OP Bancorp (OPBK) Business

Item 1. Business.

Overview

Founded in 2005 as First Standard Bank, and rebranded as Open Bank in 2010, we formed OP Bancorp as our holding company in 2016. OP Bancorp, headquartered in Los Angeles, California, operates its commercial community banking activities through Open Bank ("Open Bank" or the "Bank"), our wholly owned banking subsidiary. We provide commercial banking services to small and medium-sized businesses, their owners, and retail customers, with a focus on the Korean-American community. We currently operate twelve full service branches: nine branches across Los Angeles and Orange Counties in California, as well as one branch each in Santa Clara, California; Carrollton, Texas; and Las Vegas, Nevada. Additionally, we maintain five loan production offices located in Pleasanton, California; Atlanta, Georgia; Aurora, Colorado; Lynnwood, Washington; and Fairfax, Virginia. Substantially all our business activities are conducted through the Bank.

We provide our customers with a high degree of service, convenience and the financial products we believe they need to achieve their financial objectives, by offering a customer-oriented product mix, competitive pricing, and convenient locations. Our lending activities are diversified and include commercial real estate ("CRE"), commercial and industrial ("C&I"), Small Business Administration (“SBA”), home mortgage, and consumer loans. We generally lend in markets where we have a physical presence through our branch and loan production offices. We attract retail deposits through our branch network which offers a wide range of deposit products for business and consumer banking customers. We offer a multitude of other banking products and services to our customers to complement our lending and deposit business.

We have a strong, values-based corporate culture rooted in personal community-based relationship banking that permeates throughout our entire organization. We strive to provide quality customer service that exceeds our customers’ expectations. We also heavily invest in the Korean-American communities through our annual contributions to the Open Stewardship Foundation. We believe that our customers value a banking partner that is knowledgeable about their business needs with a willingness and commitment to reinvest in their communities. We assure our customers that banking with us indirectly provides them an opportunity to contribute to their community. We believe our strategic approach creates opportunities for expanding our banking relationships with new and existing customers who value personalized attention, local decision making and view us as an alternative to larger, more consolidated Korean-American financial institutions.

We established the Open Stewardship Foundation in 2011 to actively support civic organizations, schools and other eligible charitable non-profit organizations that provide public benefit services in the communities we serve. The Foundation operates through a board of directors that includes individuals who are members of our board of directors and executive management team, including our President and Chief Executive Officer and our Chairman of the Board. The Foundation board of directors reviews and approves award grants. We have committed to contribute annually 10% of our consolidated net income after taxes to the Foundation. Since inception, we have donated approximately $22.1 million to the Foundation, supporting over 250 local non-profit organizations through December 31, 2025.

We plan to continue to leverage our experienced management team, our personal relationship, community banking focus in the Korean-American communities in which we serve, and our diversified lending approach to drive future organic growth. While other institutions frequently enter new geographies through acquisitions, we have grown our geographic footprint through de novo branches, while remaining true to our business model. Although our growth historically has been organic, we may in the future consider opportunistic strategic acquisitions to enhance our long-term growth strategy.

Competition

The banking and financial services industry in our primary markets in Southern California is highly competitive. Within the Korean‑American direct banking market, competition consists of a limited number of banks operating across varying asset sizes and ownership structures, most of which are California‑based. We also compete with other community and regional banks in our markets, including Chinese‑American and other

2

Asian‑American banks, where there is overlap in loan and deposit relationships. We pursue growth in these markets primarily through organic expansion and, where appropriate, strategic acquisitions.

In addition, we compete with a broad range of financial institutions and nonbank financial service providers, including large national and regional banks, savings institutions, credit unions, brokerage firms, mortgage companies, finance companies, insurance companies, and online‑focused financial services firms. Many of these competitors have greater financial resources, longer operating histories, higher lending limits, broader product offerings, and greater access to capital markets, which may allow them to offer more competitive pricing, expanded services, or enhanced delivery channels.

Competitive pressures are driven by industry consolidation, evolving regulatory requirements, technological innovation, and changing customer expectations. Customers increasingly demand multiple delivery channels and digital banking capabilities, intensifying competition from both traditional financial institutions and non‑depository providers. We compete primarily through relationship‑based banking, deep knowledge of the communities we serve, responsive decision‑making, disciplined risk management, and a scalable operating platform designed to support growth while maintaining asset quality and operational efficiency.

