SOUTH PLAINS FINANCIAL, INC. (SPFI) Business

Item 1. Business

General

South Plains Financial, Inc. (the “Company” or “SPFI”) is a bank holding company headquartered in Lubbock, Texas, and City Bank, SPFI’s wholly-owned banking subsidiary, is one of
the largest independent banks in West Texas (“City Bank” or the “Bank”). The Company is hereafter collectively referred to as “we,” “us” or “our.”

We have additional banking operations in the Dallas, El Paso, Greater Houston, the Permian Basin, and College Station, Texas markets, and the Ruidoso, New Mexico market. Through
City Bank, we provide a wide range of commercial and consumer financial services to small and medium-sized businesses and individuals in our market areas. Our principal business activities include commercial and retail banking, along with investment,
trust and mortgage services.

We had total assets of $4.48 billion, gross loans held for investment of $3.14 billion, total deposits of $3.87 billion, and total shareholders’ equity of $493.8 million as of
December 31, 2025.

Our history dates back over 80 years. We trace our beginnings to the founding of First State Bank of Morton, a community bank headquartered in West Texas that held approximately $1
million of total assets in 1941. In 1962, the bank was sold to new management, including J.K. Griffith, the father of our current Chairman and Chief Executive Officer, Curtis C. Griffith. Since Mr. Griffith was elected Chairman of First State Bank of
Morton in 1984, the Bank has transformed from a small-town institution with approximately $30 million in total assets and a single branch location into one of the largest community banks in West Texas. The parent company to First State Bank of Morton
acquired South Plains National Bank of Levelland, Texas in 1991 and changed its name to South Plains Bank. The Company became the holding company to First State Bank of Morton and South Plains Bank in 1993, the same year we acquired City Bank. City
Bank was originally established in Lubbock in 1984. We merged First State Bank of Morton and South Plains Bank into City Bank in 1998 and 1999, respectively. We had more than $175 million in assets upon the closing of these acquisitions. We acquired
West Texas State Bank, Odessa, Texas, with approximately $430 million in assets, in 2019 through the merger of West Texas State Bank with and into the Bank.

We currently operate 24 full-service banking locations across seven geographic markets resulting from six acquisitions, de novo branch establishments, and the formation of a de
novo bank in Ruidoso, New Mexico, which we later merged into the Bank. We also operate 7 loan production offices both in our banking markets and in certain key areas in Texas that focus on mortgage loan origination. We build long-lasting
relationships with our customers by delivering high-quality products and services and have sought to capitalize on the opportunities presented by continued consolidation in the banking industry. We believe a major contributor to our historical
success has been our focus on becoming the community bank of choice in the markets that we serve.

Our common stock is listed on the Nasdaq Global Select Market under the symbol “SPFI.”

Acquisition Activities

On December 1, 2025, SPFI and BOH Holdings, Inc., a Texas corporation (“BOH”), entered into an Agreement and Plan of Reorganization, providing for the acquisition by
SPFI of BOH through the merger of BOH with and into SPFI, with SPFI continuing as the surviving entity. Immediately thereafter, Bank of Houston, a Texas state banking association and wholly-owned subsidiary of
BOH (“Bank of Houston”), will merge with and into City Bank, with City Bank continuing as the surviving entity. The proposed transaction is expected to close in the second quarter of 2026, subject to the
satisfaction of customary closing conditions, including the receipt of all required regulatory approvals and the approval of BOH’s shareholders.

Market Area

We operate in the following markets (deposit information is as of December 31, 2025):

Lubbock/South Plains - We operate 10 branches holding $2.5 billion of deposits in the Lubbock metropolitan statistical area (“MSA”)
and the surrounding South Plains region of Texas.

Dallas - We operate three branches with $496.5 million of deposits and five loan production offices, which we refer to as mortgage
offices, in the Dallas-Fort Worth-Arlington MSA, which we refer to as the Dallas-Fort Worth metroplex.

El Paso - We operate two bank branches with $229.4 million of deposits and one mortgage office in the El Paso MSA.

Houston - We operate one branch with $52.8 million of deposits in the Houston-The Woodlands-Sugarland MSA, which we refer to as
Greater Houston. This branch is located in the city of Houston.

Bryan/College Station - We operate one branch in the city of College Station, Texas, which has $56.1 million in deposits. We refer to
the Bryan-College Station MSA as Bryan/College Station.

The Permian Basin - We operate six branches with $361.3 million of deposits in the Permian Basin region of Texas.

Ruidoso, New Mexico - We operate one branch with $200.5 million of deposits in the village of Ruidoso, New Mexico.

We believe our exposure to these dynamic and complementary markets provides us with economic diversification and the opportunity for expansion across Texas and New Mexico.

5

Table of Contents

Competition

The banking and financial services industry is highly competitive, and we compete with a wide range of financial institutions within our markets, including local, regional and
national commercial banks and credit unions. We also compete with mortgage companies, trust companies, brokerage firms, consumer finance companies, mutual funds, securities firms, third-party payment processors, financial technology companies and
other financial intermediaries for certain of our products and services. Some of our competitors are not subject to the regulatory restrictions and level of regulatory supervision applicable to us.

Interest rates on loans and deposits, as well as prices on fee-based services, are typically significant competitive factors within the banking and financial services industry.
Many of our competitors are much larger financial institutions that have greater financial resources than we do and compete aggressively for market share. These competitors attempt to gain market share through their financial product mix, pricing
strategies and banking center locations. Other important competitive factors in our industry and markets include office locations and hours, quality of customer service, community reputation, continuity of personnel and services, capacity and
willingness to extend credit, and ability to offer excellent banking products and services. While we seek to remain competitive with respect to fees charged, interest rates and pricing, we believe that our broad suite of financial solutions, our
high-quality customer service culture, our positive reputation and our long-standing community relationships will enable us to compete successfully within our markets and enhance our ability to attract and retain customers.

Human Capital Resources

As of December 31, 2025, we had approximately 603 total employees, which included 545 full-time employees and 58 part-time employees. None of our employees are covered under a
collective bargaining agreement and management considers its employee relations to be satisfactory.

Our employees are the cornerstone of our success and the embodiment of our values and continue to be our greatest asset. With diverse backgrounds, skill and experiences, they form
a dynamic and collaborative workforce dedicated to achieving our company’s mission and vision. Our employees are carefully cultivated through a variety of resources. These resources include mid-year and annual performance conversations, ongoing
training, internally developed growth and leadership programs, a robust mentorship program, and opportunities for career advancement by promotion and transferring from within the organization whenever possible. In addition, employees are encouraged
to attend conferences and outside training events in connection with their job duties.

We believe our ability to attract and retain employees is a key to our success. We strive to offer a well-rounded salary package through competitive salaries with the opportunity
for an employee annual bonus program, a robust benefit package (including a company matched 401(k) Plan contribution, healthcare and insurance benefits, health savings and flexible spending accounts, long-term care and long-term disability benefits,
life insurance benefits, a robust wellness program, and paid-time off), and a commitment to supporting career goals, employee development and recognition, and employee community involvement. At December 31, 2025, approximately 33% of our current
staff had been with us for ten years or more.

Our employees embody our commitment to excellence, innovation, and customer satisfaction, driving sustainable growth and delivering exceptional results in every aspect of our
operations. As stewards of our company culture, they uphold our core principles of faith, family and fun, ensuring that we remain at the forefront of our industry and continue to exceed the expectations of our stakeholders.

Lending Activities

General. We adhere to what we believe are disciplined underwriting standards, but also remain cognizant of serving the
credit needs of customers in our primary market areas by offering flexible loan solutions in a responsive and timely manner. We maintain asset quality through an emphasis on local market knowledge, long-term customer relationships, consistent and
thorough underwriting and a conservative credit culture. We also seek to maintain a broadly diversified loan portfolio across customer, product and industry types. These components, together with active credit management, are the foundation of our
credit culture, which we believe is critical to enhancing the long-term value of our organization to our customers, employees, shareholders and communities.

We have a service-driven, relationship-based, business-focused credit culture, rather than a price-driven, transaction-based culture. Substantially all of our loans are made to
borrowers located or operating in our primary market areas with whom we have ongoing relationships across various product lines. The few loans secured by properties outside of our primary market areas were made to borrowers who are otherwise
well-known to us.

Credit Concentrations. In connection with the management of our credit portfolio, we actively manage the composition of our
loan portfolio, including credit concentrations. Our loan approval policies establish concentrations limits with respect to industry and loan product type to enhance portfolio diversification. Commercial real estate concentrations are monitored by
the Board of Directors (“Board”) of the Bank, at least quarterly and the limits are reviewed bi-monthly as part of our credit analytics Board Credit Risk Committee program. The Board Credit Risk Committee is comprised of outside directors and two
Bank officers, including the Chairman of the Board and the Bank’s Chief Executive Officer.

6

Table of Contents

Loan Approval Process. We seek to achieve an appropriate balance between prudent, disciplined underwriting and flexibility in our
decision-making and responsiveness to our customers. Our Board requires new loans over $5.0 million to relationships in excess of $20.0 million to be reported to the Board Credit Risk Committee. As of December 31, 2025, the Bank had a legal lending
limit of approximately $123.1 million. As of that date, our 20 largest borrowing relationships ranged from approximately $26.7 million to $57.5 million (including unfunded commitments) and totaled approximately $775.0 million in total commitments
(representing, in the aggregate, 21.0% of our total outstanding commitments).

Our credit approval policies provide for various levels of officer and senior management lending authority for new credits and renewals, which are based on position, capability and experience. New
loans in excess of an individual officer’s lending limit up to $5.0 million may be approved with joint authorities of a market president and a senior credit officer. New loans to relationships over $5.0 million and renewing loans to relationships
over $7.0 million are approved by our Executive Loan Committee. These limits are reviewed periodically by the Bank’s Board. We believe that our credit approval process provides for thorough underwriting and efficient decision-making.

Credit Risk Management. Credit risk management involves a partnership between our loan officers and our credit approval,
credit administration and collections personnel. Loan delinquencies and exceptions are constantly monitored by credit personnel and consultations with loan officers occur as often as daily. Our performance evaluation program for our loan officers
includes significant credit quality metric goals, such as the percentages of past due loans and charge-offs to total loans in the officer’s portfolio, that we believe motivate the loan officers to focus on the origination and maintenance of
high-quality credits consistent with our strategic focus on asset quality.

Our policies require rapid notification of delinquency and prompt initiation of collection actions. Loan officers, credit administration personnel, and senior management
proactively support collection activities.

