescribe standards for extensions of credit that (i) are secured by real estate, or (ii) are made for the purpose of financing construction or improvements on real estate. The regulations require each institution to establish and maintain written internal real estate lending standards that are consistent with safe and sound banking practices, and appropriate to the size of the institution and the nature and scope of its real estate lending activities. The standards also must be consistent with accompanying guidelines, which include loan-to-value limitations for the different types of real estate loans. Institutions are also permitted to make a limited amount of loans that do not conform to the proposed loan-to-value limitations as long as such exceptions are reviewed and justified appropriately. The guidelines also list a number of lending situations in which exceptions to the loan-to-value standards are justified.
The Federal Banking Agencies also have issued joint guidance entitled “Concentrations in Commercial Real Estate Lending, Sound Risk Management Practices” (the “Commercial Real Estate Guidance”). The Commercial Real Estate Guidance, which addresses land development, construction, and certain multi-family loans, as well as commercial real estate loans, does not establish specific lending limits but, rather, reinforces and enhances the Federal Banking Agencies’ existing regulations and guidelines for such lending and portfolio management. Specifically, the Commercial Real Estate Guidance provides that a bank has a concentration in commercial real estate lending if (1) total reported loans for construction, land development, and other land represent 100 percent or more of total risk-based capital; or (2) total reported loans secured by multi-family properties, non-farm non-residential properties (excluding those that are owner-occupied), and loans for construction, land development, and other land represent 300 percent or more of total risk-based capital. If a concentration is present, management must employ heightened risk management practices that address key elements, including board and management oversight and strategic planning, portfolio management, development of underwriting standards, risk assessment and monitoring through market analysis and stress testing, and maintenance of increased capital levels as needed to support the level of commercial real estate lending.
On December 13, 2019, the Federal Banking Agencies issued a final rule, which became effective on April 1, 2020, to modify the agencies’ capital rules for HVCRE exposures, as required by the EGRRCPA. The final rule revised the definition of HVCRE exposure to make it consistent with the statutory definition of the term included in Section 214 of the EGRRCPA, which excludes any loan made before January 1, 2015.
Dividend Limitations
The Bank would require the approval of the OCC if the dividends it declares in any calendar year were to exceed the total of its respective net profits for that year combined with its respective retained net profits for the preceding two calendar years, less any required transfer to paid-in capital. The term “net profits” is defined as net income for a given period less any dividends paid during that period.
Investment Activities
National bank investment activities are governed by the National Bank Act and OCC regulations which, consistent with safe and sound banking practices, prescribe standards under which national banks may purchase, sell, deal in, underwrite, and hold securities. The types of investment activities that are permissible for national banks, and the calculation of limits for investments in such covered securities, are set forth in regulations promulgated by the OCC (12 CFR Part 1), as further described in the OCC’s Investment Securities Policy Statement (OCC Bulletin 1998-20). A national bank must adhere to safe and sound banking practices and the specific requirements of the OCC's regulations in conducting such investment activities. A bank must consider, as appropriate, the interest rate, credit, liquidity, price, foreign exchange, transaction, compliance, strategic, and reputation risks presented by a proposed activity, and the particular activities undertaken by the bank must be appropriate for that bank. If the OCC determines for safety and soundness reasons that a bank should calculate its investment limits more frequently than required by the OCC's Investment Securities regulations, the OCC may provide written notice to the bank directing the bank to calculate its investment limitations at a more frequent interval, and the bank must thereafter calculate its investment limits at that interval until further notice from the OCC.
The Gramm Leach Bliley Act and FDIC regulations also impose certain quantitative and qualitative restrictions on such activities and on a bank’s dealings with a subsidiary that engages in specified activities.
Enforcement
The OCC has authority to bring an enforcement action against the Bank for unsafe or unsound banking practices, which could include limiting the Bank’s ability to conduct otherwise permissible activities or imposing corrective capital or managerial requirements on the bank. The enforcement authority of these regulatory agencies includes, among other things, the ability to assess civil money penalties, to issue cease and desist orders, and to remove directors and officers. In general, these enforcement actions may be initiated in response to violations of laws and regulations and unsafe or unsound practices.
Insurance of Deposit Accounts
The deposits of the Bank are insured up to applicable limits by the Deposit Insurance Fund. The maximum deposit insurance provided by the FDIC per account owner is $250,000 for all types of accounts.