Deposit Products

We offer traditional retail deposit products through our branch network, along with online and mobile banking access. Our deposit offerings include demand, savings, money market, and time deposit accounts designed to serve our broad customer base. Core deposits are an important source of funding for our lending activities, and we strive to maintain a balanced and diversified deposit mix through competitive pricing, convenient branch locations, and relationship‑based service. We supplement core deposits with wholesale funding, including brokered deposits, as needed. We also employ conventional marketing initiatives and leverage our community involvement to attract and retain customers. In many cases, we require borrowers to maintain deposit relationships. For additional information on our deposits, see Management’s Discussion and Analysis of Financial Condition and Results of Operations ("MD&A"). Financial Condition — Deposits and Other Sources of Funds and Note 7. Deposits to the Consolidated Financial Statements in this Form 10-K.

Lending Activities

Our principal business is commercial and consumer lending focused on businesses and individuals located primarily in Southern California. Our lending strategy emphasizes a diversified loan portfolio by borrower type, loan product, industry, and geography, with a focus on high‑quality credits originated within our market areas. We seek to meet the credit needs of small‑ and medium‑sized businesses, professionals, and individuals in the communities we serve.

Our loan products include CRE loans, SBA loans, C&I loans, mortgage warehouse lines of credit, residential mortgage loans, and unsecured consumer loans. CRE loans are generally secured by first liens on income‑producing or owner‑occupied properties. C&I loans are typically secured by business assets and, where appropriate, personal guarantees. SBA lending primarily consists of SBA 7(a) and SBA 504 loans for working capital, business expansion, and owner‑occupied real estate. Residential mortgage lending includes adjustable‑rate loans for owner‑occupied and non‑owner‑occupied properties, while consumer lending consists primarily of unsecured lines of credit and term loans to high‑net‑worth individuals.

Lending activities are primarily originated through our relationship‑based banking model, including our branch network, experienced commercial bankers, loan production officers, and specialized lending teams. SBA loans are originated through our dedicated SBA Loan Department, supported by our status as an SBA Preferred Lender, and through a combination of internal staff and third‑party brokers. Residential mortgage loans are originated through our retail branches, correspondent relationships, and selective purchases from third‑party originators. Mortgage warehouse lines of credit are extended to non‑bank mortgage originators to finance short‑term residential mortgage production.

We manage credit risk through centralized credit policies, disciplined underwriting standards, defined approval authorities, ongoing portfolio monitoring, and independent loan review. When individual credit

3

exposures exceed regulatory lending limits or concentration thresholds, we may sell loan participations to other financial institutions to manage risk and meet customer borrowing needs.

For additional information on our loan portfolio, see MD&A. Financial Condition — Loans and Note 3. Loans and Allowance for Credit Losses on Loans to the Consolidated Financial Statements in this Form 10-K.

Investment Activities

We manage our securities portfolio and cash with a goal of maintaining adequate liquidity and preserve principal, with a secondary focus on yield. The portfolio is used to balance sheet liquidity, diversify asset quality, and manage interest rate risk in accordance with established policies.

Coexistence Agreement between the Bank and Open Bank S.A.

