Bancorp, Inc. (TBBK) Business

ITEM 1. BUSINESS.

Overview

The Bancorp, Inc. (the “Company,” “we,” “us,” “our” or “the holding company”) is a Delaware financial holding company and our primary, wholly-owned subsidiary is The Bancorp Bank, National Association (the “Bank”). The Bank is a federally chartered commercial bank located in Sioux Falls, South Dakota and is a Federal Deposit Insurance Corporation (“FDIC”) insured institution. The vast majority of our revenue and income is generated through the Bank. As described more fully below, our business strategy is focused on Fintech Solutions, including program sponsorship, payment services, and sponsored lending. We expect our fintech business to generate non-interest income and attract stable, lower cost deposits which we then seek to deploy into lower risk assets in specialized markets through the specialty lending activities of our Credit Solutions business.

An overview of our operations follows, including discussion of Fintech Solutions, Credit Solutions, and Other Operations.

Fintech Solutions

We are a leading fintech bank, focused on partnering with fintech innovators and providing a dynamic portfolio of payment and lending solutions. Our focus is on continually evolving our product offerings to meet the needs and goals of different partners, and building a strong foundation of technology and services, while maintaining a focus on strong and effective regulatory compliance.

The Fintech Solutions business line partners with fintech companies and other technology focused payment-based providers (collectively “partners”) to deliver payment, deposit, and sponsored lending products that attract stable, lower-cost deposits and generate fee income. Deposits generated through these partner relationships are deployed into loan and lease products offered by both Sponsored Lending and the Credit Solutions business line.

Our fintech services are provided to organizations with a pre-existing customer base, and the products are tailored to support or complement the services provided by these organizations to their customers. We typically provide these services under the name and through the facilities of each partner.

The Fintech Solutions division’s capabilities include: the sponsored issuance of deposit accounts and debit, credit, and prepaid cards; sponsored lending products for fintech partners; and payment processing solutions, including acquiring, ACH, and near-and real-time payment services in support of its partners.

An overview of our fintech products is as follows:

Program sponsorship includes debit, credit and prepaid cards that we issue for companies that market directly to end users. The Bank issues the cards, provides access to the card networks, maintains deposits, and is the sponsor bank of record for accounts. Our card-accessed deposit account types are diverse and include consumer and business debit, general purpose reloadable prepaid, pre-tax medical spending benefit, payroll, gift, government, corporate incentive, reward, business payment accounts and others.

Fee income from Prepaid, debit card and related sources was $103.5 million and $97.4 million for 2025 and 2024, respectively. The majority of fees that we earn result from contractual fees paid by our partners, computed on a per transaction basis, and monthly service fees. Additionally, we earn interchange fees paid through settlement networks such as Visa or Mastercard, which are also determined on a per transaction basis.

Payment services delivers real-time, end-to-end payment processing, including automated clearing house (“ACH”) and Rapid Funds Transfer products. Our ACH accounts facilitate bill payments and our acquiring accounts provide clearing and settlement services for payments made to merchants which must be settled through networks such as Visa or Mastercard.

Fee income from ACH, card and other payment processing was $21.0 million and $14.6 million for 2025 and 2024, respectively.

5

Sponsored lending, or Fintech loans, consist of short-term loans originated by the Bank, with the marketing and servicing assistance of our partners. Loans receivable originated under fintech agreements are governed by an agreement with the borrower and may include secured credit cards and unsecured short-term extensions of credit. For the secured credit card program, we recognize a loan receivable and a deposit liability for the cash collateral that secures those accounts. Unsecured fintech loans include payroll advance and other short term-extensions of credit, which are typically repaid within a year of origination. As of December 31, 2025, all fintech loans are covered by credit enhancement agreements as discussed further in Item 7, “Management’s Discussion and Analysis—Financial Condition—Total Loan Portfolio—Fintech Programs.”

We began originating significant volumes of fintech loans in the fourth quarter of 2024, and this segment of our total loan portfolio has grown significantly in 2025, to $1.10 billion, or 15% of our total loan portfolio as of December 31, 2025, from $454.4 million, or 7% as of December 31, 2024.

The revenue generated through fintech loan agreements is primarily fee revenue, and not interest income. Fintech fees were $16.6 million and $4.8 million for 2025 and 2024, respectively.

As of December 31, 2025, 91% of our total deposits were sourced from Fintech Solutions business, primarily from Program sponsorship.

Prepaid and debit card gross dollar volume (“GDV”) is one metric used in measuring volume of activity for Fintech Solutions, and was $178.21 billion in 2025, a 17% increase from $152.64 billion in 2024.

Credit Solutions

Our Credit Solutions business offers flexible, specialty credit solutions, focused on developing customized products and programs to meet the needs of our clients.

An overview of our total loan portfolio as of December 31, 2025 follows:

Real estate bridge lending (“REBL”) is $2.26 billion of loans, or 31% of our total loan portfolio, and consists of commercial real estate bridge loans for purchase and rehabilitation of existing multi-family workforce housing properties that have existing cash flow. REBL loans generally have three-year terms with two one-year extension options. These loans are primarily collateralized by apartment buildings, or other commercial real estate, and generally do not have recourse to the borrower (except for carve-outs such as fraud) and, accordingly, generally depend on cash reserves and cash generated by the underlying properties for repayment. As of December 31, 2025 78% of the loans were fixed rate, and 22% were variable rate with monthly adjustment. The weighted average origination date loan-to-value (“LTV”) for the December 31, 2025 REBL portfolio was 71%.

Institutional banking is $1.96 billion of loans, or 27% of our total loan portfolio, and includes lending and banking services to wealth management clients, including securities-backed lines of credit (“SBLOCs”), insurance policy cash value-backed lines of credit (“IBLOCs”), and financing to investment advisors, made for purposes of debt refinance, acquisition of another firm or internal succession. SBLOCs and IBLOCs are collateralized by marketable securities and the cash value of insurance policies, respectively, and are typically offered in conjunction with brokerage accounts. Advisor loans are collateralized by investment advisors’ business franchises. SBLOC and IBLOC loans are variable-rate demand loans and generally reprice monthly, as the prime rate changes. Investment advisor loans generally have seven-year terms with fixed rates.

Small business lending (“SBL”) is $1.01 billion of loans, or 14% of our total loan portfolio, and is comprised primarily of Small Business Administration (“SBA”) loans, including the 7(a) Loan Guarantee Program and the 504 Fixed Asset Financing Program. This segment also includes SBL non-real estate loans that are collateralized by business assets and SBL commercial mortgage and construction loans that are collateralized by real estate for small businesses.

Direct lease financing is $685.4 million of loans, or 9% of our total loan portfolio, and includes our fleet management services business which is primarily vehicle fleet leasing to commercial and government entities, and to a lesser extent other equipment leasing. Terms for leases are generally 36 to 60 months.

In addition to loans under our Credit Solutions business, we have sponsored lending, or Fintech loans. Fintech loans total $1.10 billion, or 15% of our total loan portfolio as of December 31, 2025. See further discussion above under “Fintech Solutions- Sponsored Lending”.

6

The remaining (3%) balance of our loan portfolio consists of deferred loan fees and other loans, which includes warehouse financing related to loan sales to third-party purchasers of real estate bridge loans and certain HELOC and commercial loan legacy products.

The total loan portfolio outlined above includes loans recorded at fair value of $139.4 million as of December 31, 2025 that were originated for sale or securitization through the first quarter of 2020. That portfolio is now held for investment at fair value, and continues to be in runoff. All loan originations now are being recorded as held for investment.

Other Operations

Account Services. Depending upon the product, account holders may access our products through the website or app of our partners, or through our website. This access may allow account holders to apply for loans, review account activity, pay bills electronically, receive statements electronically and print statements.

Third-Party Service Providers. To reduce operating costs and capitalize on the technical capabilities of selected vendors, we outsource certain bank operations and systems to third-party service providers, principally the following:

data processing services, check imaging, loan processing, electronic bill payment and statement rendering;

servicing of prepaid and debit card accounts;

call center customer support, including institutional banking for overflow and after-hours support;

access to automated teller machine (“ATM”) networks;

bank accounting and general ledger system;

data warehousing services; and

certain software development.