Under the FDIC’s risk-based assessment system, insured institutions are assigned to one of four risk categories based upon supervisory evaluations, regulatory capital level, and certain other factors, with less risky institutions paying lower assessments based on the assigned risk levels. An institution’s assessment rate depends upon the category to which it is assigned and certain other factors. Assessment rates range from 2.5 to 42 basis points of the institution’s assessment base, which is calculated as average total assets minus average tangible equity. No institution may pay a dividend if in default of the federal deposit insurance assessment. Deposit insurance assessments are based on total average assets, excluding PPP loans, less average tangible common equity. The FDIC has authority to increase insurance assessments. We cannot predict what insurance assessment rates will be in the future.
Insurance of deposits may be terminated by the FDIC upon a finding that an institution has engaged in unsafe or unsound practices, is in an unsafe or unsound condition to continue operations, or has violated any applicable law, regulation, rule, order, or condition imposed by the FDIC. We do not know of any practice, condition, or violation that would lead to termination of the deposit insurance for the Bank.
On November 16, 2023, the FDIC published in the Federal Register its final rule that imposes special assessments to recover the loss to the Deposit Insurance Fund arising from the protection of uninsured depositors in connection with the systemic risk determination announced on March 12, 2023, following the closures of Silicon Valley Bank and Signature Bank. The assessment base for the special assessments is equal to an insured depository institution’s estimated uninsured deposits, reported as of December 31, 2022, adjusted to exclude the first $5 billion in estimated uninsured deposits from the insured depository institution, or for insured depository institutions that are part of a holding company with one or more subsidiary insured depository institutions, at the banking organization level. The final rule calls for the FDIC to collect special assessments at an annual rate of approximately 13.4 basis points, over eight quarterly assessment periods, beginning with the first quarterly assessment period of 2024.
On December 19, 2025, the FDIC issued an interim final rule amending the special assessment. The interim final rule aligns the total amount collected through the special assessment with the FDIC’s most recent loss estimates and adjusts the assessment rate for the final quarterly collection period. Based on the FDIC’s updated projections, the special assessment is expected to be collected over the initial eight quarterly assessment periods, with the final payment due in March 2026. However, because estimated losses may change as the receiverships progress, the FDIC retains the authority to terminate the assessment early, provide offsets to future regular deposit insurance assessments if amounts collected exceed estimated losses, or impose a one-time final shortfall special assessment if losses exceed amounts collected upon termination of the receiverships for Silicon Valley Bank and Signature Bank. At December 31, 2025, the Bank’s accrual for its estimated special assessment charge was $46 million.
Brokered Deposits
The FDIC limits the ability to accept brokered deposits to those insured depository institutions that are well capitalized. Institutions that are less than well capitalized cannot accept, renew or roll over any brokered deposit unless they have applied for and been granted a waiver by the FDIC. The FDIC has defined the "national rate" for all interest-bearing deposits held by less-than-well-capitalized institutions as "a simple average of rates paid by all insured depository institutions and branches for which data are available" and has stated that its presumption is that this national rate is the prevailing rate in any market. As such, institutions that are less than well capitalized that are permitted to accept, renew or roll over brokered deposits via FDIC waiver generally may not pay an interest rate in excess of the national rate plus 75 basis points on such brokered deposits.
Under the FDIC's framework for analyzing whether bank deposits obtained through third-party arrangements are brokered deposits pursuant to Section 29 of the Federal Deposit Insurance Act, a person is generally a "deposit broker" if it is "engaged in the business of placing deposits, or facilitating the placement of deposits, of third parties with insured depository institutions or the business of placing deposits with insured depository institutions for the purpose of selling interests in those deposits to third parties." The FDIC has also identified a number of common business relationships described as "designated exceptions" that meet the primary purpose exception to Section 29 of the Federal Deposit Insurance Act and include: certain investment-related deposits; property management service deposits; deposits for cross-border clearing services; deposits related to real estate and mortgage servicing activities; retirement and 529 deposits; deposits related to employee benefits programs; deposits held to secure credit card loans; and deposits placed by agencies to disburse government benefits.