In accordance with our credit risk management procedures, we perform annual asset reviews of our larger relationships. As part of these asset review procedures, we analyze recent
financial statements of the property, borrower and any guarantor, the borrower’s revenues and expenses, and any deterioration in the relationship or in the borrower’s and any guarantor’s financial condition. Upon completion, we update the grade
assigned to each loan. Our credit policy requires that loan officers promptly update risk ratings for all loans as warranted by changing circumstances of the borrower or the credit and to notify credit administration personnel of any risks developing
in a portfolio or in an individual borrowing relationship. We maintain a list of loans that receive additional attention if we believe there may be a potential credit risk.

Loans that are adversely classified undergo a detailed quarterly review by loan review personnel. This review includes an evaluation of the market conditions, the property’s
trends, the borrower and guarantor status, the level of reserves required and loan accrual status. These reports are reviewed by a group of lending and credit personnel to evaluate collection effectiveness for each loan reported. Additionally, we
periodically have an independent, third-party review performed on our loan grades and our credit administration functions. Our external loan review firm schedules two to three visits per year and, in combination with our internal loan review
function, attempts to achieve a combined review of at least 60% of the total dollar amount of the loan portfolio. Finally, we perform, at least annually, a stress test of our loan portfolio, in which we evaluate the impact of declining economic
conditions on the portfolio based on previous recessionary periods. Credit personnel review these reports and present them to the Board Credit Risk Committee. These asset review procedures provide management with additional information for assessing
our asset quality and lending strategies.

Investments

We manage our securities portfolio primarily for liquidity purposes, including depositor and borrower funding requirements and availability as collateral for public fund deposits,
with a secondary focus on interest income. Our securities portfolio is classified as either available-for-sale or held-to-maturity and can be used for pledging on public deposits, selling under repurchase agreements and meeting unforeseen liquidity
needs. The investments in our securities portfolio are a variety of high-grade securities, including government agency securities, government guaranteed mortgage backed securities and municipal securities.

Our investment policy is reviewed annually by the Bank’s Board. Overall investment goals are established by the Bank’s Board and the Bank’s Investment/Asset Liability Committee.
The Bank’s Board has delegated the responsibility of monitoring our investment activities to the Investment/Asset Liability Committee.

7

Table of Contents

Sources of Funds

Deposits

Deposits represent the Company’s primary and most vital source of funds. We offer a variety of deposit products including demand deposits accounts, interest-bearing products,
savings accounts and certificate of deposits. We put continued effort into gathering noninterest-bearing demand deposit accounts through loan production, customer referrals, marketing staffs, mobile and online banking and various involvements with
community networks.

Borrowings

In addition to deposits, we may utilize advances from the Federal Home Loan Bank of Dallas (the “FHLB”), and other borrowings, such as a line of credit with the Federal
Reserve Bank of Dallas (the “FRB”), uncollateralized lines of credit with multiple banks, subordinated debt, and junior subordinated deferrable interest debentures as supplementary funding sources to finance our operations.

Other Banking Services

Mortgage Banking

Our mortgage originations totaled $269.3 million for the year ended December 31, 2025 and we sold the servicing on approximately 57% of those mortgages. We originate mortgages
primarily from our branches or loan production offices in Lubbock, El Paso, College Station, Abilene, Arlington, Austin, Dallas, Dripping Springs, Forney, Fort Worth, Grand Prairie, Houston, Midland, Southlake, and Waco, Texas. We refer to our loan
production offices as mortgage offices. While our mortgage operation represents a sizable component of our total noninterest income, comprising 24%, or $10.7 million, for the year ended December 31, 2025, we view the mortgage business as an ancillary
part of our operations. Within our mortgage origination portfolio, refinances of existing mortgages represented 18% of total mortgage originations in the year ended December 31, 2025. We retain mortgage servicing rights from time to time when we sell
mortgages to third parties. As of December 31, 2025, we serviced $1.8 billion of mortgages that we originated and sold to third parties.

We leverage a variety of digital reporting tools to increase the efficiency of the underwriting process, enhance loan production and boost overall margins while keeping expenses to
a minimum. New market expansion will depend primarily on opportunities to hire and retain high quality loan origination staff. Additionally, existing markets are monitored for profitability and efficiencies to determine if we would need to exit any
locations.

Trust Services

City Bank Trust, a division of City Bank, provides a range of traditional trust products and services along with several retirement services and products, including estate administration, family
trust administration, revocable and irrevocable trusts (including life insurance trusts), real estate administration, charitable trusts for individuals and corporations, 401(k) plans, self-directed individual retirement accounts (“IRAs”),
simplified employee pensions plans, employee stock ownership plans, defined benefit plans, profit-sharing plans, Keoghs and managed IRAs. Our trust department had approximately $435 million of assets under management at December 31, 2025, and
contributed $2.9 million of fee income for the year ended December 31, 2025.

Investment Services

The Investment Center at City Bank provides a variety of investments offered through Raymond James Financial Services, Inc. (Member FINRA/SIPC) including self-directed IRAs, money
market funds, 401(k) plans, mutual funds, annuities and tax-deferred annuities, stocks and bonds, investments for non-U.S. residents, treasury bills, treasury notes and bonds and tax-exempt municipal bonds. Gross revenue derived from our investment
services for the year ended December 31, 2025 was $1.7 million with $684.4 million in assets under management at December 31, 2025.

SUPERVISION AND REGULATION

The following is a general summary of the material aspects of certain statutes and regulations that are applicable to us. These summary descriptions are not
complete, and you should refer to the full text of the statutes, regulations, and corresponding guidance for more information. These statutes and regulations are subject to change, and additional statutes, regulations, and corresponding guidance may
be adopted. We are unable to predict these future changes or the effects, if any, that these changes could have on our business or our revenues.

General

We are extensively regulated under U.S. federal and state law. As a result, our growth and earnings performance may be affected not only by management decisions and general
economic conditions, but also by federal and state statutes and by the regulations and policies of various bank regulatory agencies, including the Texas Department of Banking (“TDB”), the Federal Reserve, the Federal Deposit Insurance Corporation
(“FDIC”), and the Consumer Finance Protection Bureau (“CFPB”). Furthermore, tax laws administered by the Internal Revenue Service (“IRS”), and state taxing authorities, accounting rules developed by the Financial Accounting Standards Board (“FASB”),
securities laws administered by the Securities and Exchange Commission (“SEC”), and state securities authorities and anti-money laundering, or AML, laws enforced by the U.S. Department of the Treasury (“Treasury”) also impact our business. The effect
of these statutes, regulations, regulatory policies and rules are significant to our financial condition and results of operations. Further, the nature and extent of future legislative, regulatory or other changes affecting financial institutions are
impossible to predict with any certainty.

8

Table of Contents

Federal and state banking laws impose a comprehensive system of supervision, regulation and enforcement on the operations of banks, their holding companies and their affiliates.
These laws are intended primarily for the protection of depositors, customers and the Deposit Insurance Fund (“DIF”), rather than for shareholders. Federal and state laws, and the related regulations of the bank regulatory agencies, affect, among
other things, the scope of business, the kinds and amounts of investments banks may make, reserve requirements, capital levels relative to operations, the nature and amount of collateral for loans, the establishment of branches, the ability to merge,
consolidate and acquire, dealings with insiders and affiliates and the payment of dividends.

This supervisory and regulatory framework subjects banks and bank holding companies to regular examination by their respective regulatory agencies, which results in examination
reports and ratings that, while not publicly available, can affect the conduct and growth of their businesses. These examinations consider not only compliance with applicable laws and regulations, but also capital levels, asset quality and risk,
management’s ability and performance, earnings, liquidity and various other factors. These regulatory agencies have broad discretion to impose restrictions and limitations on the operations of a regulated entity where the agencies determine, among
other things, that such operations are unsafe or unsound, fail to comply with applicable law or are otherwise inconsistent with laws and regulations or with the supervisory policies of these agencies.

The following is a summary of the material elements of the supervisory and regulatory framework applicable to the Company and the Bank. It does not describe all of the statutes,
regulations and regulatory policies that apply, nor does it restate all of the requirements of those that are described. The descriptions are qualified in their entirety by reference to the particular statutory and regulatory provision.

Regulatory Capital Requirements

The federal banking agencies require that banking organizations meet several risk-based capital adequacy requirements. These risk-based capital adequacy requirements are intended
to provide a measure of capital adequacy that reflects the perceived degree of risk associated with a banking organization’s operations, both for transactions reported on the banking organization’s balance sheet as assets and for transactions that
are recorded as off-balance sheet items, such as letters of credit and recourse arrangements. The risk-based guidelines apply on a consolidated basis to bank holding companies with consolidated assets of $3 billion or more, such as the Company, or
with a material amount of equity securities outstanding that are registered with the SEC. The federal banking agencies may change existing capital guidelines or adopt new capital guidelines in the future and often expect high growth or acquisitive
bank holding companies to maintain capital positions substantially above the minimum supervisory levels. In addition, the federal banking agencies have required many banks and bank holding companies subject to enforcement actions to maintain capital
ratios in excess of the minimum ratios otherwise required to be deemed “well-capitalized” and have subjected such institutions to restrictions on various activities, including a bank’s ability to accept or renew brokered deposits.

In 2013, the federal bank regulatory agencies issued final rules, or the Basel III Capital Rules, establishing a new comprehensive capital framework for banking organizations. The
Basel III Capital Rules implement the Basel Committee’s December 2010 framework for strengthening international capital standards and certain provisions of the Dodd-Frank Act. The Basel III Capital Rules became effective on January 1, 2015.

The Basel III Capital Rules require the Bank and the Company, to comply with four minimum capital standards: a Tier 1 leverage ratio of at least 4.0%; a common equity Tier 1, or
CET1, to risk-weighted assets ratio of 4.5%; a Tier 1 capital to risk-weighted assets ratio of at least 6.0%; and a total capital to risk-weighted assets ratio of at least 8.0%. CET1 capital is generally comprised of common shareholders’ equity and
retained earnings. Tier 1 capital is generally comprised of CET1 and additional Tier 1 capital. Additional Tier 1 capital generally includes certain noncumulative perpetual preferred stock and related surplus and minority interests in equity accounts
of consolidated subsidiaries. Total capital includes Tier 1 capital (CET1 capital plus additional Tier 1 capital) and Tier 2 capital. Tier 2 capital is generally comprised of capital instruments and related surplus meeting specified requirements, and
may include cumulative preferred stock and long-term perpetual preferred stock, mandatory convertible securities, intermediate preferred stock and subordinated debt. Also included in Tier 2 capital is the allowance limited to a maximum of 1.25% of
risk-weighted assets and, for institutions that have exercised an opt-out election regarding the treatment of Accumulated Other Comprehensive Income, or AOCI, up to 45% of net unrealized gains on available-for-sale equity securities with readily
determinable fair market values. Institutions that have not exercised the AOCI opt-out have AOCI incorporated into CET1 capital (including unrealized gains and losses on available-for-sale-securities). The calculation of all types of regulatory
capital is subject to deductions and adjustments specified in the regulations.