Because we outsource these operational functions to experienced third-party service providers with the capacity to process a high volume of transactions, we believe we can more readily and cost-effectively respond to growth than if we sought to develop these capabilities internally. Should any of our current relationships terminate, we believe we could maintain business continuity by securing the required services from an alternative source without material interruption of our operations.

Our Strategies

Our principal strategies are to:

Generate Non-Interest Income from Fintech Solutions Products.

Our principal focus is the growth of our Fintech Solutions business, and related fintech fee income, through growing our program sponsorship balances, growing our product offerings, and expanding our platform. We have steadily grown our fintech loan receivable balance since the fourth quarter of 2024, and we have been growing our gross dollar volume of prepaid and debit card transactions. These efforts have led to a $1.10 billion balance of fintech loans as of December 31, 2025, a 142% increase from $454.4 million as of prior year end. Further, our total fintech fee income has increased to $141.1 million for the year ended December 31, 2025, a 21% increase from $116.8 million for 2024.

Develop New Partner Relationships, and Retain and Grow Existing Relationships.

Our Fintech Solutions business is driven by our relationships with our partners, through which we gain access to an organization’s members, clients and customers under the organization’s sponsorship. We seek to continue to develop these relationships with new organizations with established membership, customer or client bases, as well as maintain and expand our product offerings with current partners.

We believe that marketing targeted products and services to customers through their pre-existing relationships with our partners, we will continue to generate stable and lower cost deposits compared to certain other funding sources, generate and grow fee income and, with respect to private label banking, lower our customer acquisition costs and build close customer relationships.

7

Fund our Loan and Investment Portfolio with Low-Cost, Stable Deposits and Optimize our Balance Sheet Allocation.

We fund our Credit Solutions business through deposits that are primarily sourced from our Fintech Solutions business. This source is primarily comprised of millions of small transaction-based consumer balances which are obtained through and with the assistance of partner relationships. These accounts have an established history of stability and lower cost than certain other types of funding and certain components of our deposits experience seasonality, creating excess liquidity at certain times. We utilize this funding to invest in our assets, primarily our loan and investment portfolios.

We manage our balance sheet to remain under $10 billion in assets to maintain our exemption from regulated limits on interchange fees, among other benefits, under the Durbin Amendment. Failure to do so could adversely impact our revenues and relationships, as certain of our fee-sharing relationship agreements include the right to terminate our agreement in such an event. Our strategies in managing our balance sheets includes balancing our loan and investment portfolio to strategically optimize earnings while supporting the growth of our business. We may utilize a number of strategies to manage the composition of our balance sheet, including deposit sweeps, loan sale and flow sale arrangements, and other off-balance sheet funding strategies.

Use our Robust Infrastructure as a Platform for Continued Innovation and Growth, and Develop AI tools to Increase Efficiency.

Historically, we have made significant investments in our banking platform and infrastructure to support our growth. We continue to invest in our infrastructure, with a focus on investing in automation and AI tools to gain cost efficiency and increase productivity of our people and platform, and redeploying or reducing resources where appropriate. We believe that our infrastructure can accommodate significant additional growth without a proportionate increase in expense. We believe that this infrastructure enables us to maximize efficiencies through economies of scale as we grow without adversely affecting our relationships with our customers.

Competition

We compete with numerous banks and other financial institutions such as finance companies, leasing companies, credit unions, insurance companies, money market funds, investment firms and private lenders, as well as online lenders and other non-traditional competitors. Our primary competitors in each of our business lines differ significantly from those in our other business lines principally because few financial institutions compete against us in all business segments in which we operate. For prepaid and debit card accounts, our largest source of funding and fee income, competitors include banking as a service banks, such as Pathward Financial, Coastal Community, and others. SBLOC competitors include TriState Capital. For SBA loans, our competitors include Live Oak Bank, and for leasing our competitors include Enterprise. For REBL loans, competitors include companies such as Bridge Investment Group. Significant costs of entry in many of the products we offer or markets we compete in include consumer protection compliance, and Bank Secrecy Act (“BSA”) and other regulatory compliance costs, which may impact competition for prepaid and debit card accounts. We believe that our ability to compete successfully depends on a number of factors, including:

our ability to expand our partner relationships;

the scope of our products and services;

the relevance of our products and services to customer needs and the rate at which we and our competitors introduce them;

satisfaction of our customers with our customer service;

our perceived safety as a depository institution, including our size, credit rating, capital strength, earnings strength and regulatory posture;

ease of use of our banking websites and other customer interfaces;

the capacity, reliability and security of our network infrastructure; and

competitors’ interest rates and service fees;

The risks associated with our competitors are more fully discussed in Item 1A, “Risk Factors”.

8

Sales and Marketing

Partner Relationships. Our sales and marketing efforts to existing and potential fintech company partners and other organizations are national in scope. We use a personal sales and targeted media advertising approach to market to these potential business partners. Under our direction, the partners with which we have relationships perform additional sales and marketing functions to the ultimate individual customers. Our marketing program consists of:

direct contact with potential partners by our marketing staff, with relationship managers focusing on particular regional markets;

attending and creating presentations at trade shows and other events for targeted organizations; and

print and digital advertising.

Technology and Cybersecurity

Primary System Architecture. We provide financial products and services through a secure, tiered architecture using commercially available software and with third-party providers whom we believe to be industry leaders. We maintain a platform of web technologies, databases, firewalls, and licensed and proprietary financial services software to support our unique product offerings and to serve our partners, customers, and clients. User activity is distributed across our service offerings, with internally developed software and cloud services, as well as third-party platforms and processors. The goal of our systems design is to service our partner and client requirements efficiently, which has been accomplished using data and service replication between data centers and cloud platforms for our critical applications. The system’s flexible architecture is designed to meet current capacity needs and allow expansion for future demands. In addition to built-in redundancies, we monitor our systems using automated internal tools as well as third-parties for Security and Network Operations Center Services and to validate our controls.

Cybersecurity. We have an established Cybersecurity Program that is mapped to the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, the Center for Internet Security® (“CIS”) Critical Security Controls, and relevant International Organization for Standardization (“ISO”) standards. We also obtain annual Payment Card Industry (“PCI”) certification. Highlights of the program include:

Monitoring and reporting of systems and critical applications;

File access and integrity monitoring and reporting;

Data loss prevention controls;

Threat intelligence;

Detailed vulnerability management;

Regular vulnerability assessments;

A security testing schedule, which includes internal/external penetration testing;

A training and compliance program for staff, including a detailed policy; and

Third-party vendor management.

Intellectual Property and Other Proprietary Rights

We use third-party providers for a significant portion of our core and internet banking systems and operations. Where applicable, we rely principally upon trade secret and trademark law to protect our intellectual property. We do not typically enter into intellectual property-related confidentiality agreements with our partners, because we maintain control over the software used for banking functions rather than licensing them for customers to use. Moreover, we believe that factors such as the relationships we develop with our partners, customers and clients, the quality of our banking products, the level and reliability of the service we provide, and the customization of our products and services to meet the needs of our partners are substantially more significant to our ability to succeed.

9

Human Capital Management

We believe that human capital management is an essential component of our continued growth and success. Key human capital resources and management strategies are described below.

Employees. As of December 31, 2025, we had 733 full-time employees and believe our relationship with our employees to be good. None of our employees are covered by a collective bargaining agreement.

Oversight. Our Chief Human Resources Officer reports directly to the President and Chief Executive Officer (“CEO”) and oversees most aspects of the employee experience, including talent acquisition, learning and development, talent management, inclusion, employee relations, payroll, compensation and benefits.

Talent Acquisition and Development. We aim to attract, develop and retain high-performing talent with a range of backgrounds and experiences who can further our strategic business objectives. To that end, we offer market-competitive compensation and strive to accelerate employees’ professional development through performance management and fostering a learning culture. Our employees work together with their managers to set business and professional development goals, supported by a variety of resources and tools developed to help employees enhance their technical, managerial and leadership skills.