We have not registered the trademark “Open Bank” under the trademark laws of the United States. Open Bank, S.A., a corporation organized and existing under the laws of Spain with its principal office located in Ciudad Grupo Santander, Av. Catabria Boadilla del Monte Madrid Spain (“Open Bank S.A.”) originally registered the trademark “Open Bank” (U.S. Registration No. 3397518) in 2008 with the United States Patent and Trademark Office. Open Bank S.A. provides financial services in Spain and solicits financial services in the United States through the internet. Open Bank S.A. is operating through Santander and is using the Santander license to engage in banking in the United States. In February 2014, we entered into a Coexistence Agreement with Open Bank S.A. (the “Coexistence Agreement”), under which both parties agreed that we may use the name “Open Bank” in connection with banking and banking related services in the state of California and the cities of New York, Dallas, Atlanta, Chicago, Seattle and Fort Lee, New Jersey (the “Permitted Markets”). We agreed to limit all of the Bank’s marketing, advertising, publicity, soliciting and or media efforts using the “Open Bank” name to primarily the Korean-American community in the Permitted Markets. However, we have the right under the Coexistence Agreement to market through the internet. The Coexistence Agreement states that these limitations are not intended to mean that we should in any way engage in discriminatory tactics or policy or in any way discriminate against non-Korean-American customers or potential customers. Under the Coexistence Agreement, Open Bank S.A. retains the right to use and market its services in relation to its registered trademark in any state or territory in the United States. We further agreed not to challenge Open Bank S.A.’s trademark registration or any future applications by Open Bank S.A. The Coexistence Agreement has no termination date and is perpetual. If Open Bank S.A. decides to become a licensed bank in California or in any of the other Permitted Markets, depending on its business and marketing plan, there could be confusion created by the use of the name “Open Bank,” which could have a material adverse impact on our ability to build its brand in the Permitted Markets. In addition, if Open Bank S.A. were to assert that we breached the Coexistence Agreement, Open Bank S.A. could file for an injunction, seek to have the Bank change its name or seek monetary damages, any of which could have a material adverse impact on our financial condition and results of operations. There are no approval rights of either party for any of the actions or no actions that either party may take under the Coexistence Agreement. To our knowledge Open Bank S.A. has not initiated any business or marketing activities in the United States other than through its website.

Human Capital Resources: Our Focus on Relationships

Our vision is to be known as a faith-based community bank focused on relationship banking. We have invested in developing a distinct corporate culture guided by a core set of values that arise directly from this vision. These values underlie everything we do, including the way we engage with customers and vendors, collaborate with colleagues, do business and manage our resources. Our values are fostered by stewardship, integrity, teamwork, and excellence. We believe our commitment to our communities, culture and quality of our people have been catalysts of our success and will continue to propel our future.

We aim to recruit, train, incentivize and retain a workforce that embraces our culture and values beginning with our hiring process and flowing throughout our organization. We also believe that our overall capabilities, culture and opportunities for career growth will allow us to continue to attract talented and entrepreneurial commercial and retail bankers from larger financial institutions.

We are dedicated to building and fostering an excellent relationship with our employees by promoting a healthy work environment, comprehensive total rewards package, open communications, and employee involvement.

4

We provide medical, dental, vision, life & disability, flexible spending accounts, and other supplemental benefits. We offer a 401(k) plan, which allows participants to contribute and invest a portion of each paycheck with a competitive employer match.

We support employees’ personal ambitions and professional development by providing on-the-job training and educational assistance, including reimbursement for eligible expenses associated with attending trainings and educational programs. We developed these components to recruit, retain, and reward top talent and remain an employer of choice by employees. We believe that our culture and values are among the attributes that our prospective employees find most attractive, and that these traits permeate throughout our organization and allow us to recruit talented individuals in ways that larger, less personalized financial institutions cannot.

As of December 31, 2025, we had 249 full-time equivalent employees, compared with 231 full-time equivalent employees as of December 31, 2024.

We consider our relationship with our employees to be good and have not experienced interruptions of operations due to labor disagreements.

Available Information

Our executive office is located at 1000 Wilshire Boulevard, Suite 500, Los Angeles, California 90017, and our main telephone number is (213) 892-9999. Our website, www.myopenbank.com, includes an investor relations section accessible at http://opbancorp.q4ir.com, where we make available, free of charge, our annual, quarterly, and current reports filed under the Securities Exchange Act of 1934, as well as proxy statements and any amendments to those filings, as soon as reasonably practicable after they are filed with or furnished to the SEC. We also post on our website the charters of our Board committees, our Code of Business Conduct and Ethics, and other corporate governance materials. We also make available summaries of Section 16 filings made by our directors and officers. Information on or accessible through our website is not incorporated by reference into this report or into our other filings with the SEC except to the extent explicitly stated therein. Shareholders may also request a free copy of any of the above-referenced reports and corporate governance documents by contacting us at the address or telephone number provided, or by emailing IRSupport@myopenbank.com.

Supervision and Regulation

General

We are extensively regulated under U.S. federal and state law. The effects of these laws and regulations affect our ability to make management decisions and to conduct our operations, and over recent years the volume, scope and complexity of these regulations have expanded substantially. The combined application of these laws and regulations applies to virtually every aspect of our business, and to a substantial degree affects our relationships with clients, vendors, and affiliates as well. Further, the cost of complying with these laws and regulations, and the potential penalties, liabilities or other consequences of failure to comply, has risen dramatically in recent years, and we do not expect that these costs or associated risks will be ameliorated in the foreseeable future. As a result, our growth and earnings performance may be affected not only by management decisions and general economic conditions, but also by federal and state statutes and by the regulations and policies of various bank regulatory agencies.