The Basel III Capital Rules also establish a “capital conservation buffer” of 2.5% above the regulatory minimum risk-based capital requirements. An institution is subject to
limitations on certain activities, including payment of dividends, share repurchases and discretionary bonuses to executive officers, if its capital level is below the buffered ratio.

9

Table of Contents

The Basel III minimum capital ratios are summarized in the table below.

In determining the amount of risk-weighted assets for purposes of calculating risk-based capital ratios, a banking organization’s assets, including certain off-balance sheet assets
(e.g., recourse obligations, direct credit substitutes, residual interests), are multiplied by a risk weight factor assigned by the regulations based on perceived risks inherent in the type of asset. As a result, higher levels of capital are required
for asset categories believed to present greater risk. For example, a risk weight of 0% is assigned to cash and U.S. government securities, a risk weight of 50% is generally assigned to prudently underwritten first lien 1-4 family residential
mortgages, a risk weight of 100% is assigned to commercial and consumer loans, a risk weight of 150% is assigned to certain past due loans and a risk weight of between 0% to 600% is assigned to permissible equity interests, depending on certain
specified factors. The Basel III Capital Rules increased the risk weights for a variety of asset classes, including certain commercial real estate mortgages. Additional aspects of the Basel III Capital Rules’ risk-weighting requirements that are
relevant to the Company and the Bank include:

As of December 31, 2025, the Company’s and the Bank’s capital ratios exceeded the minimum capital adequacy guideline percentage requirements under the Basel III Capital Rules on a
fully phased-in basis.

Community Bank Leverage Ratio

On September 17, 2019, the federal banking agencies jointly finalized a rule effective as of January 1, 2020 and intended to simplify the regulatory capital requirements described
above for qualifying community banking organizations, or QCBO, that opt into the Community Bank Leverage Ratio, or CBLR, framework, as required by Section 201 of the EGRRCPA. The final rule became effective on January 1, 2020, and the CBLR framework
became available for banks to use beginning with their March 31, 2020 Call Reports. Under the final rule, if a QCBO opts into the CBLR framework and meets all requirements under the framework, it will be considered to have met the well-capitalized
ratio requirements under the Prompt Corrective Action regulations described below and will not be required to report or calculate risk-based capital. In order to qualify for the CBLR framework, a QCBO must have a tier 1 leverage ratio of greater than
9%, less than $10 billion in total consolidated assets, and limited amounts of off-balance-sheet exposures and trading assets and liabilities. In November 2025, the federal bank regulatory agencies proposed changes to the CBLR framework intended to
encourage broader adoption, including reducing the required leverage ratio from 9% to 8%; however, the proposed rule has not yet been finalized.

Although the Company and the Bank are QCBOs, the Company and the Bank have currently not elected to opt in to the CBLR framework at this time and will continue to follow the
capital requirements under the Basel III Capital Rules as described above.

10

Table of Contents

Prompt Corrective Action

The Federal Deposit Insurance Act (“FDIA”) requires federal banking agencies to take “prompt corrective action” with respect to depository institutions that do not meet minimum
capital requirements. For purposes of prompt corrective action, the law establishes five capital tiers: “well-capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized,” and “critically undercapitalized.” A
depository institution’s capital tier depends on its capital levels and certain other factors established by regulation. The applicable FDIC regulations have been amended to incorporate the increased capital requirements required by the Basel III
Capital Rules that became effective on January 1, 2015. Under the amended regulations, an institution is deemed to be “well-capitalized” if it has a total risk-based capital ratio of 10.0% or greater, a Tier 1 risk-based capital ratio of 8.0% or
greater, a CET1 ratio of 6.5% or greater and a leverage ratio of 5.0% or greater. Accordingly, a financial institution may be considered “well-capitalized” under the prompt corrective action framework, but not satisfy the full Basel III capital
ratios. Generally, a financial institution must be “well capitalized” before the Federal Reserve will approve an application by a bank holding company to acquire a bank or merge with a bank holding company. The FDIC applies the same requirement in
approving bank merger applications.

At each successively lower capital category, a bank is subject to increased restrictions on its operations. For example, a bank is generally prohibited from making capital
distributions and paying management fees to its holding company if doing so would make the bank “undercapitalized.” Asset growth and branching restrictions apply to undercapitalized banks, which are required to submit written capital restoration
plans meeting specified requirements (including a guarantee by the parent holding company, if any). “Significantly undercapitalized” banks are subject to broad regulatory restrictions, including among other things, capital directives, forced mergers,
restrictions on the rates of interest they may pay on deposits, restrictions on asset growth and activities, and prohibitions on paying bonuses or increasing compensation to senior executive officers without FDIC approval. “Critically
undercapitalized” are subject to even more severe restrictions, including, subject to a narrow exception, the appointment of a conservator or receiver within 90 days after becoming critically undercapitalized.

The appropriate federal banking agency may determine (after notice and opportunity for a hearing) that the institution is in an unsafe or unsound condition or deems the institution
to be engaging in an unsafe or unsound practice. The appropriate agency is also permitted to require an adequately capitalized or undercapitalized institution to comply with the supervisory provisions as if the institution were in the next lower
category (but not treat a significantly undercapitalized institution as critically undercapitalized) based on supervisory information other than the capital levels of the institution.

The capital classification of a bank affects the frequency of regulatory examinations, the bank’s ability to engage in certain activities and the deposit insurance premium paid by
the bank. A bank’s capital category is determined solely for the purpose of applying prompt correct action regulations and the capital category may not accurately reflect the bank’s overall financial condition or prospects.

As of December 31, 2025, the Bank met the requirements for being deemed “well-capitalized” for purposes of the prompt corrective action regulations.

Enforcement Powers of Federal and State Banking Agencies

The federal bank regulatory agencies have broad enforcement powers, including the power to terminate deposit insurance, impose substantial fines and other civil and criminal
penalties, and appoint a conservator or receiver for financial institutions. Failure to comply with applicable laws and regulations could subject us and our officers and directors to administrative sanctions and potentially substantial civil money
penalties. In addition to the grounds discussed above under “Prompt Corrective Actions,” the appropriate federal bank regulatory agency may appoint the FDIC as conservator or receiver for a depository institution (or the FDIC may appoint itself,
under certain circumstances) if any one or more of a number of circumstances exist, including, without limitation, the fact that the depository institution is undercapitalized and has no reasonable prospect of becoming adequately capitalized, fails
to become adequately capitalized when required to do so, fails to submit a timely and acceptable capital restoration plan or materially fails to implement an accepted capital restoration plan. The TDB also has broad enforcement powers over us,
including the power to impose orders, remove officers and directors, impose fines and appoint supervisors and conservators.

The Company

General. As a bank holding company, the Company is subject to regulation and supervision by the Federal Reserve under the
Bank Holding Company Act of 1956, as amended, or the BHCA. Under the BHCA, the Company is subject to periodic examination by the Federal Reserve. The Company is required to file with the Federal Reserve periodic reports of its operations and such
additional information as the Federal Reserve may require.

Acquisitions, Activities and Change in Control. The BHCA generally requires the prior approval by the Federal Reserve for
any merger involving a bank holding company or a bank holding company’s acquisition of more than 5% of a class of voting securities of any additional bank or bank holding company or to acquire all or substantially all of the assets of any additional
bank or bank holding company. In reviewing applications seeking approval of merger and acquisition transactions, the Federal Reserve considers, among other things, the competitive effect and public benefits of the transactions, the capital position
and managerial resources of the combined organization, the risks to the stability of the U.S. banking or financial system, the applicant’s performance record under the Community Reinvestment Act (“CRA”) and the effectiveness of all organizations
involved in the merger or acquisition in combating money laundering activities. In addition, failure to implement or maintain adequate compliance programs could cause bank regulators not to approve an acquisition where regulatory approval is required
or to prohibit an acquisition even if approval is not required.

11

Table of Contents

Subject to certain conditions (including deposit concentration limits established by the BHCA and the Dodd-Frank Act), the Federal Reserve may allow a bank holding company to
acquire banks located in any state of the U.S. In approving interstate acquisitions, the Federal Reserve is required to give effect to applicable state law limitations on the aggregate amount of deposits that may be held by the acquiring bank holding
company and its insured depository institution affiliates in the state in which the target bank is located (provided that those limits do not discriminate against out-of-state depository institutions or their holding companies) and state laws that
require that the target bank have been in existence for a minimum period of time (not to exceed five years) before being acquired by an out-of-state bank holding company. Furthermore, in accordance with the Dodd-Frank Act, bank holding companies must
be well-capitalized and well-managed in order to complete interstate mergers or acquisitions. For a discussion of the capital requirements, see “Regulatory Capital Requirements” above.

The BHCA also prohibits any company from acquiring “control” of a bank or bank holding company without prior notice to the appropriate federal bank regulator. “Control” is
conclusively presumed to exist upon the acquisition of 25% or more of the outstanding voting securities of a bank or bank holding company, but may arise based on the facts and circumstances even with ownership below 5.00% up to 24.99% ownership. The
Federal Reserve’s regulations related to determinations of whether a company has “control” over another company, including a bank holding company or a bank, for purposes of the BHCA, include a tiered system of non-control presumptions based upon the
percentage of any class of voting securities held by an acquirer and the presence of other indicia of control. The four categories of tiered presumptions of non-control, based upon the percentage of ownership of any class of voting securities held by
an acquirer, are (i) less than 5%, (ii) 5% to 9.99%, (iii) 10% to 14.99%, and (iv) 15% to 24.99%. These regulations provide greater transparency with respect to the total level of equity, representative directors, management interlocks, limiting
contractual provisions and business relationships that would be permissible to the Federal Reserve in order to avoid a determination of control. These regulations apply to control determinations under the BHCA, but do not apply to the Change in Bank
Control Act, as amended (the “CIBC Act”).