Total Rewards and Employee Well-Being. We are committed to providing competitive benefit programs designed with the everyday needs of our employees and their families in mind. Full-time employees are eligible for healthcare coverage, life and disability coverage, retirement benefits, paid and unpaid leave, employee assistance programs, and tuition reimbursement. These programs offer resources that promote employee well-being in various aspects, including mental, physical, and financial wellness.

Inclusive Work Environment. We strive to maintain an inclusive work culture in which individual differences and experiences are valued, and all employees have the opportunity to contribute and thrive. We believe that leveraging the wide range of perspectives and capabilities will enhance innovation, foster a collaborative work culture and enable us to better serve our customers and communities. We implement strategies and initiatives that promote these values at all levels, such as training, employee resource groups (“ERGs”), and community service activities.

Employee Engagement. We strive to foster and maintain a workplace that offers a positive, inclusive culture for all employees and annual employee engagement surveys are used to gather employee feedback. These survey results are considered in the planning and implementation of employee programs, initiatives, and communications.

Regulation and Supervision

Overview

The Bancorp, Inc. is a Delaware corporation and a financial holding company registered with the Board of Governors of the Federal Reserve System (“Federal Reserve”). The Company maintains its headquarters in Wilmington, Delaware. The Company’s subsidiary, The Bancorp Bank, National Association, is a federally chartered and federally insured commercial bank supervised and examined by the Office of the Comptroller of the Currency (“OCC”) as its primary regulator, and the Federal Deposit Insurance Corporation (“FDIC”), the federal agency that administers the Deposit Insurance Fund (“DIF”).

Both the Company and the Bank are subject to extensive regulation in connection with their respective activities and operations. The regulatory framework by which both the Company and Bank are supervised and examined is complex and dynamic and is designed to protect customers of and depositors in insured depository institutions, the DIF, and the U.S. banking system. This framework includes acts of the U.S. Congress (“Congress”), regulations, policy statements and guidance, and other interpretative materials that define the obligations and requirements for entities participating in the U.S. banking system. Moreover, regulation of holding companies and their subsidiaries is subject to continual revision, both through statutory changes and corresponding regulatory revisions as well as through evolving supervisory objectives of applicable banking agencies that supervise the Company and the Bank.

The requirements and restrictions under federal and state laws to which the Bank is subject include restrictions on the types and amounts of loans that may be made and the interest that may be charged, and limitations on the types of investments that may be made and the types of services that may be offered. Various consumer laws and regulations also affect the Bank’s operations. Any change in the regulatory requirements and policies by the OCC, the Federal Reserve, other federal regulatory agencies, Congress, or the states in which we operate or where our customers reside, could have a material adverse impact on the Company, the Bank, and our operations.

10

In addition to regulation and supervision by the Federal Reserve Bank (“FRB”), the Company is a reporting company under the Securities Exchange Act of 1934, as amended (“Exchange Act”), and is required to file reports with the Securities and Exchange Commission (“SEC”) and otherwise comply with federal securities laws.

Set forth below is a summary of certain regulatory requirements applicable to the Company and the Bank. Descriptions of statutes and regulations in this summary are not intended to be complete explanations of such statutes and regulations, or their effects on the Bank or the Company, and are qualified in their entirety by reference to the actual statutes and regulations. While we continue to have a compliance framework in place to comply with both existing and proposed rules and regulations, it is possible that the existing regulatory framework may be amended, which amendments could have a positive or negative impact on our business, financial condition, results of operations and prospects.

Federal Regulation

As a financial holding company, the Company is subject to regular examination by the Federal Reserve and must file quarterly reports and provide any additional information the Federal Reserve may request. Under the Bank Holding Company Act of 1956, as amended (the “BHCA”), a financial holding company may not directly or indirectly acquire ownership or control of more than 5% of the voting shares or substantially all of the assets of any bank, or merge or consolidate with another financial holding company, without prior approval of the Federal Reserve.

Permitted Activities. The BHCA generally limits the activities of a financial holding company and its subsidiaries to that of banking, managing or controlling banks, or any other activity that is determined to be so closely related to banking or to managing or controlling banks that an exception is allowed for those activities.

Change in Control. Additionally, under the Change in Bank Control Act and the BHCA, a person or company that acquires control of a bank holding company or bank must obtain the non-objection or approval of the Federal Reserve in advance of the acquisition. For a publicly-traded bank holding company such as The Bancorp, Inc., control for purposes of the Change in Bank Control Act is presumed to exist if the acquirer will have 10% or more of any class of the company’s voting securities.

Limitations on Company Dividends. It is the policy of the Federal Reserve that financial holding companies should pay cash dividends on common stock only out of income available over the past year and only if prospective earnings retention is consistent with the organization’s expected future needs and financial condition. The policy provides that financial holding companies should not maintain a level of cash dividends that undermines the financial holding company’s ability to serve as a source of strength to its banking subsidiaries. See “Holding Company Liability” below. Federal Reserve policies also affect the ability of a financial holding company to pay in-kind dividends.

Limitations on Bank Dividends. Various federal provisions limit the amount of dividends that subsidiary banks can pay to their holding companies without regulatory approval. Without the prior approval of the OCC, a dividend may not be paid if the total of all dividends declared by a bank in any calendar year is in excess of the current year’s net income combined with the retained net income of the two preceding years. Additionally, a dividend may not be paid in excess of a bank’s retained earnings. Moreover, an insured depository institution may not pay a dividend if the payment would cause it to be less than “adequately capitalized” under the prompt corrective action framework or if the institution is in default in the payment of an assessment due to the FDIC. Similarly, under other regulatory capital rules, a banking organization that fails to satisfy the minimum capital conservation buffer requirement will be subject to certain limitations, which include restrictions on capital distributions. Additionally, regulators are authorized to prohibit a banking subsidiary or financial holding company from engaging in unsafe or unsound banking practices. Depending upon the circumstances, agencies could take the position that paying a dividend would constitute an unsafe or unsound banking practice.

Because the Company is a legal entity separate and distinct from the Bank, its rights to participate in the distribution of assets of the Bank, or any other subsidiary, upon the Bank’s or the subsidiary’s liquidation or reorganization will be subject to the prior claims of the Bank’s or subsidiary’s creditors. In the event of liquidation or other resolution of an insured depository institution, the claims of depositors and other general or subordinated creditors have priority of payment over the claims of holders of any obligation of the institution’s holding company or any of the holding company’s shareholders or creditors.

Holding Company Liability. Under Federal Reserve policy as codified by the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”), a financial holding company is expected to act as a source of financial strength to each of its banking subsidiaries. Under this requirement, the Company is expected to commit resources to support the Bank, including at times when it may not be in a financial position to provide such resources. As discussed below under “Prompt Corrective Action” a financial holding company in certain circumstances could be required to guarantee the capital plan of an undercapitalized banking subsidiary.

11

Capital Adequacy. The Federal Reserve and OCC have issued standards for measuring capital adequacy for financial holding companies and banks that are designed to provide risk-based capital guidelines and to incorporate a consistent framework. The risk-based guidelines are used by the agencies in their examination and supervisory process, as well as in the analysis of any bank regulatory applications. As discussed below under “Prompt Corrective Action” a failure to meet minimum capital requirements could subject the Company or the Bank to a variety of enforcement remedies available to federal regulatory authorities, including, in the most severe cases, termination of deposit insurance by the FDIC and placing the Bank into conservatorship or receivership.

In general, these risk-related standards require banks and financial holding companies to maintain capital based on “risk-adjusted” assets so that the categories of assets with potentially higher credit risks will require more capital backing than categories with lower credit risk. In addition, banks and financial holding companies are required to maintain capital to support off-balance sheet activities such as loan commitments.

The risk-related standards classify capital into two tiers, referred to as Tier 1 and Tier 2. Together, these two categories of capital comprise a bank’s or financial holding company’s “qualifying total capital.” However, capital that qualifies as Tier 2 capital is limited in amount to 100% of Tier 1 capital in testing compliance with the total risk-based capital minimum standards. Banks and financial holding companies must have a minimum ratio of 8% of qualifying total capital to total risk-weighted assets, and a minimum ratio of 4% of qualifying Tier 1 capital to total risk-weighted assets. At December 31, 2025, the Company and the Bank had total capital to risk-adjusted assets ratios of 12.19% and 15.13%, respectively, and Tier 1 capital to risk-adjusted assets ratios of 11.08% and 14.03%, respectively.