Federal and state banking laws impose a comprehensive system of supervision, regulation and enforcement on the operations of banks, their holding companies and certain of their affiliates. These laws are intended primarily to protect the Federal Deposit Insurance Corporation ("FDIC")’s Deposit Insurance Fund ("DIF") and bank customers rather than shareholders. Federal and state laws, and the related regulations of the bank regulatory agencies, affect, among other things, the scope of business, the kinds and amounts of investments banks and bank holding companies may make, their reserve requirements, capital levels relative to operations, the nature and amount of collateral for loans, the establishment of branches, the acceptance and management of risk, the ability to merge, consolidate and acquire, dealings with insiders and affiliates and the payment of dividends.

5

With respect to the OP Bancorp, we are regulated and examined by the California Department of Financial Protection and Innovation (“DFPI”) and the Federal Reserve Bank of San Francisco. Open Bank files reports with and is examined by the FDIC and the DFPI. In addition to banking and financial institutions laws and regulations, we are subject to a broad swath of other regulatory frameworks applicable to public companies generally, including federal and state tax laws, accounting rules developed by the Financial Accounting Standards Board (“FASB”), and federal and state securities laws. These statutes, regulations, regulatory policies and rules are significant to the financial condition and results of operations of OP Bancorp and its subsidiary, the Bank. This section briefly summarizes of the most significant aspects of applicable banking laws and regulations, but the implications and effects of these laws and regulations upon our business is far too extensive to be described completely, and readers should refer to Item 1A. Risk Factors in this Form 10-K for certain effects of these laws and regulations that may have a particular effect on our assets, results of operations and financial condition. We have not attempted to summarize laws of general applicability, such as corporate, tax, securities and accounting regulations, or other laws, such as employment laws, that may also have a material impact upon our business.

This supervisory and regulatory framework subjects banks and bank holding companies to periodic examination by their respective regulatory agencies, which results in examination reports and ratings that, while not publicly available, can affect the conduct and growth of their businesses. These examinations consider not only compliance with applicable laws and regulations, but also capital levels, asset quality and risk, management ability and performance, earnings, liquidity, and various other factors. Regulatory agencies have broad discretion to impose restrictions and limitations on the operations of a regulated entity where the agencies determine, among other things, that such operations are unsafe or unsound, fail to comply with applicable law or are otherwise inconsistent with laws and regulations or with the supervisory policies of these agencies. Regulators can, among other things, challenge a bank's classification of loans or collateral support, may require an increase in reserves, may prohibit or restrict certain types of deposit-gathering, and take other actions that may affect an institution's profitability. Further, federal bank regulatory agencies have broad enforcement powers, including the power to terminate deposit insurance, impose substantial fines and other civil and criminal penalties, and appoint a conservator or receiver for financial institutions. Failure to comply with applicable laws and regulations could subject us and our officers and directors to administrative sanctions and potentially substantial civil money penalties. In addition, the appropriate federal bank regulatory agency may appoint the FDIC as conservator or receiver for a depository institution (or the FDIC may appoint itself, under certain circumstances) if any one or more of a number of circumstances exist, including, without limitation, the fact that the depository institution is undercapitalized and has no reasonable prospect of becoming adequately capitalized, fails to become adequately capitalized when required to do so, fails to submit a timely and acceptable capital restoration plan or materially fails to implement an accepted capital restoration plan. The DFPI also has broad enforcement powers over us, including the power to impose orders, remove officers and directors, impose fines and appoint supervisors and conservators.

The following is a summary of the material elements of the supervisory and regulatory framework applicable to OP Bancorp and its subsidiary, the Bank. It does not describe all of the applicable statutes, regulations and regulatory policies, nor does it restate all of the requirements of those that are described. The descriptions are qualified in their entirety by reference to the particular statutory or regulatory provision.