The CIBC Act and the related regulations of the Federal Reserve generally provide that a person, which includes a natural person or entity, directly or indirectly, has “control” of a
bank or bank holding company if it (i) owns, controls, or has the power to vote 25% or more of the voting securities of the bank or bank holding company, (ii) controls the election of directors, trustees, or general partners of the company, (iii) has
a controlling influence over the management or policies of the company, or (iv) conditions in any manner the transfer of 25% or more of the voting securities of the company upon the transfer of 25% or more of the outstanding shares of any class of
voting securities of another company. Accordingly, the CIBC Act requires that prior to the acquisition of any class of voting securities of a bank or bank holding company that prior notice to the Federal Reserve be provided, if, immediately after the
transaction, the acquiring person (or persons acting in concert) will own, control, or hold the power to vote 25% or more of any class of voting securities of the bank or bank holding company. A rebuttable presumption of control arises under the CIBC
Act where a person (or persons acting in concert) controls 10% or more (but less than 25%) of a class of the voting securities of a bank or bank holding (i) which has registered securities under the Exchange Act, such as the Company, or (ii) no other
person owns, controls, or holds the power to vote a greater percentage of any class of voting securities immediately after the transaction.

Permissible Activities. The BHCA and the implementing regulations of the Federal Reserve generally prohibit the Company
from controlling or engaging in any business other than that of banking, managing and controlling banks or furnishing services to banks and their subsidiaries. This general prohibition is subject to a number of exceptions. The principal exception
allows bank holding companies to engage in, and to own shares of companies engaged in, certain businesses found by the Federal Reserve prior to November 11, 1999 to be “so closely related to banking as to be a proper incident thereto.” This authority
would permit the Company to engage in a variety of banking-related businesses, including the ownership and operation of a savings association, or any entity engaged in consumer finance, equipment leasing, the operation of a computer service bureau
(including software development) and mortgage banking and brokerage. The BHCA generally does not place territorial restrictions on the domestic activities of non-bank subsidiaries of bank holding companies. The Federal Reserve has the power to order
any bank holding company or its subsidiaries to terminate any activity or to terminate its ownership or control of any subsidiary when the Federal Reserve has reasonable grounds to believe that continuing such activity, ownership or control
constitutes a serious risk to the financial soundness, safety or stability of any bank subsidiary of the bank holding company.

In connection with the Dodd-Frank Act, Section 13 of the BHCA, commonly known as the “Volcker Rule,” was amended to generally prohibit banking entities from engaging in the short-term
proprietary trading of securities and derivatives for their own account and barred them from having certain relationships with hedge funds or private equity funds. However, Section 203 of the EGRRCPA, exempts community banks from the restrictions of
the Volcker Rule if (i) the community bank, and every entity that controls it, has total consolidated assets equal to or less than $10 billion; and (ii) trading assets and liabilities of the community bank, and every entity that controls it, is equal
to or less than 5% of its total consolidated assets. As the consolidated assets of the Company are less than $10 billion and the Company does not currently exceed the 5% threshold, this aspect of the Volcker Rule does not have any impact on the
Company’s consolidated financial statements at this time.

12

Table of Contents

Additionally, bank holding companies that qualify and elect to operate as financial holding companies may engage in, or own shares in companies engaged in, a wider range of
non-banking activities, including securities and insurance underwriting and sales, merchant banking and any other activity that the Federal Reserve, in consultation with the Secretary of the Treasury, determines by regulation or order is financial in
nature or incidental to any such financial activity or that the Federal Reserve determines by order to be complementary to any such financial activity and does not pose a substantial risk to the safety or soundness of depository institutions or the
financial system generally. The Company has not elected to be a financial holding company, and we have not engaged in any activities determined by the Federal Reserve to be financial in nature or incidental or complementary to activities that are
financial in nature.

Source of Strength. Federal Reserve policy historically required bank holding companies to act as a source of financial and
managerial strength to their subsidiary banks. The Dodd-Frank Act codified this policy as a statutory requirement. Under this requirement the Company is expected to commit resources to support the Bank, including at times when the Company may not be
in a financial position to provide it. The Company must stand ready to use its available resources to provide adequate capital to the Bank during periods of financial stress or adversity. The Company must also maintain the financial flexibility and
capital raising capacity to obtain additional resources for assisting the Bank. The Company’s failure to meet its source of strength obligations may constitute an unsafe and unsound practice or a violation of the Federal Reserve’s regulations or
both. The source of strength obligation most directly affects bank holding companies where a bank holding company’s subsidiary bank fails to maintain adequate capital levels. Any capital loans by a bank holding company to the subsidiary bank are
subordinate in right of payment to deposits and to certain other indebtedness of the subsidiary bank. The BHCA provides that in the event of a bank holding company’s bankruptcy any commitment by a bank holding company to a federal bank regulatory
agency to maintain the capital of its subsidiary bank will be assumed by the bankruptcy trustee and entitled to priority of payment.

Imposition of Liability for Undercapitalized Subsidiaries. Bank regulators are required to take “prompt corrective action”
to resolve problems associated with insured depository institutions whose capital declines below certain levels. In the event an institution becomes “undercapitalized,” it must submit a capital restoration plan to its regulators. The capital
restoration plan will not be accepted by the regulators unless each company having control of the undercapitalized institution guarantees the subsidiary’s compliance with the capital restoration plan up to a certain specified amount. Any such
guarantee from a depository institution’s holding company is entitled to a priority of payment in bankruptcy.

The aggregate liability of the holding company of an undercapitalized bank is limited to the lesser of 5% of the institution’s assets at the time it became undercapitalized or the
amount necessary to cause the institution to be “adequately capitalized.” The bank regulators have greater power in situations where an institution becomes “significantly” or “critically” undercapitalized or fails to submit a capital restoration
plan. For example, a bank holding company controlling such an institution can be required to obtain prior Federal Reserve approval of proposed dividends, or it may be required to consent to a consolidation or to divest the troubled institution or
other affiliates.

Safe and Sound Banking Practices. Bank holding companies and their non-banking subsidiaries are prohibited from engaging in
activities that represent unsafe and unsound banking practices or that constitute a violation of law or regulations. Under certain conditions the Federal Reserve may conclude that certain actions of a bank holding company, such as a payment of a cash
dividend, would constitute an unsafe and unsound banking practice. The Federal Reserve also has the authority to regulate the debt of bank holding companies, including the authority to impose interest rate ceilings and reserve requirements on such
debt. Under certain circumstances the Federal Reserve may require a bank holding company to file written notice and obtain its approval prior to purchasing or redeeming its equity securities, unless certain conditions are met.

Tie in Arrangements. Federal law prohibits bank holding companies and any subsidiary banks from engaging in certain tie in
arrangements in connection with the extension of credit. For example, the Bank may not extend credit, lease or sell property, or furnish any services, or fix or vary the consideration for any of the foregoing on the condition that (i) the customer
must obtain or provide some additional credit, property or services from or to the Bank other than a loan, discount, deposit or trust services, (ii) the customer must obtain or provide some additional credit, property or service from or to the
Company or the Bank, or (iii) the customer must not obtain some other credit, property or services from competitors, except reasonable requirements to assure soundness of credit extended.

Dividend Payments, Stock Redemptions and Repurchases. The Company’s ability to pay dividends to its shareholders is
affected by both general corporate law considerations and the regulations and policies of the Federal Reserve applicable to bank holding companies, including the Basel III Capital Rules. Generally, a Texas corporation may not make distributions to
its shareholders if (i) after giving effect to the dividend, the corporation would be insolvent, or (ii) the amount of the dividend exceeds the surplus of the corporation. Dividends may be declared and paid in a corporation’s own treasury shares that
have been reacquired by the corporation out of surplus. Dividends may be declared and paid in a corporation’s own authorized but unissued shares out of the surplus of the corporation upon the satisfaction of certain conditions.

13

Table of Contents

It is the Federal Reserve’s policy that bank holding companies should generally pay dividends on common stock only out of income available over the past year, and only if
prospective earnings retention is consistent with the organization’s expected future needs and financial condition. It is also the Federal Reserve’s policy that bank holding companies should not maintain dividend levels that undermine their ability
to be a source of strength to its banking subsidiaries. Additionally, the Federal Reserve has indicated that bank holding companies should carefully review their dividend policy and has discouraged payment ratios that are at maximum allowable levels
unless both asset quality and capital are very strong. The Federal Reserve possesses enforcement powers over bank holding companies and their nonbank subsidiaries to prevent or remedy actions that represent unsafe or unsound practices or violations
of applicable statutes and regulations. Among these powers is the ability to proscribe the payment of dividends by banks and bank holding companies.

Bank holding companies must consult with the Federal Reserve before redeeming any equity or other capital instrument included in Tier 1 or Tier 2 capital prior to stated maturity,
if (x) such redemption could have a material effect on the level or composition of the organization’s capital base, or (y) as a result of such repurchase, there is a net reduction of the outstanding amount of common stock or preferred stock
outstanding at the beginning of the quarter in which the redemption or repurchase occurs. In addition, bank holding companies are unable to repurchase shares equal to 10% or more of its net worth if it would not be well-capitalized (as defined by the
Federal Reserve) after giving effect to such repurchase. Bank holding companies experiencing financial weaknesses, or that are at significant risk of developing financial weaknesses, must consult with the Federal Reserve before redeeming or
repurchasing common stock or other regulatory capital instruments.

The Bank

General. City Bank is a Texas banking association and is subject to supervision, regulation and examination by the TDB and
the FDIC. City Bank is also subject to certain regulations of the CFPB. The TDB supervises and regulates all areas of the Bank’s operations including, without limitation, the making of loans, the issuance of securities, the conduct of the Bank’s
corporate affairs, the satisfaction of capital adequacy requirements, the payment of dividends and the establishment or closing of banking offices. The FDIC is the Bank’s primary federal regulatory agency and periodically examines the Bank’s
operations and financial condition and compliance with federal law. In addition, the Bank’s deposit accounts are insured by the DIF to the maximum extent provided under federal law and FDIC regulations, and the FDIC has certain enforcement powers
over the Bank.

Depositor Preference. In the event of the “liquidation or other resolution” of an insured depository institution, the
claims of depositors of the institution, including the claims of the FDIC as subrogee of insured depositors, and certain claims for administrative expenses of the FDIC as a receiver, will have priority over other general unsecured claims against the
institution. If an insured depository institution fails, insured and uninsured depositors, along with the FDIC, will have priority in payment ahead of unsecured, non-deposit creditors including the parent bank holding company with respect to any
extensions of credit they have made to that insured depository institution.

Brokered Deposit Restrictions. Well-capitalized institutions are not subject to limitations on brokered deposits, while
adequately capitalized institutions are able to accept, renew or roll over brokered deposits only with a waiver from the FDIC and subject to certain restrictions on the yield paid on such deposits. Undercapitalized institutions are generally not
permitted to accept, renew or roll over brokered deposits. As of December 31, 2025, the Bank was eligible to accept brokered deposits without a waiver from the FDIC as the Bank was a well-capitalized institution.