Debit Interchange Fees
Pursuant to FRB regulations mandated by the Dodd-Frank Act, interchange fees on debit card transactions are limited to a maximum of $0.21 per transaction plus 5 basis points of the transaction amount. A debit card issuer may recover an additional one cent per transaction for fraud prevention purposes if the issuer complies with certain fraud-related requirements prescribed by the FRB. The FRB also adopted requirements that issuers include two unaffiliated networks for routing debit transactions that are applicable to the Bank. On October 25, 2023, the FRB proposed to lower the maximum interchange fee that a large debit card issuer can receive for a debit card transaction. The proposal would also establish a regular process for updating the maximum amount every other year going forward. We continue to monitor the development of these proposed rule revisions.
Guidance for Third-Party Relationships
On June 9, 2023, the Federal Reserve, OCC, and FDIC issued final interagency guidance on risk management of third-party relationships, including third-party lending relationships. The interagency guidance seeks to, among other things, promote consistency in third-party risk management and provide sound risk management guidance for third-party relationships commensurate with a bank's risk profile and complexity as well as the criticality of the activity. The interagency guidance outlines a five-stage life cycle that a banking organization should incorporate into its third-party risk management approach: (1) planning stage, to evaluate and consider how to manage risks before entering into a third-party relationship; (2) due diligence stage, to provide the banking organization with the information needed to evaluate whether it can appropriately identify, monitor, and control risks associated with the third-party relationship; (3) contract negotiation stage, to facilitate risk management and oversight and specify the expectations and obligations of both parties; (4) ongoing monitoring, to confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations, and to escalate and respond to significant issues or concerns when identified; and (5) termination of third party relationships for various reasons such as expiration or breach of the contract, or the third party’s failure to comply with applicable laws or regulations. The interagency guidance provides detailed recommendations for complying with each of these life cycle stages. The final interagency guidance is directed to all banking organizations supervised by the Federal Reserve, OCC, and FDIC. Further rulemaking activity or guidance with respect to third party relationship risk management and banking-as-a-service arrangements (including with respect to deposit products and services) may be forthcoming.
Banking Regulation
Limitation on Capital Distributions. The OCC regulates all capital distributions made by the Bank, directly or indirectly, including dividend payments. An application to the OCC by the Bank may be required based on a number of factors including whether the Bank would not be at least adequately capitalized following the distribution or if the total amount of all capital distributions (including each proposed capital distribution) for the applicable calendar year exceeds net income for that year to date plus the retained net income for the preceding two years.
Transactions with Affiliates
Under current federal law, transactions between depository institutions and their affiliates are governed by Sections 23A and 23B of the Federal Reserve Act and the FRB’s Regulation W promulgated thereunder. Generally, Section 23A limits the extent to which the institution or its subsidiaries may engage in “covered transactions” with any one affiliate to an amount equal to 10 percent of the institution’s capital stock and surplus, and contains an aggregate limit on all such transactions with all affiliates to an amount equal to 20 percent of such capital stock and surplus. Section 23A also establishes specific collateral requirements for loans or extensions of credit to, or guarantees or acceptances on letters of credit issued on behalf of, an affiliate. Section 23B requires that covered transactions and a broad list of other specified transactions be on terms substantially the same as, or at least as favorable to, the institution or its subsidiaries as similar transactions with non-affiliates.
The Sarbanes-Oxley Act of 2002 generally prohibits loans by the Bank to its executive officers and directors. However, the Sarbanes-Oxley Act contains a specific exemption for loans made by an institution to its executive officers and directors in compliance with other federal banking laws. Section 22(h) of the Federal Reserve Act, and FRB Regulation O adopted thereunder, govern loans by a bank to directors, executive officers, and principal stockholders. FRB Regulation O includes limits on loans to any individual insider and such insider's related interests and certain conditions that must be met before such loans can be made. There is also an aggregate limitation on all loans to insiders and their related interests, which cannot exceed the institution's total unimpaired capital and surplus, unless the FDIC determines that a lesser amount is appropriate. Insiders are subject to enforcement actions for knowingly accepting loans in violation of applicable restrictions.