In addition, the Federal Reserve and the OCC have established minimum leverage ratio guidelines to supplement the risk-based capital guidelines. The principal objective of these guidelines is to constrain the maximum degree to which a financial institution can leverage its equity capital base. These guidelines provide for a minimum ratio of Tier 1 capital to adjusted average total assets of 3% for financial holding companies that meet certain specified criteria, including those having the highest regulatory rating. Other financial institutions generally must maintain a leverage ratio of at least 3% plus 100 to 200 basis points. However, banks under $10 billion in assets typically maintain a Tier 1 capital to adjusted average total assets ratio exceeding 8%. Currently, the Bank’s internal guidelines suggest a ratio of 9%. The regulatory guidelines also provide that financial institutions experiencing internal growth or making acquisitions will be expected to maintain strong capital positions substantially above minimum supervisory levels, without significant reliance on intangible assets. Furthermore, the banking agencies have indicated that they may consider other indicia of capital strength in evaluating proposals for expansion or new activities. At December 31, 2025, the Company and the Bank had leverage ratios of 7.64% and 9.70%, respectively.

The federal banking agencies’ standards provide that concentration of credit risk and certain risks arising from non-traditional activities, as well as an institution’s ability to manage these risks, are important factors when assessing a financial institution’s overall capital adequacy. The risk-based capital standards also provide for the consideration of interest rate risk in the determination of a financial institution’s capital adequacy, which requires financial institutions to effectively measure and monitor their interest rate risk and to maintain capital adequate for that risk.

Dodd-Frank also includes provisions referred to as the “Collins Amendment,” which subject bank holding companies to the same capital requirements as their bank subsidiaries and eliminate or significantly reduce the use of hybrid capital instruments, especially trust preferred securities, as regulatory capital. Under the Collins Amendment, trust preferred securities issued by a company, such as our Company, with total consolidated assets of less than $15 billion before May 19, 2010 and treated as regulatory capital were grandfathered, but any such securities issued later are not eligible as regulatory capital. The Company’s $13.4 million of outstanding trust preferred securities qualified as Tier 1 capital under this grandfathering.

Basel III Capital Rules. The federal banking agencies have adopted rules, referred to as the Basel III rules, which implement the Basel Committee on Banking Supervision’s December 2010 final capital framework for strengthening international capital standards. The Basel III rules, among other things: (i) introduced a new capital measure called “Common Equity Tier 1” (“CET1”) and related regulatory capital ratio of CET1 to risk-weighted assets; (ii) specified that Tier 1 capital consists of CET1 and “Additional Tier 1 capital” instruments meeting certain revised requirements; (iii) mandated that most deductions/adjustments to regulatory capital measures be made to CET1 and not to the other components of capital; and (iv) expanded the scope of the deductions from and adjustments to capital as compared to existing regulations. Under the Basel III rules, for most banking organizations, the most common form of Additional Tier 1 capital is non-cumulative perpetual preferred stock and the most common form of Tier 2 capital is subordinated notes and a portion of the allocation for loan and lease losses, in each case, subject to the specific requirements of the Basel III rules.

12

Minimum capital ratios in effect at December 31, 2025 were as follows:

4.5% CET1 to risk-weighted assets;

6.0% Tier 1 capital (that is, CET1 plus Additional Tier 1 capital) to risk-weighted assets;

8.0% Total capital (that is, Tier 1 capital plus Tier 2 capital) to risk-weighted assets; and

4.0% Tier 1 capital to average consolidated assets as reported on consolidated financial statements (known as the “leverage ratio”).

The Basel III rules also introduced a new “capital conservation buffer,” composed entirely of CET1, on top of the minimum risk-weighted asset ratios. The capital conservation buffer was designed to absorb losses during periods of economic stress. Banking institutions with a ratio of CET1 to risk-weighted assets above the minimum but below the capital conservation buffer face constraints on dividends, equity repurchases, and compensation based on the amount of the shortfall. Thus, the Company and the Bank are required to maintain an additional capital conservation buffer of 2.5% of CET1, effectively resulting in minimum ratios of (i) CET1 to risk-weighted assets of at least 7%, (ii) Tier 1 capital to risk-weighted assets of at least 8.5%, and (iii) Total capital to risk-weighted assets of at least 10.5%.

The Basel III rules provide for a number of deductions from and adjustments to CET1. These include, for example, the requirement that deferred tax assets arising from temporary differences that could not be realized through net operating loss carrybacks and significant investments in non-consolidated financial entities be deducted from CET1 to the extent that any one such category exceeds 10% if CET1 or all such items, in the aggregate, exceed 15% of CET1.

With respect to the Bank, the Basel III rules revised the “prompt corrective action” (“PCA”) regulations adopted pursuant to Section 38 of the Federal Deposit Insurance Act (the “FDIA”), by: (i) introducing a CET1 ratio requirement at each PCA category (other than critically undercapitalized), with the required CET1 ratio being 6.5% for well-capitalized status; (ii) increasing the minimum Tier 1 capital ratio requirement for each category, with the minimum Tier 1 capital ratio for well-capitalized status being 8% (as compared to the current 6%); and (iii) eliminating the provision that a bank with a composite supervisory rating of 1 may have a 3% leverage ratio and still be adequately capitalized. The Basel III rules did not change the total risk-based capital requirement for any PCA category.

The Basel III rules prescribe a standardized approach for risk weightings that expanded the risk-weighting categories from four Basel I-derived categories (0%, 20%, 50% and 100%) to a larger and more risk-sensitive number of categories, depending on the nature of the assets, generally ranging from 0% for U.S. government and agency securities, to 600% for certain equity exposures resulting in higher risk weights for a variety of asset classes.

As of December 31, 2025, we were in compliance with the Basel III rules. We remain in compliance with such rules and believe the Company and the Bank will continue to be able to meet targeted capital ratios. Actual ratios as of December 31, 2025 are shown in the following paragraph.

Prompt Corrective Action. Federal banking agencies must take prompt supervisory and regulatory actions against undercapitalized depository institutions pursuant to the PCA provisions of the FDIA. Depository institutions are assigned one of five capital categories – “well capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized,” and “critically undercapitalized” – and are subject to different regulation corresponding to the capital category within which the institution falls. Under certain circumstances, a well capitalized, adequately capitalized, or undercapitalized institution may be treated as if the institution were in the next lower capital category. As described in Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations –Capital Resources,” an institution is deemed well capitalized if it has a total risk-based capital ratio of at least 10.00%, a Tier 1 risk-based capital ratio of at least 6.50%, and a leverage ratio of at least 5.00%. An institution is adequately capitalized if it has a total risk-based capital ratio of at least 8.00%, a Tier 1 risk-based capital ratio of at least 4.50%, and a leverage ratio of at least 4.00%. At December 31, 2025, the Company’s total risk-based capital ratio was 12.19%, Tier 1 risk-based capital ratio was 11.08%, and leverage ratio was 7.64% while the Bank’s ratios were 15.13%, 14.03% and 9.70%, respectively and, accordingly, both the Company and the Bank were well capitalized within the meaning of applicable regulations. A depository institution is generally prohibited from making capital distributions (including paying dividends) or paying management fees to a holding company if the institution would thereafter be undercapitalized.

As a result of Dodd-Frank, our financial holding company status depends upon our maintaining our status as “well capitalized” and “well managed” under applicable Federal Reserve regulations. Should a financial holding company cease meeting these requirements,

13

the Federal Reserve may impose corrective capital and managerial requirements on the financial holding company and place limitations on its ability to conduct the broader financial activities permissible for financial holding companies. In addition, the Federal Reserve may require divestiture of the holding company’s depository institution if the deficiencies persist.