Regulatory Capital Requirements

The Bank is subject to a comprehensive capital framework (the “Capital Rules”) adopted by Federal banking regulators (including the Federal Reserve and the FDIC), and similar rules will apply to OP Bancorp once its total assets exceed $3 billion or if it engages in certain types of activities. The Capital Rules implement the Basel III framework for strengthening the regulation, supervision and risk management of banks, as well as certain provisions of the Dodd-Frank Act. The Capital Rules generally recognize three components, or tiers, of capital: common equity Tier 1 capital, additional Tier 1 capital and Tier 2 capital. Common equity Tier 1 capital generally consists of retained earnings and common stock instruments (subject to certain adjustments), as well as accumulated other comprehensive income (“AOCI”) except to the extent that the institution exercises a one-time irrevocable option to exclude certain components of AOCI. We exercised the opt-out election regarding the treatment of AOCI in part to avoid significant variations in our capital levels resulting in changes in the fair market value of our available-for-sale ("AFS") debt securities portfolio as interest rates fluctuate. Additional Tier 1 capital generally includes non-cumulative preferred stock and related surplus subject to certain

6

adjustments and limitations. Tier 2 capital generally includes certain capital instruments (such as subordinated debt) and portions of the amounts of the allowance for credit losses, subject to certain requirements and deductions. The term “Tier 1 capital” means common equity Tier 1 capital plus additional Tier 1 capital, and the term “total capital” means Tier 1 capital plus Tier 2 capital.

The Capital Rules generally measure an institution’s capital using four capital measures or ratios. The common equity Tier 1 capital ratio is the ratio of the institution’s common equity Tier 1 capital to its total risk-weighted assets. The Tier 1 risk-based capital ratio is the ratio of the institution’s Tier 1 capital to its total risk-weighted assets. The total risk-based capital ratio is the ratio of the institution’s total capital to its total risk-weighted assets. The Tier 1 leverage ratio is the ratio of the institution’s Tier 1 capital to its average total consolidated assets. To determine risk-weighted assets, assets of an institution are generally placed into a risk category as prescribed by the regulations and given a percentage weight based on the relative risk of that category. An asset’s risk-weighted value will generally be its percentage weight multiplied by the asset’s value as determined under generally accepted accounting principles. In addition, certain off-balance-sheet items are converted to balance-sheet credit equivalent amounts, and each amount is then assigned to one of the risk categories. An institution’s federal regulator may require the institution to hold more capital than would otherwise be required under the Capital Rules if the regulator determines that the institution’s capital requirements under the Capital Rules are not commensurate with the institution’s credit, market, operational or other risks.

To be adequately capitalized, both OP Bancorp and the Bank are required to have a common equity Tier 1 capital ratio of at least 4.5% or more, a Tier 1 leverage ratio of 4.0% or more, a Tier 1 risk-based ratio of 6.0% or more and a total risk-based ratio of 8.0% or more. In addition to the preceding requirements, both OP Bancorp and the Bank are required to maintain a “conservation buffer” consisting of common equity Tier 1 capital, which is at least 2.5% above each of the required minimum levels. An institution that does not meet the conservation buffer will be subject to restrictions on certain activities including payment of dividends, stock repurchases and discretionary bonuses to executive officers.

The Capital Rules determine how certain capital elements are assessed, including but not limited to, requiring certain deductions related to mortgage servicing rights and deferred tax assets. The Capital Rules permit holding companies with less than $15 billion in total assets as of December 31, 2009 (which includes OP Bancorp) to continue to include trust preferred securities issued prior to May 19, 2010 in Tier 1 capital, generally up to 25% of other Tier 1 capital.

The Capital Rules also prescribe the methods for calculating certain risk-based assets and risk-based ratios. Higher or more sensitive risk weights are assigned to various categories of assets, among which are credit facilities that finance the acquisition, development or construction of real property, certain exposures or credits that are 90 days past due or are nonaccrual, foreign exposures, certain corporate exposures, securitization exposures, equity exposures and in certain cases mortgage servicing rights and deferred tax assets.

OP Bancorp

General. As a bank holding company, we are subject to regulation, supervision and periodic examination by the Federal Reserve under the Bank Holding Company Act of 1956, as amended (the “BHCA”), and by the DFPI in accordance with the California Financial Code. OP Bancorp is required to file with the Federal Reserve periodic reports of its operations and such additional information as the Federal Reserve may require. In accordance with Federal Reserve laws and regulations, OP Bancorp is required to act as a source of financial strength to the Bank and to commit resources to support the Bank in circumstances where it might not otherwise do so.