Community Reinvestment Act
Federal Regulation
Under the Community Reinvestment Act ("CRA"), as implemented by OCC regulations, an institution has a continuing and affirmative obligation consistent with its safe and sound operation to help meet the credit needs of its entire community, including low and moderate income neighborhoods. The CRA generally does not establish specific lending requirements or programs for financial institutions, nor does it limit an institution’s discretion to develop the types of products and services that it believes are best suited to its particular community, consistent with the CRA. However, institutions are rated on their performance in meeting the needs of their communities. Performance is tested in three areas: (1) lending, to evaluate the institution’s record of making loans in its assessment areas; (2) investment, to evaluate the institution’s record of investing in community development projects, affordable housing, and programs benefiting low- or moderate-income individuals and businesses; and (3) service, to evaluate the institution’s delivery of services through its branches, ATMs and other offices. The CRA requires each Federal Banking Agency, in connection with its examination of a financial institution, to assess and assign one of four ratings to the institution’s record of meeting the credit needs of the community and to take such record into account in its evaluation of certain applications by the institution, including applications for charters, branches and other deposit facilities, relocations, mergers, consolidations, acquisitions of assets or assumptions of liabilities, and bank holding company and savings and loan holding company acquisitions. The CRA also requires that all institutions make public disclosure of their CRA ratings.
On October 24, 2023, the OCC, the FDIC and the Federal Reserve issued a final rule amending the agencies’ CRA regulations. However, industry organizations challenged the final rule in court, and on March 29, 2024, the United States District Court for the Northern District of Texas granted an injunction and stay of the final rule. As a result, in July 2025 the agencies issued a joint proposal to rescind the 2023 final rule and replace it with regulations substantively identical to those that were in effect prior to the 2023 final rule. This effectively reinstates the CRA regulations first adopted by the agencies in 1995 and reinstated by the OCC in 2021.
Community Pledge Agreement with the National Community Reinvestment Coalition
On January 24, 2022, the Bank and the National Community Reinvestment Coalition ("NCRC") announced the Bank's commitment to provide $28.0 billion in loans, investments, and other financial support to communities and people of color, low- and moderate-income ("LMI") families and communities, and small businesses. In 2025, we changed our intent regarding the Community Pledge Agreement as a result of the sale of our third-party mortgage origination and servicing businesses during 2024. We are undertaking the development of new initiatives to focus on enhancing the Bank’s community-centered activities to align with our strategic transformation and better meet the credit and banking needs of LMI communities.
Bank Secrecy and Anti-Money Laundering
The Bank is subject to the Bank Secrecy Act (“BSA”) and other anti-money laundering laws and regulations, including the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, commonly referred to as the “USA PATRIOT Act” or the “Patriot Act”. The BSA requires all financial institutions to, among other things, establish a risk-based system of internal controls reasonably designed to prevent money laundering and the financing of terrorism. The BSA includes various record keeping and reporting requirements such as cash transaction and suspicious activity reporting as well as due diligence requirements. The Bank is also required to comply with the U.S. Treasury’s Office of Foreign Assets Control imposed economic sanctions that affect transactions with designated foreign countries, nationals, individuals, entities and others. The USA PATRIOT Act contains prohibitions against specified financial transactions and account relationships, as well as enhanced due diligence standards intended to prevent the use of the United States financial system for money laundering and terrorist financing activities. The Patriot Act requires banks and other depository institutions, brokers, dealers and certain other businesses involved in the transfer of money to establish anti-money laundering programs, including employee training and independent audit requirements meeting minimum standards specified by the Patriot Act, to follow standards for customer identification and maintenance of customer identification records, and to compare customer lists against lists of suspected terrorists, terrorist organizations and money launderers. The Patriot Act also requires federal bank regulators to evaluate the effectiveness of an applicant in combating money laundering in determining whether to approve a proposed bank acquisition.
We have developed and operate an enterprise-wide anti-money laundering program designed to enable us to comply with all applicable anti-money laundering and anti-terrorism financing laws and regulations. Our anti-money laundering program is also designed to prevent our products from being used to facilitate business in certain countries or territories, or with certain individuals or entities, including those on designated lists promulgated by the U.S. Department of the Treasury’s Office of Foreign Assets Control and other U.S. and non-U.S. sanctions authorities. Our anti-money laundering and sanctions compliance programs include policies, procedures, reporting protocols, and internal controls designed to identify, monitor, manage, and mitigate the risk of money laundering and terrorist financing. These controls include procedures and processes to detect and report potentially suspicious transactions, perform consumer due diligence, respond to requests from law enforcement, and meet all recordkeeping and reporting requirements related to particular transactions involving currency or monetary instruments. Our programs are designed to address these legal and regulatory requirements and to assist in managing risk associated with money laundering and terrorist financing.
In July 2024, the Federal Banking Agencies, including the Federal Reserve and OCC, proposed amendments to update the requirements for supervised institutions to establish, implement and maintain effective, risk-based and reasonably designed anti-money laundering and countering the financing of terrorism ("CFT") programs. The proposed amendments would require supervised institutions to identify, evaluate and document the regulated institution's money laundering, terrorist financing and other illicit finance activity risks, as well as consider, as appropriate, the U.S. Department of the Treasury's Financial Crimes Enforcement Network's ("FinCEN") published national anti-money laundering and CFT priorities. Additionally, in August 2024, FinCEN, which drafts regulations implementing anti-money laundering legislation, adopted a rule extending anti-money laundering obligations, including maintenance of an anti-money laundering program and filing certain reports with FinCEN, to registered investment advisers. Compliance with these requirements is required beginning on January 1, 2026.
Office of Foreign Assets Control Regulation
The United States has imposed economic sanctions that affect transactions with designated foreign countries, foreign nationals, and others. These are typically known as the “OFAC” rules, based on their administration by the U.S. Treasury Department's Office of Foreign Assets Control. The OFAC-administered sanctions targeting countries take many different forms. Generally, however, they contain one or more of the following elements: (i) restrictions on trade with, or investment in, a sanctioned country, including prohibitions against direct or indirect imports from, and exports to, a sanctioned country and prohibitions on “U.S. persons” engaging in financial transactions relating to making investments in, or providing investment-related advice or assistance to, a sanctioned country; and (ii) a blocking of assets in which the government or specially designated nationals of the sanctioned country have an interest, by prohibiting transfers of property subject to U.S. jurisdiction (including property in the possession or control of U.S. persons). Blocked assets (e.g., property and bank deposits) cannot be paid out, withdrawn, set off, or transferred in any manner without a license from OFAC. Failure to comply with these sanctions could have serious legal and reputational consequences.
Data Privacy
Federal and state law contains extensive consumer privacy protection provisions. The Gramm Leach Bliley Act requires financial institutions to periodically disclose their privacy practices and policies relating to sharing such information and enable retail customers to opt out of the Bank’s ability to share certain information with affiliates and non-affiliates for marketing and/or non-marketing purposes, or to contact customers with marketing offers. The Gramm Leach Bliley Act also requires financial institutions to implement a comprehensive information security program that includes administrative, technical, and physical safeguards to ensure the security and confidentiality of customer records and information and imposes certain limitations on the ability to share consumers’ nonpublic personal information with non-affiliated third parties. Privacy requirements, including notice and opt out requirements, under the Gramm Leach Bliley Act and the FCRA are enforced by the FTC and by the CFPB through UDAAP laws and regulations, and are a standard component of CFPB examinations. State entities also may initiate actions for alleged violations of privacy or security requirements under state law.
Furthermore, an increasing number of state, federal, and international jurisdictions have enacted, or are considering enacting, privacy laws, such as the California Consumer Privacy Act (“CCPA”), which became effective on January 1, 2020, and the EU General Data Protection Regulation (“GDPR”), which regulates the collection, control, sharing, disclosure and use and other processing of personal information of data subjects in the EU and the European Economic Area. The CCPA gives residents of California expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used, in addition to other rights with respect to personal information, and also provides for civil penalties for violations and private rights of action for data breaches. California has also established a state agency to oversee CCPA implementation and enforcement efforts. Meanwhile, the GDPR provides data subjects with greater control over the collection and use of their personal information (such as the “right to be forgotten”) and has specific requirements relating to cross-border transfers of personal information to certain jurisdictions, including to the United States, with fines for noncompliance of up to the greater of 20 million euros or up to 4 percent of the annual global revenue of the noncompliant company.
Cybersecurity
The Cybersecurity Information Sharing Act (the “CISA”) is intended to improve cybersecurity in the U.S. through sharing of information about security threats between the U.S. government and private sector organizations, including financial institutions such as the Bank. The Cybersecurity Information Sharing Act also authorizes companies to monitor their own systems, notwithstanding any other provision of law, and allows companies to carry out defensive measures on their own systems from potential cyber-attacks.
The federal bank regulators have adopted rules providing for new notification requirements for banking organizations and their service providers for significant cybersecurity incidents. Specifically, the new rules require a banking organization to notify its primary federal regulator as soon as possible, and no later than 36 hours after, the banking organization determines that a "computer-security incident" rising to the level of a "notification incident" has occurred. Notification is required for incidents that have materially affected or are reasonably likely to materially affect the viability of a banking organization's operations, its ability to deliver banking products and services, or the stability of the financial sector. Service providers are required under the rule to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect the banking organization's customers for four or more hours.