Deposit Insurance. As an FDIC-insured institution, the Bank is required to pay deposit insurance premiums to the FDIC. The
FDIC has adopted a risk-based assessment system whereby FDIC-insured depository institutions pay insurance premiums at rates based on their risk classification. An institution’s risk classification is assigned based on its capital levels and the
level of supervisory concern the institution poses to the regulators. For deposit insurance assessment purposes, an insured depository institution is placed in one of four risk categories each quarter. An institution’s assessment is determined by
multiplying its assessment rate by its assessment base. The total base assessment rates range from 1.5 basis points to 40 basis points. While in the past an insured depository institution’s assessment base was determined by its deposit base,
amendments to the FDIA revised the assessment base so that it is calculated using average consolidated total assets minus average tangible equity.

Additionally, the Dodd-Frank Act altered the minimum designated reserve ratio of the DIF, increasing the minimum from 1.15% to 1.35% of the estimated amount of total insured deposits, and eliminating
the requirement that the FDIC pay dividends to depository institutions when the reserve ratio exceeds certain thresholds. On October 18, 2022, the FDIC adopted a final rule applicable to all insured depository institutions increasing initial base
deposit insurance assessment rate schedules by 2 basis points, beginning in the first quarterly assessment period of 2023. The FDIC also issued notices maintaining a DIF reserve ratio of 2.0% for 2023 and 2024. In its May 2025 report, the FDIC
stated that the reserve ratio likely will reach the statutory minimum by the September 30, 2028 deadline and that no adjustments to the base assessment rates are currently projected. The increase in assessment rate schedules is intended to increase
the likelihood that the DIF reserve ratio be restored to at least the statutory minimum of 1.35% by September 30, 2028, the statutory deadline set by the Dodd-Frank Act. The assessment rate schedules will remain in effect unless and until the DIF
reserve ratio meets or exceeds 2.0% in order to support growth in the DIF in progressing toward the FDIC’s long-term goal of a 2.0% designated reserve ratio for the DIF. FDIC staff may in the future recommend additional assessment rate adjustments
if deemed necessary.

At least semi-annually, the FDIC updates its loss and income projections for the DIF and, if needed, may increase or decrease the assessment rates following notice and comment on
proposed rulemaking. As a result, the Bank’s FDIC deposit insurance premiums could increase. During the year ended December 31, 2025, the Bank paid $2.0 million in FDIC deposit insurance premiums.

14

Table of Contents

Audit Reports. For insured institutions with total assets of $1.0 billion or more, financial statements prepared in
accordance with generally accepted accounting principles, or GAAP, management’s certifications signed by our and the Bank’s chief executive officer and chief accounting or financial officer concerning management’s responsibility for the financial
statements, and an attestation by the auditors regarding the Bank’s internal controls must be submitted. For institutions with total assets of more than $3.0 billion, independent auditors may be required to review quarterly financial statements. The
Federal Deposit Insurance Corporation Improvement Act requires that the Bank have an independent audit committee, consisting of outside directors only, or that we have an audit committee that is entirely independent. The committees of such
institutions must include members with experience in banking or financial management, must have access to outside counsel and must not include representatives of large customers. The Bank’s audit committee consists entirely of independent directors.

Examination Assessments. Texas-chartered banks are required to pay an annual assessment fee to the TDB to fund its
operations. The fee is based on the amount of the bank’s assets at rates established by the Finance Commission of Texas. During the year ended December 31, 2025, the Bank paid examination assessments to the TDB totaling $350 thousand.

Capital Requirements. Banks are generally required to maintain minimum capital ratios. For a discussion of the capital
requirements applicable to the Bank, see “Regulatory Capital Requirements” above.

Bank Reserves. The Federal Reserve requires all depository institutions to maintain reserves against some transaction
accounts (primarily NOW and Super NOW checking accounts). The balances maintained to meet the reserve requirements imposed by the Federal Reserve may be used to satisfy liquidity requirements. An institution may borrow from the Federal Reserve
“discount window” as a secondary source of funds if the institution meets the Federal Reserve’s credit standards.

Liquidity Requirements. Historically, regulation and monitoring of bank and bank holding company liquidity has been
addressed as a supervisory matter, without required formulaic measures. The Basel III liquidity framework requires banks and bank holding companies to measure their liquidity against specific liquidity tests. The federal banking agencies adopted
final Liquidity Coverage Ratio rules in September 2014 and proposed Net Stable Funding Ratio rules in May 2016. These rules introduced two liquidity related metrics: Liquidity Coverage Ratio is intended to require financial institutions to maintain
sufficient high-quality liquid resources to survive an acute stress scenario that lasts for one month; and Net Stable Funding Ratio is intended to require financial institutions to maintain a minimum amount of stable sources relative to the liquidity
profiles of the institution’s assets and contingent liquidity needs over a one-year period.

While the Liquidity Coverage Ratio and the proposed Net Stable Funding Ratio rules apply only to the largest banking organizations in the country, certain elements may filter down
and become applicable to or expected of all insured depository institutions and bank holding companies.

Dividend Payments. The primary source of funds for the Company is dividends from the Bank. Unless the approval of the FDIC
is obtained, the Bank may not declare or pay a dividend if the total of all dividends declared during the calendar year, including the proposed dividend, exceeds the sum of the Bank’s net income during the current calendar year and the retained net
income of the prior two calendar years. In addition, pursuant to the Texas Finance Code, as a Texas banking association, the Bank generally may not pay a dividend that would reduce its outstanding capital and surplus unless it obtains the prior
approval of the Texas Banking Commissioner. As a Texas corporation, we may, under the Texas Business Organizations Code (“TBOC”), pay dividends out of net profits after deducting expenses, including loan losses. The FDIC and the TDB also may, under
certain circumstances, prohibit the payment of dividends to the Company from the Bank. Texas corporate law also requires that dividends only be paid out of funds legally available therefor.

The payment of dividends by any financial institution is affected by the requirement to maintain adequate capital pursuant to applicable capital adequacy guidelines and
regulations, and a financial institution generally is prohibited from paying any dividends if, following payment thereof, the institution would be undercapitalized. If the Bank’s capital becomes impaired or the FDIC or the TDB otherwise determines
that the Bank needs more than normal supervision, the Bank may be prohibited or otherwise limited from paying any dividends or making any other capital distributions to the Company. Consequently, any restrictions on the ability of the Bank to pay
dividends to the Company may, in turn, restrict the ability of the Company to pay dividends to shareholders. As described above, the Bank exceeded its minimum capital requirements under applicable regulatory guidelines as of December 31, 2025.

Transactions with Affiliates. The Bank is subject to sections 23A and 23B of the Federal Reserve Act, or the Affiliates
Act, and the Federal Reserve’s implementing Regulation W. An affiliate of a bank is any company or entity that controls, is controlled by or is under common control with the bank. Accordingly, transactions between the Company, the Bank and any
non-bank subsidiaries will be subject to a number of restrictions. The Affiliates Act imposes restrictions and limitations on the Bank from making extensions of credit to, or the issuance of a guarantee or letter of credit on behalf of, the Company
or other affiliates, the purchase of, or investment in, stock or other securities thereof, the taking of such securities as collateral for loans and the purchase of assets of the Company or other affiliates. Such restrictions and limitations prevent
the Company or other affiliates from borrowing from the Bank unless the loans are secured by marketable obligations of designated amounts. Furthermore, such secured loans and investments by the Bank to or in the Company or to or in any other
non-banking affiliate are limited, individually, to 10% of the Bank’s capital and surplus, and such transactions are limited in the aggregate to 20% of the Bank’s capital and surplus. All such transactions, as well as contracts entered into between
the Bank and affiliates, must be on terms that are no less favorable to the Bank than those that would be available from non-affiliated third parties. Federal Reserve policies also forbid the payment by bank subsidiaries of management fees which are
unreasonable in amount or exceed the fair market value of the services rendered or, if no market exists, actual costs plus a reasonable profit.

15

Table of Contents

Financial Subsidiaries. Under the Gramm-Leach-Bliley Act (“GLBA”), subject to certain conditions imposed by their
respective banking regulators, national and state-chartered banks are permitted to form “financial subsidiaries” that may conduct financial activities or activities incidental thereto, thereby permitting bank subsidiaries to engage in certain
activities that previously were impermissible. The GLBA imposes several safeguards and restrictions on financial subsidiaries, including that the parent bank’s equity investment in the financial subsidiary be deducted from the bank’s assets and
tangible equity for purposes of calculating the bank’s capital adequacy. In addition, the GLBA imposed new restrictions on transactions between a bank and its financial subsidiaries similar to restrictions applicable to transactions between banks and
non-bank affiliates. As of December 31, 2025, the Bank did not have any financial subsidiaries.

Loans to Directors, Executive Officers and Principal Shareholders. The authority of the Bank to extend credit to its
directors, executive officers and principal shareholders, including their immediate family members and corporations and other entities that they control, is subject to substantial restrictions and requirements under the Federal Reserve’s Regulation
O, as well as the Sarbanes-Oxley Act. These statutes and regulations impose limits on the amount of loans the Bank may make to directors and other insiders and require that (i) the loans must be made on substantially the same terms, including
interest rates and collateral, as prevailing at the time for comparable transactions with persons not affiliated with the Company or the Bank, (ii) the Bank must follow credit underwriting procedures at least as stringent as those applicable to
comparable transactions with persons who are not affiliated with the Company or the Bank, and (iii) the loans must not involve a greater than normal risk of non-payment or include other features not favorable to the Bank. In addition, these
extensions of credit may not exceed, together with all other outstanding loans to such persons and affiliated entities, the Bank’s total capital and surplus. Any extension of credit to insiders above specified amounts must receive the prior approval
of the Bank’s board of directors and the Bank must periodically report all loans made to directors and other insiders to the bank regulators. Any violation of these restrictions may result in the assessment of substantial civil monetary penalties on
the Bank or any officer, director, employee, agent or other person participating in the conduct of the affairs of the Bank, the imposition of a cease and desist order, and other regulatory sanctions. As of December 31, 2025, the Bank’s total amount
of lines of credit for loans to insiders and loans outstanding to insiders was $48.9 million.