Permitted Activities. The BHCA generally prohibits a bank holding company from acquiring direct or indirect ownership or control of more than 5% of the voting shares of any company that is not a bank or whose business is not “closely related to banking.” The Federal Reserve has the power to order any bank holding company or its subsidiaries to terminate any activity or to terminate its ownership or control of any subsidiary when the Federal Reserve has reasonable grounds to believe that continuing such activity, ownership or control constitutes a serious risk to a subsidiary's financial soundness, safety or stability.

7

Source of Strength Doctrine. Federal Reserve policy historically required bank holding companies to act as a source of financial and managerial strength to their subsidiary banks. Dodd-Frank codified this policy as a statutory requirement. OP Bancorp is required to act as a source of strength to the Bank and to commit capital and financial resources to support the Bank, including at times when it may not be in a financial position to do so. OP Bancorp must stand ready to use its available resources to provide adequate capital to the Bank during periods of financial stress or adversity. OP Bancorp must also maintain the financial flexibility and capital raising capacity to obtain additional resources for assisting the Bank. OP Bancorp’s failure to meet its source of strength obligations may be construed as an unsafe and unsound practice, a violation of the Federal Reserve’s regulations, or both. The source of strength doctrine most directly affects bank holding companies whose subsidiary bank fails to maintain adequate capital levels. In such situation, the subsidiary bank will be required by the bank’s federal regulator to take “prompt corrective action.” Any capital loans by a bank holding company to its subsidiary bank are statutorily subordinate in right of payment to deposits and to certain other indebtedness of the bank. In the event of a bank holding company’s bankruptcy, its commitment to a federal bank regulatory agency to maintain the capital of its subsidiary bank will be assumed by the bankruptcy trustee and entitled to priority of payment.

Dividend Payments, Stock Redemptions and Repurchases. In addition to the requirements of the California Corporations Code, which imposes certain solvency tests and board-level approval requirements, the Federal Reserve may require a bank holding company to eliminate, defer or significantly reduce dividends to shareholders if: (i) the bank holding company’s net income available to shareholders for the past four quarters, net of dividends previously paid during that period, is not sufficient to fully fund the dividends; (ii) the prospective rate of earnings retention is inconsistent with the bank holding company’s capital needs and overall current and prospective financial condition; or (iii) the bank holding company will not meet, or is in danger of not meeting, its minimum regulatory capital adequacy ratios. The Capital Rules also require that a holding company seeking to pay dividends must maintain 2.5% in common equity Tier 1 capital attributable to the capital conservation buffer. See Supervision and Regulation — Regulatory Capital Requirements in this Form 10-K.

Acquisitions, Activities and Change in Control. The BHCA and the California Financial Code also substantially govern an institution’s ability to grow by acquisition. These regulations include extensive application filing and approval requirements as well as substantive regulation over the projected operations and financial performance of institutions proposing to merge or to be acquired. These laws and regulations afford regulators, including the Federal Reserve, the FDIC and the DFPI with expansive authority and discretion and may affect the availability, timing and cost of initiatives that financial institutions might take as a means to effectuate strategic growth.

Open Bank

General. The Bank is a California state-chartered commercial bank. The Bank's deposit accounts are insured by the FDIC through the DIF to the maximum extent permitted under applicable federal law and FDIC regulations. The Bank is not a member of the Federal Reserve System. As a California-chartered nonmember bank, the Bank is subject to examination, supervision, and regulation by the DFPI, its chartering authority, and by the FDIC.

Brokered Deposit Restrictions. Well capitalized institutions are not subject to limitations on brokered deposits, while an adequately capitalized institutions is able to accept, renew or roll over brokered deposits only with a waiver from the FDIC and subject to certain restrictions on the yield paid on such deposits. Undercapitalized institutions are generally not permitted to accept, renew, or roll over brokered deposits. For additional information regarding the ratios used to assess an institution's capital adequacy, as well as the Bank's capital ratio as of December 31, 2025 and 2024, see Item 7. MD&A - Capital Requirements and Note 16. Regulatory Capital Matters to the Consolidated Financial Statements in this Form 10-K.