Brokered Deposits. A “brokered deposit” is any deposit that is obtained from or through the mediation or assistance of a deposit broker. Prior to June 30, 2021, the majority of the Bank’s deposits were classified as brokered, because related accounts, primarily prepaid and debit card deposit accounts, are obtained with the assistance of third-parties. In December 2020, the FDIC issued a regulation which resulted in the reclassification of the majority of the Bank’s deposits from brokered to non-brokered, which generally resulted in a reduction of FDIC insurance expense rates. See “Insurance of Deposit Accounts” below. These designations are subject to the FDIC’s ongoing assessment and there can be no assurance that such classifications will be permanent.

Adequately capitalized institutions cannot accept, renew or roll over brokered deposits, except with a waiver from the FDIC, and are subject to restrictions on the interest rates that can be paid on such deposits. Undercapitalized institutions may not accept, renew, or roll over brokered deposits.

Insurance of Deposit Accounts. The Bank’s deposits are insured to the maximum extent permitted by the DIF. Dodd-Frank permanently increased the maximum amount of deposit insurance to $250,000 per depositor, per insured institution for each account ownership category. FDIC insurance is backed by the full faith and credit of the United States government.

As the insurer, the FDIC is authorized to conduct examinations of, and to require reporting by, FDIC-insured institutions. The FDIC also may prohibit any FDIC-insured institution from engaging in any activity the FDIC determines by regulation or order to pose a serious threat to the DIF. The FDIC also has the authority to initiate enforcement actions against banks.

The FDIC has implemented a risk-based assessment system under which FDIC-insured depository institutions pay annual premiums at rates based on their risk classification. A bank’s risk classification is based on its capital levels and the level of supervisory concern the bank poses to the regulators. Institutions assigned to higher risk classifications pay assessments at higher rates than institutions that pose a lower risk. A decrease in the Bank’s capital ratios or the occurrence of events that have an adverse effect on the Bank’s asset quality, management, earnings, liquidity or sensitivity to market risk could result in a substantial increase in deposit insurance premiums paid by the Bank, which would adversely affect earnings. In addition, the FDIC can impose special assessments in certain instances. The range of assessments in the risk-based system is a function of the reserve ratio in the DIF. Each insured institution is assigned to one of four risk categories based on supervisory evaluations, regulatory capital levels and certain other factors and its assessment rate depends upon the category to which it is assigned. Unlike the other categories, Risk Category I contains further risk differentiation based on the FDIC’s analysis of financial ratios, examination component ratings and other information. Assessment rates are determined by the FDIC and, including potential adjustments to reflect an institution’s risk profile, currently range from five to nine basis points for the healthiest institutions (Risk Category I) to 35 basis points of assessable liabilities for the riskiest (Risk Category IV). Rates may be increased an additional ten basis points depending on the amount of brokered deposits utilized. The above-referenced rates apply to institutions with assets under $10 billion. Other rates apply for larger or “highly complex” institutions. The FDIC may adjust rates uniformly from one quarter to the next, except that no single adjustment can exceed three basis points. At December 31, 2025, the Bank’s DIF assessment rate was 5.96 basis points, subject to increase at any time in the future.

Pursuant to Dodd-Frank, the FDIC has established 2.0% as the designated reserve ratio (“DRR”), or the ratio of the DIF to insured deposits of the total industry. In 2022, the FDIC projected that the DRR was at risk of not reaching the statutory minimum of 1.35% by the statutory deadline of September 30, 2028 and, based on this update, increased the initial base deposit insurance assessment rate schedules applicable to all insured depository institutions uniformly by 2 basis points. The increase was effective as of January 1, 2023 and applicable to the first quarterly assessment period of 2023 (i.e., January 1 through March 31, 2023).

Loans-to-One Borrower. Generally, a bank may not make a loan or extend credit to a single or related group of borrowers in excess of 15% of its unimpaired capital and surplus. At December 31, 2025, the Bank’s limit on loans to one borrower was $138.9 million. An additional amount may be lent, equal to 10% of unimpaired capital and surplus, if such loan is secured by marketable securities.

Transactions with Affiliates and other Related Parties. There are various legal restrictions on the extent to which a financial holding company and its non-bank subsidiaries can borrow or otherwise obtain credit from banking subsidiaries or engage in other transactions with or involving those banking subsidiaries. The Bank’s authority to engage in transactions with related parties or “affiliates” (that is, any entity that controls, is controlled by or is under common control with an institution, including the Company and our non-bank subsidiaries) is limited by Sections 23A and 23B of the Federal Reserve Act (the “FRA”) and Regulation W promulgated thereunder. Section 23A restricts the aggregate amount of covered transactions with any individual affiliate to 10% of the Bank’s capital and surplus. At December 31, 2025, the Company was not indebted to the Bank. The aggregate amount of covered transactions with all affiliates is

14

limited to 20% of the Bank’s capital and surplus. Certain transactions with affiliates are required to be secured by collateral in an amount and of a type described in Section 23A and the purchase of low-quality assets from affiliates are generally prohibited. Section 23B generally provides that certain transactions with affiliates, including loans and asset purchases, must be on terms and under circumstances, including credit standards, that are substantially the same or at least as favorable to the institution as those prevailing at the time for comparable transactions with non-affiliated companies.

Dodd-Frank generally enhanced the restrictions on transactions with affiliates under Sections 23A and 23B of the FRA, including an expansion of the definition of “covered transactions” and an increase in the amount of time for which collateral requirements regarding covered credit transactions must be satisfied. Insider transaction limitations were expanded through the strengthening of loan restrictions to insiders and the expansion of the types of transactions subject to the various limits, including derivatives transactions, repurchase agreements, reverse repurchase agreements and securities lending or borrowing transactions. Restrictions were also placed on certain assets sales to and from an insider to an institution including requirements that such sales be on market terms and, in certain circumstances, approved by the institution’s board of directors.

The Bank’s authority to extend credit to its directors, executive officers and 10% shareholders, as well as to entities controlled by such persons, is governed by the requirements of Sections 22(g) and 22(h) of the FRA and Regulation O of the Federal Reserve. Among other things, these provisions require that extensions of credit to insiders: (i) be made on terms that are substantially the same as, and follow credit underwriting procedures that are not less stringent than, those prevailing for comparable transactions with unaffiliated persons and that do not involve more than the normal risk of repayment or present other unfavorable features; and (ii) not exceed certain limitations on the amount of credit extended to such persons, individually and in the aggregate, which limits are based, in part, on the amount of the Bank’s capital. In addition, extensions of credit in excess of certain limits must be approved by the Bank’s Board of Directors. At December 31, 2025 and 2024, loans to these related parties amounted to $4.8 million and $6.9 million, respectively.

Standards for Safety and Soundness. The FDIA requires each federal banking agency to prescribe for all insured depository institutions standards relating to, among other things, internal controls, information and audit systems, loan documentation, credit underwriting, interest rate risk exposure, asset growth, compensation, fees, benefits and such other operational and managerial standards as the agency deems appropriate. The federal banking agencies have adopted final regulations and interagency guidelines to implement these safety and soundness standards. The guidelines set forth the safety and soundness standards that the federal banking agencies use to identify and address problems at insured depository institutions before capital becomes impaired. If the appropriate federal banking agency determines an institution fails to meet any standard prescribed by the guidelines, the agency may require the institution to submit to the agency an acceptable plan to achieve compliance with the standard.

Privacy and Information Security. Financial institutions are required to disclose their policies for collecting and protecting confidential information. Customers generally may prevent financial institutions from sharing nonpublic personal financial information with nonaffiliated third-parties except under narrow circumstances, such as the processing of transactions requested by the consumer or when the financial institution is jointly sponsoring a product or service with a nonaffiliated third-party. Additionally, financial institutions generally may not disclose consumer account numbers to any nonaffiliated third-party for use in telemarketing, direct mail marketing or other marketing to consumers. The Bank has adopted privacy standards that we believe will satisfy regulatory scrutiny and communicates its privacy practices to its customers through privacy disclosures designed in a manner consistent with recommended model forms. The Gramm-Leach-Bliley Act (the “GLBA”) and other laws require us to implement a comprehensive information security program that includes administrative, technical, and physical safeguards to provide for the security and confidentiality of customer records and information. As a result, we have implemented and continue to assess and improve our security and privacy policies and procedures to protect personal and confidential information.