Cybersecurity and data privacy are also areas of increasing state legislative focus. For example, under California state law, the CCPA broadly defines personal information and substantially increases the rights of California residents to understand how their personal information is collected, used, and otherwise processed by commercial businesses, such as affording them the right to access and request deletion of their information and to opt out of certain sharing and sales of personal information. The CCPA contemplates civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation and includes a private right of action (permitting lawsuits to be brought by private individuals instead of the state Attorney General or other government actor for certain breaches). Numerous other states have enacted, or are considering enacting, comprehensive data privacy laws that share similarities with the CCPA. In addition, laws in all 50 U.S. states require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach.
Federal Home Loan Bank System
The Bank is an active member of the FHLB-NY and continues to be a non-member participant of the FHLB-Indianapolis from advance activity pre-dating the merger of the Bank and Flagstar Bancorp. The Bank is required to hold shares of both FHLB-NY and FHLB-Indianapolis capital stock. At December 31, 2025, the Bank held $497 million of FHLB-NY stock and $255 million of FHLB-Indianapolis stock.
Federal Securities Law
The Bank’s common stock and certain other securities listed on the cover page of this report are registered with the OCC under the Exchange Act of 1934. The Bank is subject to the information and proxy solicitation requirements, insider trading restrictions, and other requirements under the Exchange Act.
Consumer Protection Regulations
The activities of the Bank may be subject to a variety of federal and state consumer laws and regulations designed to protect consumers. These laws and regulations mandate certain disclosure requirements and regulate the manner in which financial institutions must deal with clients and monitor account activity when taking deposits from, making loans to, or engaging in other types of transactions with, such clients. Failure to comply with these laws and regulations could lead to substantial penalties, operating restrictions, and reputational damage to the financial institution.
Applicable federal consumer protection laws, and their implementing regulations, include, but may not be limited to, the Dodd-Frank Wall Street Reform and Consumer Protection Act, Truth in Lending Act (Regulation Z), Truth in Savings Act (Regulation DD), Equal Credit Opportunity Act (Regulation B), Electronic Funds Transfer Act (Regulation E), Fair Housing Act, Home Mortgage Disclosure Act (Regulation C), Fair Debt Collection Practices Act (Regulation F), Fair Credit Reporting Act (Regulation V), as amended by the Fair and Accurate Credit Transactions Act, Expedited Funds Availability (Regulation CC), Reserve Requirements (Regulation D), Insider Transactions (Regulation O), Privacy of Consumer Information (Regulation P), Margin Stock Loans (Regulation U), Right To Financial Privacy Act, Flood Disaster Protection Act, Homeowners Protection Act, Servicemembers Civil Relief Act, Real Estate Settlement Procedures Act (Regulation X), Telephone Consumer Protection Act, CAN-SPAM Act, Children’s Online Privacy Protection Act, the Military Lending Act, and the Homeownership Counseling Act. Additionally, we are subject to Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts or practices in or affecting commerce, and Section 1031 of the Dodd-Frank Act, which prohibits unfair, deceptive, or abusive acts or practices (“UDAAP”) in connection with any consumer financial product or service.
In addition, the Bank and its subsidiaries may be subject to certain state laws and regulations designed to protect consumers. Many states have consumer protection laws analogous to, or in addition to, the federal laws listed above, such as usury laws, state debt collection practices laws, and requirements regarding loan disclosures and terms, credit discrimination, credit reporting, money transmission, recordkeeping, and unfair or deceptive business practices.
Consumer Financial Protection Bureau
The Bank is subject to oversight by the Consumer Financial Protection Bureau ("CFPB") within the Federal Reserve System. The CFPB was established under the Dodd-Frank Wall Street Reform and Consumer Protection Act to implement and enforce rules and regulations under certain federal consumer protection laws with respect to the conduct of providers of certain consumer financial products and services. The CFPB has broad rulemaking authority for a wide range of consumer financial
laws that apply to all banks, including, among other things, the authority to prohibit acts and practices that are deemed to be unfair, deceptive, or abusive.
The CFPB has exclusive examination and primary enforcement authority with respect to compliance with federal consumer financial protection laws and regulations by institutions under its supervision and is authorized, individually or jointly with the Federal Banking Agencies, to conduct investigations to determine whether any person is, or has, engaged in conduct that violates such laws or regulations. The CFPB has the authority to investigate possible violations of federal consumer financial law, hold hearings, and commence civil litigation. The CFPB can issue cease-and-desist orders against banks and other entities that violate consumer financial laws. The CFPB also may institute a civil action against an entity in violation of federal consumer financial law in order to impose a civil penalty or an injunction.
The CFPB is also authorized to collect fines and provide consumer restitution in the event of violations, engage in consumer financial education, track consumer complaints, request data and promote the availability of financial services to underserved consumers and communities. The CFPB is authorized to pursue administrative proceedings or litigation for violations of federal consumer financial laws. In these proceedings, the CFPB can obtain cease and desist orders (which can include orders for restitution or rescission of contracts, as well as other kinds of affirmative relief) and monetary penalties which, for 2025, range from $7,217 per day for minor violations of federal consumer financial laws (including the CFPB’s own rules) to $36,083 per day for reckless violations and $1,443,275 per day for knowing violations. The CFPB monetary penalty amounts are adjusted annually for inflation. Also, where a company has violated Title X of the Dodd-Frank Act or CFPB regulations under Title X, the Dodd-Frank Act empowers state attorneys general and state regulators to bring civil actions for the kind of cease-and-desist orders available to the CFPB (but not for civil penalties).
In May 2022, the CFPB issued an Interpretive Rule to clarify the authority of states to enforce federal consumer financial protection laws under the Consumer Financial Protection Act of 2010 (“CFPA”). However, in May 2025 the CFPB rescinded the interpretive rule, concluding that its interpretations were improper, but noting that the rescission of the interpretive rule does not alter, limit or affect the authority of states to take any action authorized by any separate provision of state or federal law. It is possible that the CFPB could issue additional guidance limiting or expanding the scope of States’ authority to enforce the CFPA in the future.
The CFPB has implemented the ability-to-repay and qualified mortgage (QM) provisions of the Truth in Lending Act (the “QM Rule”) and has recently taken steps to modify the QM Rule. The ability-to-repay provision requires creditors to make reasonable, good faith determinations that borrowers are able to repay their mortgages before extending credit based on a number of factors and consideration of financial information about the borrower derived from reasonably reliable third-party documents. Under the Dodd-Frank Act and the QM Rule, loans meeting the definition of “qualified mortgage” are entitled to a presumption that the lender satisfied the ability-to-repay requirements. The presumption is a conclusive presumption/safe harbor for loans meeting the QM requirements, and a rebuttable presumption for higher-priced loans meeting the QM requirements. The Bank has created policies and procedures to comply with these consumer protection requirements and continues to monitor developments relative to future changes to the QM Rule.
In October 2024, the CFPB issued a rule aimed to enhance consumer control and competition in financial services requiring banks and payment providers to give consumers free access to certain financial data upon request. With consumer authorization, they must also share this data with third parties via secure interfaces to facilitate financial services. Required data includes transaction information, account balance, account and routing numbers, terms and conditions, upcoming bill information, and certain account verification data. The rule takes effect for the Bank on April 1, 2027; however, the compliance timeline is subject to change due to the outcome of pending litigation challenging the rule and ongoing rulemaking activities. In August 2025, the CFPB issued an advanced notice of proposed rulemaking outlining questions related to the original rule, the responses to which the CFPB will consider as it engages in rulemaking to implement Section 1033 of the CFPA. While the impact of the rule will depend upon a number of factors, including consumer behavior and the actions of data providers and recipients, open banking initiatives like this final rule have the potential to change the competitive landscape, presenting challenges to our business model.
The CFPB and other regulators have recently had a heightened focus on fees, rewards and other practices related to credit cards. For example, in March 2024, the CFPB issued a final rule lowering the safe harbor amount for credit card late fees that would be considered “reasonable and proportional” to the costs incurred by credit card issuers for late payments to eight dollars, eliminating a higher late fee safe harbor amount for subsequent late payments and eliminating the annual inflation adjustment for the safe harbor amount. However, in April 2025, the rule was vacated as part of a consent judgment based on the U.S. District Court for the Northern District of Texas finding that the rule likely violated the Credit Card Accountability and Disclosure Act by preventing card issuers from imposing penalty fees that are reasonable and proportional to violations, as
required by the Act. The vacating of the rule effectively restores the safe-harbor framework that had been in place prior to the rule. It is possible that the CFPB or state regulators could engage in related rulemaking in the future, which could impact the ability of banks to impose certain fees.
In December 2024, the CFPB issued a final rule to amend Regulation Z, which implements the Truth in Lending Act, to apply to overdraft credit provided by insured depository institutions with more than $10 billion in total assets. The final rule was scheduled to go into effect on October 1, 2025; however, in April 2025, the rule was overturned and nullified by Congress using the fast-track procedures of the Congressional Review Act. Because a joint resolution of disapproval was enacted, the CFPB may not issue a rule in substantially the same form in the future absent authorization in a subsequent law.
We continue to monitor recent developments related to the CFPB and their ongoing supervision. We believe and continue to operate in accordance with the applicable requirements. We expect to continue to be regulated by the CFPB or the other regulatory agencies who also supervise our compliance with consumer financial protection requirements.
Supervision and Regulation of Mortgage Banking Operations
Our mortgage banking business is subject to the rules and regulations of the U.S. Department of Housing and Urban Development, the Federal Housing Administration, the Veterans’ Administration, Federal National Mortgage Association, Government National Mortgage Association and Federal Home Loan Mortgage Corporation with respect to originating, processing, selling and servicing mortgage loans. Those rules, policies, regulations, guidelines or procedures, among other things, prohibit discrimination and establish underwriting guidelines, which include provisions for inspections and appraisals, require credit reports on prospective borrowers, and fix maximum loan amounts. Each of these entities has its own financial requirements, including submitting audited financial statements annually. We are also subject to examination or review to assure compliance with the applicable rules, policies, regulations, guidelines or procedures. Mortgage origination activities are subject to federal laws that include, among others, the Equal Credit Opportunity Act, the Federal Truth-in-Lending Act, the Fair Housing Act, the Fair Credit Reporting Act, the National Flood Insurance Act and the Real Estate Settlement Procedures Act and related federal regulations that prohibit discrimination and require the disclosure of certain basic information to mortgagors concerning credit terms and settlement costs. Our mortgage banking operations are also affected by various state and local laws, regulations and the requirements of various private mortgage investors.
The federal bank regulatory agencies have adopted uniform regulations prescribing standards for extensions of credit that are secured by liens or interests in real estate or made for the purpose of financing permanent improvements to real estate. Under these regulations, all insured depository institutions, such as the Bank, must adopt and maintain written policies establishing appropriate limits and standards for extensions of credit that are secured by liens or interests in real estate or are made for the purpose of financing permanent improvements to real estate. These policies must establish loan portfolio diversification standards, prudent underwriting standards (including loan-to-value limits) that are clear and measurable, loan administration procedures, and documentation, approval, and reporting requirements. The real estate lending policies must reflect consideration of the federal bank regulatory agencies’ Interagency Guidelines for Real Estate Lending Policies.
Lending Authority
We maintain internal credit limits in compliance with regulatory requirements. Under regulatory guidance, the Bank may not make a loan or extend credit to a single or related group of borrowers in excess of 15 percent of Tier 1 plus Tier 2 capital and any portion of the ACL not included in Tier 2 capital. We have a tracking and reporting process to monitor lending concentration levels. All new credit exposure to relationships that exceed $350 million must be approved by the Risk Assessment Committee (the "RAC") of the Board. Credit exposures to relationships that exceed $125 million must be approved by the Chief Credit Officer. Relationships less than the aforementioned limits including those discussed throughout the loans held for investment section of this document, are approved by the joint authority of credit officers and lending officers. The RAC of the Board has the authority to direct changes in lending practices as they deem necessary or appropriate to address credit risks and exposures, including regulatory considerations, in accordance with the Bank’s strategic objectives and risk appetites.
Future Legislation and Regulation
Laws, regulations and policies are continually under review by Congress and state legislatures and federal and state regulatory agencies. In addition to the specific legislation and regulations described above, future legislation and regulations or changes to existing statutes, regulations or regulatory policies applicable to the Bank and its subsidiaries may affect the business, financial condition and results of operations in adverse and unpredictable ways and increase reporting requirements
and compliance costs. The substance or impact of pending or future legislation or regulation, or the application thereof, cannot be predicted.