Loans to One Borrower. With certain limited exceptions, the maximum amount that a California bank may lend to any borrower at any one time (including the obligations to the bank of certain related entities and related persons of the borrower) may not exceed 25% (and unsecured loans may not exceed 15%) of the bank’s shareholders’ equity, allowance for credit losses, and any capital notes and debentures of the bank. We generally do not have banking relationships that approach these limitations.

8

Tie in Arrangements. Federal law prohibits a bank holding company and any subsidiary banks from engaging in certain tie in arrangements in connection with the extension of credit. For example, the Bank may not extend credit, lease or sell property, furnish any services, fix or vary the consideration for any of the foregoing on the condition that: (i) the client must obtain or provide some additional credit, property or services from or to the Bank other than a loan, discount, deposit or trust services; (ii) the client must obtain or provide some additional credit, property or service from or to OP Bancorp or Open Bank; or (iii) the client must not obtain some other credit, property or services from competitors, except reasonable requirements to assure soundness of credit extended.

Deposit Insurance. The Bank is a member of the DIF administered by the FDIC, which insures client deposit accounts. The amount of federal deposit insurance coverage is $250,000 per depositor, for each account ownership category at each depository institution. The $250,000 amount is subject to periodic adjustments. In order to maintain the DIF, member institutions are assessed insurance premiums based on an insured institution’s average consolidated total assets less its average tangible equity capital.

Each institution is provided an assessment rate, which is generally based on the risk that the institution presents to the DIF. Institutions with less than $10 billion in assets generally have an assessment rate that can range from 2.5 to 32 basis points per annum. However, the FDIC has flexibility to adopt assessment rates without additional rule-making provided that the total base assessment rate increase or decrease does not exceed 2 basis points.

Dividend Payments. OP Bancorp has paid a quarterly dividend to our shareholders every quarter since 2019. The primary source of funds for OP Bancorp is dividends from the Bank. Under the California Financial Code, the Bank is permitted to pay a dividend in the following circumstances: (i) without the consent of either the DFPI or the Bank’s shareholders, in an amount not exceeding the lesser of (a) the retained earnings of the Bank; or (b) the net income of the Bank for its last three fiscal years, less the amount of any distributions made during the prior period; (ii) with the prior approval of the DFPI, in an amount not exceeding the greatest of: (a) the retained earnings of the Bank; (b) the net income of the Bank for its last fiscal year; or (c) the net income for the Bank for its current fiscal year; and (iii) with the prior approval of the DFPI and the Bank’s shareholders (i.e., OP Bancorp) in connection with a reduction of its contributed capital.

Risk Management. Bank regulatory agencies have increasingly emphasized the importance of sound risk management processes and strong internal controls when evaluating the activities of the financial institutions they supervise. Properly managing risks has been identified as critical to the conduct of safe and sound banking activities and has become even more important as new technologies, product innovation, and the size and speed of financial transactions have changed the nature of banking markets. The agencies have identified a spectrum of risks facing a banking institution including, but not limited to, credit, market, liquidity, operational, legal, and reputational risk. In particular, recent regulatory pronouncements have focused on operational risk, which arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses. New products and services, third-party risk management and cybersecurity are critical sources of operational risk that financial institutions are expected to address in the current environment. The Bank is expected to have active board and senior management oversight; adequate policies, procedures, and limits; adequate risk measurement, monitoring, and management information systems; and comprehensive internal controls.

Anti-Money Laundering and the Office of Foreign Assets Control Regulation. We are subject to federal laws aiming to counter money laundering and terrorist financing, as well as transactions with persons, companies and foreign governments sanctioned by the United States. These laws and regulations are intended to detect, identify, track and prevent money-laundering, money transfers to prohibited nations and entities, and certain types of financial crimes. These laws and regulations impose strict reporting and compliance obligations on financial institutions, and violations can carry substantial fines, civil money penalties and other sanctions, as well as restrictions on an institution’s business. Regulatory authorities routinely examine financial institutions for compliance with these obligations, and failure of a financial institution to maintain and implement adequate programs to combat money laundering and terrorist financing, or to comply with all of the relevant laws or regulations, could have serious legal and reputational consequences for the institution, including causing applicable bank regulatory authorities not to approve merger or acquisition transactions when regulatory approval is required or to prohibit such transactions even if approval is not required. Regulatory authorities have

9

imposed cease and desist orders and civil money penalties against institutions found to be violating these obligations.