Limits on Loans to One Borrower. As a Texas banking association, the Bank is subject to limits on the amount of loans it
can make to one borrower. With certain limited exceptions, loans and extensions of credit from Texas banking associations outstanding to any borrower (including certain related entities of the borrower) at any one time may not exceed 25% of the Tier
1 capital of the Bank. A Texas banking association may lend an additional amount if the loan is fully secured by certain types of collateral, like bonds or notes of the U.S. Certain types of loans are exempted from the lending limits, including loans
secured by segregated deposits held by the Bank. The Bank’s legal lending limit to any one borrower was approximately $123.1 million as of December 31, 2025.

Safety and Soundness Standards / Risk Management. The federal banking agencies have adopted guidelines establishing
operational and managerial standards to promote the safety and soundness of federally insured depository institutions. The guidelines set forth standards for internal controls, information systems, internal audit systems, loan documentation, credit
underwriting, interest rate exposure, asset growth, compensation, fees and benefits, asset quality and earnings.

In general, the safety and soundness guidelines prescribe the goals to be achieved in each area, and each institution is responsible for establishing its own procedures to achieve
those goals. If an institution fails to comply with any of the standards set forth in the guidelines, the financial institution’s primary federal regulator may require the institution to submit a plan for achieving and maintaining compliance. If a
financial institution fails to submit an acceptable compliance plan, or fails in any material respect to implement a compliance plan that has been accepted by its primary federal regulator, the regulator is required to issue an order directing the
institution to cure the deficiency. Until the deficiency cited in the regulator’s order is cured, the regulator may restrict the financial institution’s rate of growth, require the financial institution to increase its capital, restrict the rates the
institution pays on deposits or require the institution to take any action the regulator deems appropriate under the circumstances. Noncompliance with the standards established by the safety and soundness guidelines may also constitute grounds for
other enforcement action by the federal bank regulatory agencies, including cease and desist orders and civil money penalty assessments.

During the past decade, the bank regulatory agencies have increasingly emphasized the importance of sound risk management processes and strong internal controls when evaluating the
activities of the financial institutions they supervise. Properly managing risks has been identified as critical to the conduct of safe and sound banking activities and has become even more important as new technologies, product innovation and the
size and speed of financial transactions have changed the nature of banking markets. The agencies have identified a spectrum of risks facing a banking institution including, but not limited to, credit, market, liquidity, operational, legal and
reputational risk. In particular, recent regulatory pronouncements have focused on operational risk, which arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud or unforeseen
catastrophes will result in unexpected losses. New products and services, third party risk management and cybersecurity are critical sources of operational risk that financial institutions are expected to address in the current environment. The Bank
is expected to have active board and senior management oversight; adequate policies, procedures and limits; adequate risk measurement, monitoring and management information systems; and comprehensive internal controls.

16

Table of Contents

Branching Authority. Deposit-taking banking offices must be approved by the FDIC and, if such office is established within Texas, the TDB,
which consider a number of factors including financial history, capital adequacy, earnings prospects, character of management, needs of the community and consistency with corporate power. The Dodd-Frank Act permits insured state banks to engage in
interstate branching if the laws of the state where the new banking office is to be established would permit the establishment of the banking office if it were chartered by a bank in such state. In December 2025, the FDIC approved a final rule to
streamline the process for the establishment and relocation of domestic branches. Although new branches must still be approved by the FDIC, the final rule provides that most branch establishment or relocation filings that qualify for expedited
processing will be deemed approved within three business days after submission. Additionally, the final rule significantly reduces the volume of information required to be submitted in branch establishment or relocation filings. Finally, the Bank
may also establish banking offices in other states by merging with banks or by purchasing banking offices of other banks in other states, subject to certain restrictions.

Interstate Deposit Restrictions. The Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994 (“Interstate
Act”), together with the Dodd-Frank Act, relaxed prior branching restrictions under federal law by permitting, subject to regulatory approval, banks to establish branches in states where the laws permit banks chartered in such states to establish
branches.

Section 109 of the Interstate Act prohibits a bank from establishing or acquiring a branch or branches outside of its home state primarily for the purpose of deposit production. To
determine compliance with Section 109, the appropriate federal banking agency first compares a bank’s estimated statewide loan-to-deposit ratio to the estimated host state loan-to-deposit ratio for a particular state. If a bank’s statewide
loan-to-deposit ratio is at least one-half of the published host state loan-to-deposit ratio, the bank has complied with Section 109. A second step is conducted if a bank’s estimated statewide loan-to-deposit ratio is less than one-half of the
published ratio for that state. The second step requires the appropriate agency to determine whether the bank is reasonably helping to meet the credit needs of the communities served by the bank’s interstate branches. A bank that fails both steps is
in violation of Section 109 and subject to sanctions by the appropriate agency. Those sanctions may include requiring the bank’s interstate branches in the non-compliant state be closed or not permitting the bank to open new branches in the
non-compliant state.

For purposes of Section 109, the Bank’s home state is Texas and the Bank operates branches in one host state: New Mexico. The most recently published host state loan-to-deposit
ratio using data as of June 30, 2024 reflects a statewide loan-to-deposit ratio in New Mexico of 61%. As of December 31, 2025, the Bank’s statewide loan-to-deposit ratio in New Mexico was 31.2%. Accordingly, management believes that the Bank is in
compliance with Section 109 in New Mexico after application of the first step of the two-step test.

Community Reinvestment Act. The CRA and the regulations issued thereunder are intended to encourage insured depository
institutions, while operating safely and soundly, to help meet the credit needs of their communities. The CRA specifically directs the federal bank regulatory agencies, in examining insured depository institutions, to assess their record of helping
to meet the credit needs of their entire community, including low and moderate income neighborhoods, consistent with safe and sound banking practices. The CRA further requires the agencies to take a financial institution’s record of meeting its
community credit needs into account when evaluating applications for, among other things, domestic branches, consummating mergers or acquisitions or holding company formations.

The federal banking agencies have adopted regulations which measure a bank’s compliance with its CRA obligations on a performance-based evaluation system. This system bases CRA
ratings on an institution’s actual lending service and investment performance rather than the extent to which the institution conducts needs assessments, documents community outreach or complies with other procedural requirements. The ratings range
from a high of “outstanding” to a low of “substantial noncompliance.” The Bank had a CRA rating of “satisfactory” as of its most recent CRA assessment.

Bank Secrecy Act, Anti-Money Laundering and the Office of Foreign Assets Control Regulation. The Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the “USA PATRIOT Act”) is designed to deny terrorists and criminals the ability to obtain access to the U.S. financial system and has significant
implications for depository institutions, brokers, dealers and other businesses involved in the transfer of money. The USA PATRIOT Act substantially broadened the scope of U.S. anti-money laundering (“AML”) laws and regulations by imposing
significant compliance and due diligence obligations, created new crimes and penalties and expanded the extra territorial jurisdiction of the U.S. Financial institutions are also prohibited from entering into specified financial transactions and
account relationships, must use enhanced due diligence procedures in their dealings with certain types of high risk customers and must implement a written customer identification program. Financial institutions must take certain steps to assist
government agencies in detecting and preventing money laundering and report certain types of suspicious transactions. Regulatory authorities routinely examine financial institutions for compliance with these obligations and failure of a financial
institution to maintain and implement adequate programs to combat money laundering and terrorist financing, or to comply with the USA PATRIOT Act or its regulations, could have serious legal and reputational consequences for the institution,
including causing applicable bank regulatory authorities not to approve merger or acquisition transactions when regulatory approval is required or to prohibit such transactions even if approval is not required. Regulatory authorities have imposed
cease and desist orders and civil money penalties against institutions found to be in violation of these obligations.

17

Table of Contents

Among other requirements, federal laws, including the Bank Secrecy Act (“BSA”), as amended by the USA PATRIOT Act and as further amended by the National Defense Authorization Act
for Fiscal Year 2021 (the “National Defense Authorization Act”), and implementing regulations, require banks to establish and maintain AML programs that include, at a minimum:

Additionally, the USA PATRIOT Act requires each financial institution to develop a customer identification program (“CIP”) as part of its AML program. The key components of the CIP
are identification, verification, government list comparison, notice and record retention. The purpose of the CIP is to enable the financial institution to determine the true identity and anticipated account activity of each customer. To make this
determination, among other things, the financial institution must collect certain information from customers at the time they enter into the customer relationship with the financial institution. This information must be verified within a reasonable
time through documentary and non-documentary methods. Furthermore, all customers must be screened against any CIP-related government lists of known or suspected terrorists. Financial institutions are also required to comply with various reporting and
recordkeeping requirements. The Federal Reserve and the FDIC consider an applicant’s effectiveness in combating money laundering, among other factors, in connection with an application to approve a bank merger or acquisition of control of a bank or
bank holding company.

Likewise, the Office of Foreign Accounts Control (“OFAC”) administers and enforces economic and trade sanctions against targeted foreign countries and regimes under authority of
various laws, including designated foreign countries, nationals and others. OFAC publishes lists of specially designated targets and countries. Financial institutions are responsible for, among other things, freezing or blocking accounts of, and
transactions with, such targets and countries, prohibiting unlicensed trade and financial transactions with them and reporting blocked transactions after their occurrence.

The Financial Crimes Enforcement Network (“FinCEN”) issued a final rule regarding customer due diligence requirements for covered financial institutions in connection with their
BSA and AML policies, that became effective in May 2018. The final rule adds a requirement to understand the nature and purpose of customer relationships and identify the “beneficial owner” (25% or more ownership interest) of legal entity customers.
Bank regulators routinely examine institutions for compliance with these obligations and they must consider an institution’s anti-money laundering compliance when considering regulatory applications filed by the institution, including applications
for bank mergers and acquisitions. The regulatory authorities have imposed “cease and desist” orders and civil money penalty sanctions against institutions found to be violating these obligations.

Further, on January 1, 2021, Congress passed the National Defense Authorization Act, which enacted the most significant overhaul of the BSA and related AML laws since the USA
PATRIOT Act. Notable amendments include (1) significant changes to the collection of beneficial ownership information and the establishment of a beneficial ownership registry, which requires corporate entities (generally, any corporation, limited
liability company, or other similar entity with 20 or fewer employees and annual gross income of $5 million or less) to report beneficial ownership information to FinCEN (which will be maintained by FinCEN and made available upon request to financial
institutions); (2) enhanced whistleblower provisions, which provide that one or more whistleblowers who voluntarily provide original information leading to the successful enforcement of violations of the anti-money laundering laws in any judicial or
administrative action brought by the Secretary of the Treasury or the Attorney General resulting in monetary sanctions exceeding $1 million (including disgorgement and interest but excluding forfeiture, restitution, or compensation to victims) will
receive not more than 30 percent of the monetary sanctions collected and will receive increased protections; (3) increased penalties for violations of the BSA; (4) improvements to existing information sharing provisions that permit financial
institutions to share information relating to suspicious activity reports (SARs) with foreign branches, subsidiaries, and affiliates (except those located in China, Russia, or certain other jurisdictions) for the purpose of combating illicit finance
risks; and (5) expanded duties and powers of FinCEN. Many of the amendments, including those with respect to beneficial ownership, require the Department of Treasury and FinCEN to promulgate rules.

18

Table of Contents

On September 29, 2022, FinCEN issued a final rule establishing a beneficial ownership information reporting requirement, pursuant to the Corporate Transparency Act of 2019 (“CTA”).
The rule requires most corporations, limited liability companies, and other entities created in or registered to do business in the United States to report information about their beneficial owners-the persons who ultimately own or control the
company, to FinCEN. On December 22, 2023, FinCEN issued a final rule regarding access by authorized recipients to beneficial ownership information that will be reported to FinCEN pursuant to Sec. 6403 of the CTA, which is part of the National Defense
Authorization Act. The regulations implement strict protocols required by the CTA to protect sensitive personally identifiable information reported to FinCEN and establish the circumstances in which specified recipients have access to beneficial
ownership information, along with data protection protocols and oversight mechanisms applicable to each recipient category. The disclosure of beneficial ownership information to authorized recipients in accordance with appropriate protocols and
oversight will help law enforcement and national security agencies prevent and combat money laundering, terrorist financing, tax fraud, and other illicit activity, as well as protect national security.

In July 2024, the federal banking agencies, including the Federal Reserve and FDIC, proposed amendments to update the requirements for supervised institutions to establish,
implement and maintain effective, risk-based and reasonably designed AML and countering the financing of terrorism (“CFT”) programs. The proposed amendments would require supervised institutions to identify, evaluate and document the regulated
institution’s money laundering, terrorist financing and other illicit finance activity risks, as well as consider, as appropriate, FinCEN’s published national AML/CFT priorities.

Failure of a financial institution to maintain and implement adequate AML and OFAC programs, or to comply with all of the relevant laws or regulations, could have serious legal and
reputational consequences for the institution.

Concentrations in Commercial Real Estate. The federal banking agencies have promulgated guidance governing financial
institutions with concentrations in commercial real estate lending. The guidance provides that a bank has a concentration in commercial real estate lending if (i) total reported loans for construction, land development, and other land represent 100%
or more of total capital or (ii) total reported loans secured by multifamily and non-farm nonresidential properties (excluding loans secured by owner-occupied properties) and loans for construction, land development, and other land represent 300% or
more of total capital and the bank’s commercial real estate loan portfolio has increased 50% or more during the prior 36 months. If a concentration is present, management must employ heightened risk management practices that address the following key
elements: including board and management oversight and strategic planning, portfolio management, development of underwriting standards, risk assessment and monitoring through market analysis and stress testing, and maintenance of increased capital
levels as needed to support the level of commercial real estate lending. On December 18, 2015, the federal banking agencies jointly issued a “statement on prudent risk management for commercial real estate lending.” As of December 31, 2025, the
Company did not exceed the levels to be considered to have a concentration in commercial real estate lending and believes its credit administration to be consistent with the published policy statement.

The Basel III Capital Rules also require loans categorized as “high-volatility commercial real estate,” or HVCRE, to be assigned a 150% risk weighting and require additional
capital support. However, the EGRRCPA prohibits federal banking regulators from imposing higher capital standards on HVCRE exposures unless they are for ADC and clarifying ADC status. As of December 31, 2025, we had $366.1 million in ADC loans and
$16.2 million in HVCRE loans.

Consumer Financial Services

We are subject to a number of federal and state consumer protection laws that extensively govern our relationship with our customers. These laws include the Equal Credit
Opportunity Act (“ECOA”), the Fair Credit Reporting Act, the Truth in Lending Act, the Truth in Savings Act, the Electronic Fund Transfer Act, the Expedited Funds Availability Act, the Home Mortgage Disclosure Act, the Fair Housing Act (“FHA”), the
Real Estate Settlement Procedures Act, the Fair Debt Collection Practices Act, the Service Members Civil Relief Act, the Military Lending Act, and these laws’ respective state law counterparts, as well as state usury laws and laws regarding unfair
and deceptive acts and practices. These and other federal laws, among other things, require disclosures of the cost of credit and terms of deposit accounts, provide substantive consumer rights, prohibit discrimination in credit transactions, regulate
the use of credit report information, provide financial privacy protections, prohibit unfair, deceptive and abusive practices and subject us to substantial regulatory oversight. Violations of applicable consumer protection laws can result in
significant potential liability from litigation brought by customers, including actual damages, restitution and attorneys’ fees. Federal bank regulators, state attorneys general and state and local consumer protection agencies may also seek to
enforce consumer protection requirements and obtain these and other remedies, including regulatory sanctions, customer rescission rights, action by the state and local attorneys general in each jurisdiction in which we operate and civil money
penalties. Failure to comply with consumer protection requirements may also result in failure to obtain any required bank regulatory approval for mergers or acquisitions or prohibition from engaging in such transactions even if approval is not
required.

Many states and local jurisdictions have consumer protection laws analogous, and in addition, to those listed above. These state and local laws regulate the manner in which
financial institutions deal with customers when taking deposits, making loans or conducting other types of transactions. Failure to comply with these laws and regulations could give rise to regulatory sanctions, customer rescission rights, action by
state and local attorneys general and civil or criminal liability.

19

Table of Contents

Rulemaking authority for most federal consumer protection laws was transferred from the prudential regulators to the CFPB on July 21, 2011. In some cases, regulators such as the
Federal Trade Commission (“FTC”) and the U.S. Department of Justice (“DOJ”) also retain certain rulemaking or enforcement authority. The CFPB also has broad authority to prohibit unfair, deceptive and abusive acts and practices, or UDAAP, and to
investigate and penalize financial institutions that violate this prohibition. While the statutory language of the Dodd-Frank Act sets forth the standards for acts and practices that violate the prohibition on UDAAP, certain aspects of these
standards are untested, and thus it is currently not possible to predict how the CFPB will exercise this authority.

The consumer protection provisions of the Dodd-Frank Act and the examination, supervision and enforcement of those laws and implementing regulations by the CFPB have created a more
intense and complex environment for consumer finance regulation. The CFPB has significant authority to implement and enforce federal consumer protection laws and new requirements for financial services products provided for in the Dodd-Frank Act, as
well as the authority to identify and prohibit UDAAP. The review of products and practices to prevent such acts and practices is a continuing focus of the CFPB, and of banking regulators more broadly. The ultimate impact of this heightened scrutiny
is uncertain but could result in changes to pricing, practices, products and procedures. It could also result in increased costs related to regulatory oversight, supervision and examination, additional remediation efforts and possible penalties. In
addition, the Dodd-Frank Act provides the CFPB with broad supervisory, examination and enforcement authority over various consumer financial products and services, including the ability to require reimbursements and other payments to customers for
alleged legal violations and to impose significant penalties, as well as injunctive relief that prohibits lenders from engaging in allegedly unlawful practices. The CFPB also has the authority to obtain cease and desist orders providing for
affirmative relief or monetary penalties. The Dodd-Frank Act does not prevent states from adopting stricter consumer protection standards. State regulation of financial products and potential enforcement actions could also adversely affect our
business, financial condition or results of operations. Significant recent CFPB developments include:

The CFPB has examination and enforcement authority over providers with more than $10 billion in assets. Banks and savings institutions with $10 billion or less in assets, like the
Bank, will continue to be examined by their applicable bank regulators.

Mortgage and Mortgage-Related Products, Generally. Because abuses in connection with home mortgages were a significant
factor contributing to the financial crisis, many provisions of the Dodd-Frank Act and rules issued thereunder address mortgage and mortgage-related products, their underwriting, origination, servicing and sales. The Dodd-Frank Act significantly
expands underwriting requirements applicable to loans secured by 1-4 family residential real property and augmented federal law combating predatory lending practices. In addition to numerous disclosure requirements, the Dodd-Frank Act imposes new
standards for mortgage loan originations on all lenders, including banks, in an effort to strongly encourage lenders to verify a borrower’s ability to repay, while also establishing a presumption of compliance for certain “qualified mortgages.” The
Dodd-Frank Act generally requires lenders or securitizers to retain an economic interest in the credit risk relating to loans that the lender sells, and other asset-backed securities that the securitizer issues, if the loans do not comply with the
ability-to-repay standards described below. The Bank does not currently expect these provisions of the Dodd-Frank Act or any related regulations to have a significant impact on its operations, except for higher compliance costs.

Ability-to-Repay Requirement and Qualified Mortgage Rule. In January 2013, the CFPB issued a final rule implementing the
Dodd-Frank Act’s ability-to-repay requirements. Under this rule, lenders, in assessing a borrower’s ability to repay a mortgage-related obligation, must consider eight underwriting factors: (i) current or reasonably expected income or assets; (ii)
current employment status; (iii) monthly payment on the subject transaction; (iv) monthly payment on any simultaneous loan; (v) monthly payment for all mortgage-related obligations; (vi) current debt obligations, alimony, and child support; (vii)
monthly debt-to-income ratio or residual income; and (viii) credit history. This rule also includes guidance regarding the application of, and methodology for evaluating, these factors. The EGRRCPA provides that for certain insured depository
institutions and insured credit unions with less than $10 billion in total consolidated assets, mortgage loans that are originated and retained in portfolio will automatically be deemed to satisfy the “ability to repay” requirement. To qualify for
this treatment, the insured depository institutions and credit unions must meet conditions relating to prepayment penalties, points and fees, negative amortization, interest-only features and documentation.

20

Table of Contents

Home Mortgage Disclosure Act (“HMDA”). On October 15, 2015, pursuant to Section 1094 of the Dodd-Frank Act, the CFPB issued
amended rules in regard to the collection, reporting and disclosure of certain residential mortgage transactions under the Home Mortgage Disclosure Act (the “HMDA Rules”). The Dodd-Frank Act mandated additional loan data collection points in addition
to authorizing the Bureau to require other data collection points under implementing Regulation C. The HMDA Rules adopted a uniform loan volume threshold for all financial institutions, modifies the types of transactions that are subject to
collection and reporting, expands the loan data information being collected and reported, and modifies procedures for annual submission and annual public disclosures. EGRRCPA amended provisions of the HMDA Rules to exempt certain insured institutions
from most of the expanded data collection requirements required of the Dodd-Frank Act. The CFPB further amended the HMDA Rules in April 2020 so that, effective January 1, 2022, institutions originating fewer than 100 dwelling secured closed-end
mortgage loans or fewer than 200 dwelling secured open-end lines are exempt from the expanded data collection requirements that went into effect January 1, 2018. On February 1, 2023, the Office of the Comptroller of the Currency issued OCC Bulletin
2023-5 which clarified that, following a recent court decision vacating the 2020 HMDA Final Rules as to the loan volume reporting threshold for closed-end mortgage loans, the loan origination threshold for reporting HMDA data on closed-end mortgage
loans reverted to the 25 loan threshold established by the 2015 HMDA Final Rule. The Bank does not receive this reporting relief based on the number of dwelling secured mortgage loans reported annually.

UDAP and UDAAP. Banking regulatory agencies have increasingly used a general consumer protection statute to address
“unfair,” “deceptive” or “abusive” acts and business practices that may not necessarily fall directly under the purview of a specific banking or consumer finance law. Section 5 of the Federal Trade Commission Act, referred to as the FTC Act, is the
primary federal law that prohibits unfair or deceptive acts or practices, referred to as UDAP, and unfair methods of competition in or affecting commerce. “Unjustified consumer injury” is the principal focus of the FTC Act. UDAP laws and regulations
were expanded under the Dodd-Frank Act to apply to “unfair, deceptive or abusive acts or practices,” referred to as UDAAP, and were delegated to the CFPB for rule-making. The federal banking agencies have the authority to enforce such rules and
regulations. Under the Dodd-Frank Act, the CFPB looks to various factors to assess whether an act or practice is unfair, including whether it causes or is likely to cause substantial injury to consumers, the injury is not reasonably avoidable by
consumers, and the injury is not outweighed by countervailing benefits to consumers or to competition. A key focus of the CFPB is whether an act or practice hinders a consumer’s decision-making.

Incentive Compensation Guidance

The federal bank regulatory agencies have issued comprehensive guidance intended to ensure that the incentive compensation policies of banking organizations do not undermine the
safety and soundness of those organizations by encouraging excessive risk-taking. The incentive compensation guidance sets expectations for banking organizations concerning their incentive compensation arrangements and related risk-management,
control and governance processes. The incentive compensation guidance, which covers all employees that have the ability to materially affect the risk profile of an organization, either individually or as part of a group, is based upon three primary
principles: (1) balanced risk-taking incentives; (2) compatibility with effective controls and risk management; and (3) strong corporate governance. Any deficiencies in compensation practices that are identified may be incorporated into the
organization’s supervisory ratings, which can affect its ability to make acquisitions or take other actions. In addition, under the incentive compensation guidance, a banking organization’s federal supervisor may initiate enforcement action if the
organization’s incentive compensation arrangements pose a risk to the safety and soundness of the organization. Further, the Basel III capital rules limit discretionary bonus payments to bank executives if the institution’s regulatory capital ratios
fail to exceed certain thresholds.

The Dodd-Frank Act directs the federal banking regulators to promulgate rules prohibiting excessive compensation paid to executives of depository institutions and their holding
companies with assets in excess of $1 billion, regardless of whether the company is publicly traded or not. In May 2016, the federal banking regulators, joined by the SEC, proposed such a rule that is tailored based on the asset size of the
institution. All covered financial institutions would be subject to a prohibition on paying compensation, fees, and benefits that are “unreasonable” or “disproportionate” to the value of the services performed by a person covered by the proposed rule
(generally, senior executive officers and employees who are significant risk-takers). As of the date of this Report, the federal banking regulators have not yet implemented a final rule with respect to excessive compensation paid to executives of
depository institutions and their holding companies. The scope and content of the U.S. banking regulators’ policies on executive compensation are continuing to develop and are likely to continue evolving in the near future.

The Dodd-Frank Act requires public companies to include, at least once every three years, a separate non-binding “say-on-pay” vote in their proxy statement by which shareholders
may vote on the compensation of the public company’s named executive officers. In addition, if such public companies are involved in a merger, acquisition, or consolidation, or if they propose to sell or dispose of all or substantially all of their
assets, shareholders have a right to an advisory vote on any golden parachute arrangements in connection with such transaction (frequently referred to as “say-on-golden parachute” vote). In addition, the SEC adopted rules prohibiting the listing of
any equity security of a company that does not have a compensation committee consisting solely of independent directors, subject to certain exceptions.

In August 2022, the SEC adopted the final “pay versus performance” rule mandated by the Dodd-Frank Act. Among other disclosure requirements, the rule requires public companies
(other than emerging growth companies, registered investment companies and foreign private issuers) to disclose the relationships among named executive officer compensation “actually paid,” total shareholder return and certain financial performance
measures that the company uses to link compensation to company performance for its five most recent fiscal years. Beginning on December 31, 2024, the Company is no longer an emerging growth company and, accordingly, the rule will first apply to
disclosures in the Company’s proxy statement for the 2025 annual meeting of shareholders.

21

Table of Contents

In October 2022, the SEC adopted a final rule directing national securities exchanges and associations, including the Nasdaq, to implement listing standards that require listed
companies to adopt policies mandating the recovery or “clawback” of excess incentive-based compensation earned by a current or former executive officer during the three fiscal years preceding the date the listed company is required to prepare an
accounting restatement, including to correct an error that would result in a material misstatement if the error were corrected in the current period or left uncorrected in the current period. In accordance with Rule 10D-1 promulgated by the SEC under
the Exchange Act and Nasdaq Listing Rule 5608, the Board of Directors adopted and implemented an Incentive Award Recoupment Policy, effective as of October 2, 2023.

Financial Privacy

Under Section 501 of the Gramm-Leach-Bliley Act, and its implementing regulations, the federal bank regulatory agencies have adopted rules that limit the ability of banks and other
financial institutions to disclose non-public information about consumers to non-affiliated third parties. These limitations require disclosure of privacy policies to consumers and, in some circumstances, allow consumers to prevent disclosure of
certain personal information to a non-affiliated third party. These regulations affect how consumer information is transmitted through financial services companies and conveyed to outside vendors. In addition, consumers may also prevent disclosure of
certain information among affiliated companies that is assembled or used to determine eligibility for a product or service, such as that shown on consumer credit reports and asset and income information from applications. Consumers also have the
option to direct banks and other financial institutions not to share information about transactions and experiences with affiliated companies for the purpose of marketing products or services.

Impact of Monetary Policy

The monetary policy of the Federal Reserve has a significant effect on the operating results of financial or bank holding companies and their subsidiaries. Among the tools
available to the Federal Reserve to affect the money supply are open market transactions in U.S. government securities, changes in the discount rate on member bank borrowings and changes in reserve requirements against member bank deposits. These
tools are used in varying combinations to influence overall growth and distribution of bank loans, investments and deposits, and their use may affect interest rates charged on loans or paid on deposits.

Environmental Laws Potentially Impacting the Bank

We are subject to state and federal environmental laws and regulations. The Comprehensive Environmental Response, Compensation and Liability Act, (“CERCLA”), is a federal statute that
generally imposes strict liability on all prior and present “owners and operators” of sites containing hazardous waste. However, Congress acted to protect secured creditors by providing that the term “owner and operator” excludes a person whose
ownership is limited to protecting its security interest in the site. Since the enactment of the CERCLA, this “secured creditor exemption” has been the subject of judicial interpretations which have left open the possibility that lenders could be
liable for cleanup costs on contaminated property that they hold as collateral for a loan, which costs often substantially exceed the value of the property.

Other Recent Legislative Developments

In July 2025, the Guiding and Establishing National Innovation for U.S. Stablecoins Act, or the “GENIUS Act,” was signed into law, establishing a federal licensing and supervisory
framework for payment stablecoins and their issuers. The GENIUS Act may accelerate and increase the competition that non-traditional financial institutions pose to banks’ payment services, but may also create opportunities for banks to hold
stablecoin reserve assets, custody stablecoins, or issue stablecoins. Several key provisions of the GENIUS Act require federal regulatory agencies to adopt implementing regulations, and the GENIUS Act will take effect the earlier of 18 months after
its enactment or 120 days after the agencies issue final implementing regulations.

In July 2025, the One Big Beautiful Bill Act (“OBBBA”) was signed into law, introducing significant tax changes. The OBBBA extends or makes permanent various tax provisions that
were originally enacted in the 2017 Tax Cuts and Jobs Act and were set to expire at the end of 2025. The OBBBA features modified versions of individual and business tax relief proposals, and other new tax relief measures. In addition, it includes
various revenue-raising measures, including changes to various limits on business and individual tax deductions that are intended to offset part of the cost of the legislation. The Company is currently evaluating the impact of the OBBBA on its
business and consolidated financial statements.

Other Pending and Proposed Legislation

Other legislative and regulatory initiatives which could affect the Company, the Bank and the banking industry in general may be proposed or introduced before the U.S. Congress,
the Texas Legislature and other governmental bodies in the future. Such proposals, if enacted, may further alter the structure, regulation and competitive relationship among financial institutions, and may subject the Company or the Bank to increased
regulation, disclosure and reporting requirements. In addition, the various banking regulatory agencies often adopt new rules and regulations to implement and enforce existing legislation. It cannot be predicted whether, or in what form, any such
legislation or regulations may be enacted or the extent to which the business of the Company or the Bank would be affected thereby.

AVAILABLE INFORMATION

The Company maintains an Internet web site at www.spfi.bank. The Company makes available, free of charge, on its web site (under www.spfi.bank/financials-filings/sec-filings) the
Company’s annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, and amendments to those reports filed or furnished pursuant to Section 13(a) or Section 15(d) of the Exchange Act as soon as reasonably practicable
after the Company files such material with, or furnishes it to, the SEC. The Company also makes, free of charge, through its web site (under www.spfi.bank/corporate-governance/documents-charters) links to the Company’s Code of Business Conduct and
Ethics and the charters for its Board committees. In addition, the SEC maintains an Internet web site (at www.sec.gov) that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the
SEC.

22

Table of Contents

The Company routinely posts important information for investors on its web site (under www.spfi.bank and, more specifically, under the News & Events tab at
www.spfi.bank/news-events/press-releases). The Company intends to use its web site as a means of disclosing material non-public information and for complying with its disclosure obligations under SEC Regulation FD (Fair Disclosure). Accordingly,
investors should monitor the Company’s web site, in addition to following the Company’s press releases, SEC filings, public conference calls, presentations and webcasts.

The information contained on, or that may be accessed through, the Company’s web site is not incorporated by reference into, and is not a part of, this Report.