Data privacy and data protection are areas of increasing regulatory focus, particularly at the state level. For instance, the California Consumer Privacy Act of 2018 (as modified by the California Privacy Rights Act, the “CCPA”) gives California consumers each of the following rights, among other things: to request disclosure of information collected about them and be informed about whether such information has been sold or shared; to request deletion of personal information (subject to certain exceptions); to opt out of the sale of such consumer’s personal information; and to not be discriminated against for having exercised the foregoing rights. The CCPA contains several exemptions, including an exemption applicable to information that is collected, processed, sold or disclosed pursuant to GLBA. Other states have implemented, or are considering implementing, similar legislation. We believe that the Company is taking the necessary steps to comply with these evolving laws where applicable.

Fair and Accurate Credit Transactions Act of 2003. The Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”) provides consumers with the ability to restrict companies from using certain information obtained from affiliates to make marketing solicitations. In general, a person is prohibited from using information received from an affiliate to make a solicitation for marketing purposes to a consumer, unless the consumer is given notice and had a reasonable opportunity to opt out of such solicitations. The rule permits opt-

15

out notices to be given by any affiliate that has a pre-existing business relationship with the consumer and permits a joint notice from two or more affiliates. Moreover, such notice would not be applicable if the company using the information has a pre-existing business relationship with the consumer. This notice may be combined with other required disclosures, including notices required under other applicable privacy provisions.

Section 315 of the FACT Act requires each financial institution or creditor to develop and implement a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. In accordance with this rule, the Bank adopted such a program.

Cybersecurity. The federal banking regulators regularly issue guidance regarding cybersecurity that is intended to enhance cyber risk management among financial institutions. A financial institution is expected to establish lines of defense and to ensure that its risk management processes address the risk posed by potential threats to the institution. A financial institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption, and maintenance of the institution’s operations after a cyberattack. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations if the institution or its critical service providers fall victim to a cyberattack.

Pursuant to a joint final rule issued by the federal banking agencies that became effective in May 2022, a banking organization must notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred. Notification is required for incidents that have materially affected—or are reasonably likely to materially affect—the viability of a banking organization's operations, its ability to deliver banking products and services, or the stability of the financial sector. The final rule also requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours. In addition, certain state laws could potentially impact the Bank’s operations, including those related to applicable notification requirements when computer-security incidents or unauthorized access to customers’ nonpublic personal information have occurred.

See Item 1A, “Risk Factors”, for a further discussion of risks related to cybersecurity and Item 1C. Cybersecurity for a further discussion of risk management strategies and governance processes related to cybersecurity.

Anti-Money Laundering, Sanctions, and Related Regulations. The BSA requires the Bank to implement a risk-based compliance program in order to protect the Bank from being used as a conduit for financial or other illicit crimes including but not limited to money laundering and terrorist financing. These rules are administered by the Financial Crimes Enforcement Network, (“FinCEN”), a bureau of the U.S. Department of the Treasury. Under the law, the Bank must have a written BSA/Anti-Money Laundering (“AML”) program which has been approved by the board of directors and contains the following key requirements: (1) appointment of responsible persons to manage the program, including a BSA Officer; (2) ongoing training of all appropriate Bank staff and management on BSA-AML compliance; (3) development of a system of internal controls (including appropriate policies, procedures and processes); and (4) required independent testing to ensure effective implementation of the program and appropriate compliance. Under BSA regulations, the Bank is subject to various reporting requirements such as currency transaction reporting, monitoring of customer activity and transactions and filing a suspicious activity report when warranted. The BSA also contains numerous recordkeeping requirements.

USA PATRIOT Act. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the “USA PATRIOT Act”) expanded provisions of the BSA, criminalized the financing of terrorism and augmented the existing BSA framework by strengthening customer identification procedures, requiring financial institutions to implement a written customer identification program, have due diligence procedures, including enhanced due diligence procedures and, most significantly, improving information sharing between financial institutions and the U.S. government. In January 2021, the Anti-Money Laundering Act of 2020 ("AMLA") was enacted, amending the Bank Secrecy Act ("BSA").The AMLA was intended to comprehensively reform and modernize U.S. bank secrecy and anti-money laundering laws, to include goals of preventing money laundering, terrorism financing, tax evasion and fraud. impacting our operations. Key provisions include the codification of a risk-based approach to anti-money laundering compliance, the requirement for the U.S. Department of the Treasury to establish priorities for anti-money laundering policies, and the development of standards for testing technology and internal processes related to BSA compliance. Additionally, the AMLA imposed ultimate beneficial ownership reporting requirements via corporate transparency requirements, subject to multiple categories of exemptions. In June 2021, the Financial Crimes Enforcement Network ("FinCEN") issued priorities for anti-money laundering and countering the financing of terrorism policy as mandated by AMLA. These national priorities, including corruption, cybercrime, terrorist financing, fraud, transnational crime, drug trafficking, human trafficking, and proliferation financing, guide our compliance efforts. Certain statutory provisions in the AMLA are expected to require additional rulemakings, reports and other measures by FinCEN, and the impact of the AMLA will depend on, among other things, rulemaking and implementation guidance.

16

The Company has implemented the required customer identification program and the other required elements of these laws and related regulations.

Under the USA PATRIOT Act, FinCEN can send bank regulatory agencies lists of the names of persons suspected of involvement in terrorist activities or money laundering. The Bank must search its records for any relationships or transactions with persons on those lists and, if it finds any such relationships or transactions, must report specific information to FinCEN and implement other internal compliance procedures in accordance with the Bank’s BSA/AML compliance procedures.

Office of Foreign Assets Control. The Office of Foreign Assets Control (“OFAC”), a division of the U.S. Department of the Treasury, administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. OFAC maintains lists of names of persons and organizations suspected of aiding, harboring or engaging in terrorist acts, as well as sanctions programs for certain countries. If the Bank finds a name on any transaction, account or wire transfer that is on an OFAC list or is otherwise asked to facilitate a transaction prohibited under a government sanctions program, the Bank must freeze or block such account or reject a transaction, and perform additional procedures as required by OFAC regulations. The Bank filters its customer base and transactional activity against OFAC-issued lists. The Bank performs these checks using purpose directed software, which is updated each time a modification is made to the lists provided by OFAC and other agencies.

Unfair or Deceptive or Abusive Acts or Practices. Section 5 of the Federal Trade Commission Act prohibits all persons, including financial institutions, from engaging in any unfair or deceptive acts or practices in or affecting commerce. Dodd-Frank codified this prohibition and expanded it even further by prohibiting abusive practices. These prohibitions, commonly referred to as “UDAAP,” apply to all areas of the Bank’s operations, including its marketing and advertising practices, product features, account agreements terms and conditions, operational practices, and the conduct of third-parties with whom the Bank may partner or on whom the Bank may rely in bringing Bank products and services to the marketplace.

Other Consumer Protection-Related Laws and Regulations. The Bank is subject to a wide range of consumer protection laws and regulations which may have an enterprise-wide impact or may principally govern its lending or deposit operations. To the extent the Bank engages third-party service providers in any aspect of its products and services, the third-parties may also be subject to compliance with applicable law and must therefore be subject to Bank oversight.

The Bank is subject to numerous federal consumer protection laws related to its lending activities, including but not limited to: (1) the Truth in Lending Act, governing disclosures of credit terms to consumer borrowers; (2) the Home Mortgage Disclosure Act of 1975, requiring financial institutions to provide information to enable the public and public officials to determine whether a financial institution is fulfilling its obligation to help meet the housing needs of the community it serves; (3) the Equal Credit Opportunity Act, prohibiting discrimination on the basis of race, creed or other prohibited factors in extending credit; (4) the Fair Credit Reporting Act of 1978, as amended by the Fair and Accurate Credit Transactions Act, governing the use and provision of information to credit reporting agencies, certain identity theft protections and certain credit and other disclosures; (5) the Fair Debt Collection Practices Act, governing the manner in which consumer debts may be collected by collection agencies; (6) the Home Ownership and Equity Protection Act prohibiting unfair, abusive or deceptive home mortgage lending practices, restricting mortgage lending activities and providing advertising and mortgage disclosure standards; (7) the Service Members Civil Relief Act, postponing or suspending some civil obligations of service members during periods of transition, deployment and other times; and (8) related rules and regulations of the various federal agencies charged with implementing these federal laws. In addition, interest and other charges collected or contracted for by the Bank will be subject to state usury laws and federal laws concerning interest rates.

Deposit-related activities of the Bank are also subject to various consumer protection laws, including but not limited to: (1) the Truth in Savings Act, which imposes disclosure obligations to enable consumers to make informed decisions about accounts at depository institutions; (2) the Right to Financial Privacy Act, which imposes a duty to maintain confidentiality of consumer financial records and prescribes procedures for complying with administrative subpoenas of financial records; (3) the Expedited Funds Availability Act, which establishes standards related to when financial institutions must make various deposit items available for withdrawal, and requires depository institutions to disclose their availability policies to their depositors; (4) the Electronic Fund Transfer Act, which governs electronic fund transfers to and withdrawals from deposit accounts and customers’ rights and liabilities arising from the use of ATMs and other electronic banking services as well as the process for reporting and investigating errors; and (5) related rules and regulations of various federal agencies charged with implementing these federal laws.

Prepaid Account Rule Amending Regulation E and Regulation Z. The Consumer Financial Protection Bureau (“CFPB”) has adopted amendments to Regulation E and Regulation Z to add protections for prepaid accounts (the “Prepaid Rule”). The Prepaid Rule includes a significant number of changes to the regulatory framework for prepaid products, some of which include: (1) establishment of a

17

definition of “prepaid account” within Regulation E to include reloadable and non-reloadable physical cards, as well as codes or other devices; (2) modification of Regulation E to require prescribed disclosures be provided to the consumer; (3) extending to prepaid accounts the periodic transaction history and statement requirements of Regulation E applicable to payroll and federal government benefit accounts; (4) extending the error resolution and limited liability provisions of Regulation E applicable to payroll cards to registered network branded prepaid cards; (5) requiring financial institutions to post prepaid account agreements to the issuers’ websites and to submit them to the CFPB; (6) extending Regulation Z’s credit card rules and disclosure requirements to prepaid accounts providing overdraft protection and other credit features; (7) requiring a prepaid account holder’s consent prior to adding overdraft services or other credit features and prohibiting an issuer from adding such services or features for at least 30 calendar days after the consumer registers the prepaid account; and (8) prohibiting application of different terms and conditions, such as charging different fees, to a prepaid account depending on whether the consumer elects to link the prepaid account to overdraft services or other credit features. The Bank has evaluated the impact of the Prepaid Rule on its operations and its third-party relationships and established internal processes accordingly.

Community Reinvestment Act. Under the Community Reinvestment Act of 1977 (“CRA”), a federally-insured institution has a continuing and affirmative obligation to help meet the credit needs of its community, including low-and moderate-income neighborhoods, consistent with the safe and sound operation of the institution. The CRA requires financial institutions to delineate one or more assessment areas within which the regulator evaluates the bank’s record of helping to meet the credit needs of its community. The CRA further requires that a record be kept of whether a financial institution meets its community’s credit needs, which record will be considered when evaluating applications for, among other things, domestic branches and mergers and acquisitions. The regulations promulgated pursuant to the CRA contain three tests which are part of the traditional CRA evaluation. As an alternative to the traditional evaluation tests, the CRA permits a financial institution to develop its own strategic plan with specific goals for CRA compliance and related performance ratings. If its strategic plan is approved by its regulator, the financial institution’s CRA ratings will be applied based on its performance under the strategic plan.

The Bank operates its CRA program under a strategic plan approved by its regulator. The current strategic plan covers the period of January 1, 2026 through December 31, 2030 and was approved by the OCC on December 19, 2025. The Bank continues to closely monitor its performance in alignment with the strategic plan to meet the lending, service and investment requirements it contains. Additionally, the Bank was assigned a “Satisfactory” CRA rating in its most recent CRA performance evaluation, which was completed in February 2023.

Enforcement. Under the FDIA, federal banking regulators have authority to bring actions against a bank and all affiliated parties, including stockholders, attorneys, appraisers and accountants, who knowingly or recklessly participate in wrongful actions likely to have an adverse effect on the Bank. Formal enforcement action may range from the issuance of a capital directive or cease and desist order, to removal of officers and/or directors, to the institution of receivership or conservatorship proceedings, or termination of deposit insurance. Civil money penalties cover a wide range of violations and can be assessed on a per-day basis, with substantially higher amounts in egregious cases. Federal law also establishes criminal penalties for certain violations.

Reserve Requirements. Federal Reserve regulations require banks to maintain reserves against their demand deposits, with lesser reserves on limited transaction accounts, after subtraction of exempted amounts. For 2025, the exemptions for demand deposits and limited transaction accounts were, respectively, $37.8 million and $645.8 million. At December 31, 2025, the Bank had $104.6 million in cash and balances at the Federal Reserve. While legal statutes require recalculation of these exemptions annually, the Federal Reserve, as a result of the COVID-19 pandemic, waived reserve requirements and has not reinstated them through December 31, 2025. We believe we have sufficient sources of liquidity to offset the impact of reserve requirements if or when they are reinstated.

Dodd-Frank. Enacted in 2010, Dodd-Frank implemented far-reaching changes across the financial regulatory landscape in the United States. Since its enactment, banks and financial services firms have experienced enhanced regulation and oversight. Certain Dodd-Frank provisions directly impacting the Company or the Bank included: (1) creation of the CFPB which was given broad rulemaking, supervision and enforcement authority for a wide range of consumer protection laws applicable to all banks and certain others, and examination and enforcement powers with respect to any bank with more than $10 billion in assets; (2) restriction of the preemption of state consumer financial protection law by federal law, and disallowing subsidiaries and affiliates of national banks from availing themselves of such preemption; (3) requiring new capital rules and application of the same leverage and risk-based capital requirements that apply to insured depository institutions to most bank holding companies; changing the assessment base for federal deposit insurance from the amount of insured deposits to consolidated average assets less tangible capital, increasing the minimum DRR from 1.15% to 1.35%, and requiring the FDIC, in setting assessments, to offset the effect of the increase on institutions with assets of less than $10 billion; see “Capital Adequacy,” “Basel III Capital Rules,” and “Prompt Corrective Action” above; (4) requiring all bank holding companies to serve as a source of financial strength to their depository institution subsidiaries in the event such subsidiaries suffer from financial distress; see “Holding Company Liability,” “Capital Adequacy,” and “Prompt Corrective Action” above; (5) providing new

18

disclosure and other requirements relating to executive compensation and corporate governance, including guidelines or regulations on incentive-based compensation and a prohibition on compensation arrangements that encourage inappropriate risks or that could provide excessive compensation; see “Federal Regulatory Guidance on Incentive Compensation” below for details; (6) repeal of the federal prohibitions on the payment of interest on demand deposits, thereby permitting depository institutions to pay interest on business transaction and other accounts; (7) provisions in what is known as the Durbin Amendment designed to restrict interchange fees for certain debit card issuers and limiting the ability of networks and issuers to restrict debit card transaction routing; see “Regulation II” below; (8) increasing the authority of the Federal Reserve to examine holding companies and their non-bank subsidiaries; and (9) restricting proprietary trading by banks, bank holding companies and others, and their acquisition and retention of ownership interests in and sponsorship of hedge funds and private equity funds. This restriction is commonly referred to as the “Volcker Rule.” See “Volcker Rule Adoption” below.

Federal Regulatory Guidance on Incentive Compensation. The federal banking regulators have issued guidance on sound incentive compensation policies for banking organizations. This guidance, which covers all employees with the ability to materially affect the risk profile of an organization either individually or as a part of a group, is based upon key principles designed to ensure that incentive compensation practices are not structured in a manner to give employees incentives to take imprudent risks. Federal regulators actively monitor actions being taken by banking organizations with respect to incentive compensation arrangements and review and update their guidance as appropriate to incorporate emerging best practices.

The Federal Reserve reviews, as part of the regular, risk-focused examination process, the incentive compensation arrangements of banking organizations such as ours that are not considered “large, complex banking organizations.” The reviews are tailored to each organization based on the scope and complexity of the organization’s activities and the prevalence of incentive compensation arrangements and any findings are included in reports of examination. Deficiencies are incorporated into the organization’s supervisory ratings, which can affect the organization’s ability to make acquisitions and take other actions. Enforcement actions may be taken against a banking organization if its incentive compensation arrangements, or related risk-management controls or governance processes, pose a risk to the organization’s safety and soundness, and the organization is not taking prompt and effective measures to correct the deficiencies.

Dodd-Frank requires that the federal banking agencies, including the Federal Reserve and the OCC, issue a rule related to incentive-based compensation. No final rule implementing this provision of Dodd-Frank has, as of the date of the filing of this Annual Report on Form 10-K, been adopted, but a proposed rule was published in 2016 that expanded upon a prior proposed rule published in 2011. The proposed rule is intended to: (i) prohibit incentive-based payment arrangements that the banking agencies determine could encourage certain financial institutions to take inappropriate risks by providing excessive compensation or that could lead to material financial loss, (ii) require the board of directors of those financial institutions to take certain oversight actions related to incentive-based compensation, and (iii) require those financial institutions to disclose information concerning incentive-based compensation arrangements to the appropriate federal regulator. Although a final rule has not been issued, the Company and the Bank have undertaken efforts to ensure that their incentive compensation plans do not encourage inappropriate risks, consistent with the principles identified above.

Regulation II. The “Durbin Amendment” to Dodd-Frank and the Federal Reserve’s implementing Regulation II exempt from debit card interchange fee standards any issuing bank that, together with its affiliates, have assets of less than $10 billion. Because of our asset size, we are exempt from the debit card interchange fee standards but may lose the exemption if Regulation II is amended or if we, together with our subsidiaries, surpass $10 billion in assets. Regulation II also prohibits network exclusivity arrangements on debit card transactions and ensures merchants will have choices in debit card routing, and these provisions apply to us. Under the Durbin Amendment to Dodd-Frank and the Federal Reserve’s implementing regulations, the debit card interchange fee that the Bank charges merchants must be reasonable and proportional to the cost of clearing the transaction. The maximum permissible interchange fee is capped at the sum of $0.21 plus five basis points of the transaction value for many types of debit interchange transactions. The Bank may also recover $0.01 per transaction for fraud prevention purposes if it complies with certain fraud-related requirements. The Federal Reserve also has established rules governing routing and exclusivity that require debit card issuers to offer two unaffiliated networks for routing transactions on each debit or prepaid product.

Volcker Rule. Under provisions of Dodd-Frank known as the “Volcker Rule” and implementing regulations, banking entities may not (1) engage in short-term proprietary trading for their own accounts or (2) have certain ownership interests in and relationships with hedge funds or private equity funds, referred to as “covered funds.” The Volcker Rule also requires each regulated entity to establish an internal compliance program consistent with the extent to which it engages in prohibited activities, which must include (for the largest entities) making regular reports about those activities to regulators. Smaller banks and community banks, including the Bank, are afforded some relief under the Volcker Rule. Smaller banks, including the Bank, that are engaged only in exempted proprietary trading, such as trading in U.S. government, agency, state and municipal obligations, are exempt from compliance program requirements.

19

Moreover, even if a community or small bank engages in proprietary trading or covered fund activities under the Volcker Rule, they need only incorporate references to the Volcker Rule into their existing policies and procedures.

Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018. In 2018, the Economic Growth, Regulatory Relief, and Consumer Protection Act (“EGRRCPA”) was signed into law, which amended provisions of Dodd-Frank and was intended to ease regulatory burdens, particularly with respect to smaller-sized banking institutions, e.g., those with less than $10 billion in assets, such as us. EGRRCPA’s highlights include: (i) exemption of banks with less than $10 billion in assets from the ability-to-repay requirements for certain qualified residential mortgage loans held in portfolio; (ii) clarification that, subject to various conditions, reciprocal deposits of another depository institution obtained using a deposit broker through a deposit placement network for purposes of obtaining maximum deposit insurance would not be considered brokered deposits subject to the FDIC’s brokered-deposit regulations; and (iii) simplification of capital calculations by requiring regulators to establish for institutions under $10 billion in assets a community bank leverage ratio (tangible equity to average consolidated assets) at a percentage not less than 8% and not greater than 10% that such institutions may elect to replace the general applicable risk-based capital requirements for determining well capitalized status.

Consumer Protections for Remittance Transfers. In 2012, the CFPB published a final Remittance Transfer Rule (the “Remittance Rule”) to implement Section 1073 of Dodd-Frank. The Remittance Rule creates a comprehensive set of consumer protections, found in Regulation E, covering remittance transfers sent by consumers in the United States to parties in foreign countries. The Remittance Rule, among other things, mandates certain disclosures and consumer cancellation rights for foreign remittances covered by the rule.

Effect of Governmental Monetary Policies. The commercial banking business is affected not only by general economic conditions but also by both U.S. fiscal policy and the monetary policies of the Federal Reserve. Some of the instruments of fiscal and monetary policy available to the Federal Reserve include changes in the discount rate on member bank borrowings, the fluctuating availability of borrowings at the “discount window,” open market operations, the imposition of and changes in reserve requirements against member banks’ deposits and assets of foreign branches, the imposition of and changes in reserve requirements against certain borrowings by banks and their affiliates, and the placing of limits on interest rates that member banks may pay on time and savings deposits. Such policies influence to a significant extent the overall growth of bank loans, investments, and deposits and the interest rates charged on loans or paid on time and savings deposits. See Item 7,“Management’s Discussion and Analysis of Financial Condition and Results of Operations.” We cannot predict the nature of the future fiscal and monetary policies and the effect of such policies on future business and our earnings.

OCC Supervisory Strategies Related to Banking Regulations. The OCC announced on October 1, 2024 that its supervisory strategies for its fiscal year 2025 would focus on: (a) asset and liability management; (b) credit risk management and allowance for credit losses (“ACL”); (c) cybersecurity; (d) operational resilience; (e) payments-related risk management; (f) change management; (g) third-party risk management; (h) BSA/anti-money laundering and OFAC/sanctions programs compliance management; (i) consumer compliance and fair lending risk; (j) CRA performance; and (k) climate-related financial risk management. The OCC’s 2025 supervisory plan provided the foundation for policy initiatives and for supervisory strategies as applied to national banks as well as their technology service providers.

The OCC typically provides periodic updates about supervisory priorities through the Semiannual Risk Perspective process in the fall and spring of each year. OCC staff members use the supervisory plan to guide their supervisory priorities, planning, and resource allocations.

State Laws and Regulations. Notwithstanding its federal charter, the Bank is governed by other state laws and regulations in connection with some of its business and operational practices. This includes, for example, complying with state laws governing abandoned or unclaimed property, state and local licensing requirements, and other state-based rules which direct how the Bank may conduct its activities, unless otherwise preempted by its federal charter.

20

Available Information

Our principal executive offices are located at 409 Silverside Road, Wilmington, Delaware 19809 and our telephone number is (302) 385-5000. The Bank headquarters are located at 345 North Reid Place, Suite 700, Sioux Falls, South Dakota 57103. We make available free of charge on our website, www.thebancorp.com, our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K and amendments to those reports filed or furnished pursuant to Section 13(a) or Section 15(d) of the Exchange Act as soon as reasonably practicable after we electronically file such material with, or furnish it to, the SEC. Investors are encouraged to access these reports and other information about our business on our website. Information found on our website shall not be deemed incorporated by reference into, and does not form any part of, this Annual Report on Form 10-K. We also will provide copies of our Annual Report on Form 10-K, free of charge, upon written request to our Investor Relations Department at our address for our principal executive offices. Also posted on our website, and available in print upon request by any stockholder to our Investor Relations Department, are the charters of the standing committees of our Board and standards of conduct governing our directors, officers and employees.