Concentrations in Commercial Real Estate. Concentration risk exists when a financial institution deploys too many assets to a specific industry or segment of the economy with the potential to produce losses large enough to threaten the financial institution’s health. Concentration stemming from CRE is one area of regulatory concern. Regulatory guidance provides supervisory criteria, including the following numerical indicators, to assist bank examiners in identifying banks with potentially significant CRE loan concentrations that may warrant greater supervisory scrutiny: (i) CRE loans exceeding 300% of capital and increasing 50% or more in the preceding three years; or (ii) construction and land development loans exceeding 100% of capital. The guidance does not limit banks’ levels of CRE lending activities, but rather guides institutions in developing risk management practices and levels of capital that are commensurate with the level and nature of their CRE concentrations. If the regulatory agencies become concerned about our CRE loan concentrations, they could limit our ability to grow by restricting approvals for the establishment or acquisition of branches, or approvals of mergers or other acquisition opportunities.

Consumer Protection. We are subject to a number of federal and state consumer protection laws that extensively govern our relationship with our clients. These laws include, among others, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Truth in Lending Act, the Truth in Savings Act, the Electronic Fund Transfer Act, the Expedited Funds Availability Act, the Home Mortgage Disclosure Act, the Fair Housing Act, the Real Estate Settlement Procedures Act, the Fair Debt Collection Practices Act, the Service Members Civil Relief Act, the Military Lending Act, and these laws’ respective state law counterparts, as well as state usury laws and laws regarding unfair, deceptive or abusive acts and practices (“UDAAP”). The consumer protection laws applicable to us, among other things, require disclosures of the cost of credit and terms of deposit accounts, provide substantive consumer rights, prohibit discrimination in credit transactions, regulate the use of credit report information, provide financial privacy protections, prohibit UDAAP practices, restrict our ability to raise interest rates and subject us to substantial regulatory oversight. Many states and local jurisdictions have consumer protection laws analogous to those listed above.

Violations of applicable consumer protection laws can result in significant potential liability from litigation brought by clients, including actual and statutory damages, restitution and attorneys’ fees. Federal bank regulators, state attorneys general, and state and local consumer protection agencies may also seek to enforce consumer protection requirements and obtain these and other remedies, including regulatory sanctions, client rescission rights, and civil money penalties. Non-compliance with consumer protection requirements may also result in our failure to obtain any required bank regulatory approval for merger or acquisition transactions we may wish to pursue or prohibition from engaging in such transactions even if approval is not required.

Cybersecurity. Federal bank regulatory agencies have increased their focus on cybersecurity through guidance, examination and regulations. Financial institutions are required to design and maintain multiple layers of security controls to establish lines of defense and ensure that their risk management processes address the risk posed by compromised customer credentials and include security measures to authenticate customers accessing internet-based services of the financial institution. The management of a financial institution is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption and maintenance of operations in the event of a cyber-attack. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations and address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to a cyber-attack. If we fail to observe the regulatory guidance, we could be subject to various regulatory sanctions, including financial penalties.

Financial institutions also must comply with the final rule issued by the federal bank regulatory agencies to improve sharing of information about cyber incidents that may affect the U.S. banking system. The rule requires financial institutions to notify their primary federal regulator of any significant computer-security incidents as soon as possible and no later than 36 hours after they determine that a cyber-incident occurred. Notification is required for incidents that have materially affected (or are reasonably likely to materially affect) the viability of a financial institution’s operations, its ability to deliver banking products and services, or the stability of the financial sector. We do not anticipate this rule to have a material impact on our operations at this time.

10

State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations. Recently, several states, including California, have adopted laws and/or regulations requiring certain financial institutions to implement cybersecurity programs and providing detailed requirements with respect to these programs, including data encryption requirements. Many such states, including California, have also recently implemented or modified their data breach notification and data privacy requirements, and to expand both civil and enforcement liabilities for financial institutions that experience certain types of breaches. We expect this trend of state-level activity in those areas to continue, and we continue to monitor relevant legislative and regulatory developments in California where many of our customers are located.

In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to store sensitive data. We employ a layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. We employ a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. Notwithstanding the strength of our defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly.