TRICO BANCSHARES / (TCBK) Business

ITEM 1.    BUSINESS

Overview

TriCo Bancshares is a registered bank holding company under the Bank Holding Company Act of 1956, as amended (the “BHC Act”). TriCo's principal business is to serve as the holding company for our wholly-owned subsidiary, Tri Counties Bank, a California-chartered commercial bank (the “Bank”). TriCo is a California corporation and was incorporated in 1981. Our common stock is traded on the Nasdaq Global Select Market under the trading symbol "TCBK". The Company and the Bank are headquartered in Chico, California.

As a bank holding company, TriCo is subject to the supervision of the Board of Governors of the Federal Reserve System (the “FRB”) under the BHC Act. The Bank is subject to the supervision of the California Department of Financial Protection & Innovation (the “DFPI”) and the Federal Deposit Insurance Corporation (the "FDIC"). See “Regulation and Supervision.”

The Company maintains two capital subsidiary business trusts (collectively, the Trusts), both organized by the Company. For financial reporting purposes, the Company’s remaining investments in the Trusts of $1.2 million are accounted for under the equity method and, accordingly, are not consolidated and are included in other assets on the consolidated balance sheet. For more information regarding the trust preferred securities please refer to “Note 14 – Junior Subordinated Debt” to the consolidated financial statements within Part II, Item 8 of this report.

Additional Information

Our executive offices are located at 63 Constitution Drive, Chico, California 95973, and our telephone number is (530) 898-0300. Additional information concerning the Company can be found on our website at www.tcbk.com. Copies of our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K and amendments to these reports are available free of charge through the investor relations page of our website, www.tcbk.com/about/investor-relations, as soon as reasonably practicable after the Company files these reports with the U.S. Securities and Exchange Commission (“SEC”). The information on our website is not part of this annual report.

Tri Counties Bank

The Bank was organized in 1975 and had total assets of approximately $9.8 billion at December 31, 2025. Based in Chico, California, the Bank offers an extensive and competitive breadth of consumer, small business and commercial banking services through its network of stand-alone and in-store branches in communities throughout California. In addition to its California community bank network, the Bank provides advanced online and mobile banking, a shared nationwide network of over 40,000 surcharge-free ATMs, and bankers available by phone 7 days per week.

The Bank provides a breadth of personal, small business and commercial financial services including accepting demand, savings and time deposits and making small business, commercial, real estate, and consumer loans, as well as a range of treasury management services and other customary banking services including safe deposit boxes at some branches. Brokerage and wealth management services are provided at the Bank’s offices by Tri Counties Advisors through the Bank’s arrangement with Raymond James Financial Services, Inc., an independent financial services provider and broker-dealer.

The Bank offers a variety of banking and financial services to both personal, small business and commercial customers. In many instances the owners or stakeholders of the business and commercial customers are also personal customers. The industries that we serve are diverse in both number and type and include, but are not limited to, manufacturing, real estate development, retail, wholesale, transportation, agriculture, commerce, oil & gas, and professional services. The majority of the Bank’s loans are direct loans made to individuals and businesses in California where its branches or business lending centers are located. At December 31, 2025, the Bank’s consumer loans net of deferred fees outstanding were $1.3 billion (18.5%), commercial and industrial loans outstanding were $464.4 million (6.5%), real estate construction loans of $301.0 million (4.2%), and commercial real estate loans were $4.9 billion (68.3%) of total loans. The Bank takes real estate, listed and unlisted securities, savings and time deposits, automobiles, machinery, equipment, inventory, accounts receivable and notes receivable secured by property as collateral for loans.

Most of the Bank’s deposits are from individuals and business-related sources. No single person or group of persons provides a material portion of the Bank’s deposits, the loss of any one or more of which would have a materially adverse effect on the business of the Bank, nor is a material portion of the Bank’s loans concentrated within a single industry or group of related industries.

Human Capital Resources

At December 31, 2025, we employed 1,148 persons. Full-time equivalent employees numbered 1,135. Additionally, we at times will utilize temporary personnel to supplement our workforce. None of our employees are presently represented by a union or covered under a collective bargaining agreement. Management believes that its employee relations are good.

Our employees are critical to our success and competition for qualified banking personnel has historically been intense; therefore, our corporate culture is an important element of our board of directors' oversight of risk. Senior management is responsible for embodying, maintaining, and communicating our culture to employees. In that regard, our culture is designed to promote our commitment to improving

2 TriCo Bancshares 2025 10-K

Table of Contents

the livelihood of our employees and guides us in making decisions throughout the Company. Our culture adheres to TriCo’s values of trust, respect, integrity, communication and opportunity. We expect our people to treat each other and our customers with the highest level of honesty and respect and to do the right thing. We strive to be a force for good in everyday life. We dedicate resources to provide a safe and inclusive workplace; promoting diversity of thought and perspective, attracting and retaining diverse talent, and promoting our values by recognizing employees for both the results they deliver and how they achieve them. We offer professional growth opportunities through various training and development programs. We aim to engage our workforce through proactive listening, career conversations, performance discussions, and employee surveys.

We attract and retain employees by offering competitive compensation and benefit programs, considering the position’s location and responsibilities. Our benefits include employer subsidized health insurance, wellness initiatives, employee assistance programs, tuition reimbursement, a 401(k) retirement plan and an employee stock ownership plan. In addition, we offer a portfolio of additional services and tools to support our employees’ health and well-being.

We encourage our team members to share their talents in their communities through volunteer activities in education, economic development, human and health services, and community reinvestment. During 2025, our team members logged more than 10,100 volunteer hours, supporting more than 350 organizations, and approximately 4,500 of those hours were for the benefit of community development efforts to support programs and services to low- or moderate-income communities.

We strive to have a workforce that reflects the communities we serve and continue to promote diversity in leadership roles. We are dedicated to providing an inclusive, supportive, and discrimination-free workplace. We recognize employees based on their individual and departmental results, as well as overall Company results.

Competition

The banking business in California generally is highly competitive with respect to both loans and deposits. It is dominated by a relatively small number of national and regional banks with many offices operating over a wide geographic area, with the more metropolitan areas that we serve having a larger number of national and regional banks than the rest of our footprint. Among the advantages such major banks have over the Bank are their greater ability to finance investments in technology and marketing campaigns and to allocate their investment assets to regions of high yield and demand. By virtue of their greater total capitalization, such institutions also have substantially higher lending limits than the Bank.

In addition to competing with other banks, the Bank competes with savings institutions, credit unions, brokerage firms and the financial markets for funds. Yields on corporate and government debt securities and other commercial paper may be higher than on deposits, and therefore affect the ability of commercial banks to attract and hold deposits. We also compete for available funds with money market instruments and mutual funds. During periods of high or rising interest rates, money market funds have provided substantial competition to banks for deposits and they may continue to do so in the future. Mutual funds are also a major source of competition for savings dollars.

As the financial services industry becomes increasingly oriented toward technology-driven delivery systems, we face competition from banks and non-bank institutions without offices in our primary service area. We also increasingly compete with financial technology or “fintech” companies for loans and other financial services customers.

To compete effectively, the Bank relies substantially on local promotional activity, personal contacts by its officers, directors, employees and shareholders, extended hours, personalized service and its reputation in the communities it service.

Regulation and Supervision

General

The Company and the Bank are subject to extensive regulation under both federal and state law affecting most aspects of our operations. This regulation is intended primarily for the protection of customers, depositors, the FDIC deposit insurance fund and the banking system as a whole, and not for the protection of our shareholders. Set forth below is a summary description of the significant laws and regulations applicable to the Company and the Bank. The description is qualified in its entirety by reference to the applicable laws and regulations.

Regulatory Agencies

The Company is a legal entity separate and distinct from the Bank and its other subsidiaries. As a bank holding company, the Company is regulated under the BHC Act, and is subject to supervision, regulation and examination by the FRB. The Company is also under the jurisdiction of the SEC and is subject to the disclosure and regulatory requirements of the Securities Act of 1933 and the Securities Exchange Act of 1934, each administered by the SEC. The Company’s common stock is listed on the Nasdaq Global Select Market (“Nasdaq”) under the trading symbol “TCBK” and the Company is, therefore, subject to the rules of Nasdaq for listed companies.

The Bank is subject to regulation, supervision and periodic examination by the FDIC, which is the Bank’s primary federal regulator and the DFPI.

The Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) created the Consumer Financial Protection Bureau (the “CFPB”) as an independent entity with broad rulemaking, supervisory and enforcement authority over consumer financial products and services. In addition, the CFPB is authorized to investigate consumer complaints and enforce rules related to consumer financial products and services. CFPB regulations and guidance apply to all financial institutions, including the Bank. Banks with $10 billion

3 TriCo Bancshares 2025 10-K

Table of Contents

or more in assets are subject to examination by the CFPB, while banks with less than $10 billion in assets, including the Bank, continue to be examined for compliance with federal consumer laws by their primary federal banking agency. At December 31, 2025, the Company had $9.8 billion in total assets. See the Risk Factors section for a discussion of some of the risks the Bank will encounter when it exceeds $10 billion in assets as of a December 31 annual measurement date.

The Bank Holding Company Act

The Company is registered as a bank holding company under the BHC Act. In general, the BHC Act limits the business of bank holding companies to banking, managing or controlling banks and other activities that the FRB has determined to be so closely related to banking as to be a proper incident thereto. Qualified bank holding companies that elect to be financial holding companies may engage in any activity, or acquire and retain the shares of a company engaged in additional activities that are either (i) financial in nature or incidental to such financial activity or (ii) complementary to a financial activity, and do not pose a substantial risk to the safety and soundness of depository institutions or the financial system generally, as determined by the FRB. Activities that are financial in nature include securities underwriting and dealing, insurance underwriting and agency, and making merchant banking investments. The Company has not elected to become a financial holding company.

As a bank holding company, TriCo is required to file reports with the FRB and the FRB periodically examines the Company. A bank holding company is required by law to serve as a source of financial and managerial strength to its subsidiary bank and, under appropriate circumstances, to commit resources to support the subsidiary bank.

Bank Acquisitions

We are required to obtain prior FRB approval before acquiring more than 5% of the voting shares, or substantially all of the assets, of a bank holding company, bank or savings association. In addition, the prior approval of the FDIC and DFPI is required for a California chartered bank to merge with another bank or purchase the assets or assume the deposits of another bank. In determining whether to approve a proposed bank acquisition, bank regulators will consider, among other factors, the effect of the acquisition on competition, the public benefits expected to be received from the acquisition, capital adequacy and the acquiring institution’s effectiveness in combating money laundering and its record of addressing the credit needs of the communities it serves, including the needs of low- and moderate-income neighborhoods under the Community Reinvestment Act of 1997, as amended ("CRA").

The standards by which mergers and acquisitions involving depository institutions or bank holding companies are evaluated by regulators continue to evolve. For example, the DOJ announced in September 2024 its withdrawal from the 1995 Bank Merger Guidelines to assess the competitive effects of bank merger transactions.

Safety and Soundness Standards

Under the Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”), the federal bank regulatory agencies have established safety and soundness standards for insured depository institutions covering internal controls, information systems and internal audit systems; loan documentation; credit underwriting; interest rate exposure; asset growth; compensation (including executive compensation) fees and benefits; and asset quality, earnings and stock valuation.

If a federal bank regulatory agency determines that a depository institution fails to meet any standard established by the guidelines, the agency may require the institution to submit to the agency an acceptable plan to achieve compliance with the standard. The agencies may elect to initiate enforcement actions in certain cases rather than relying on a plan, particularly where an institution has failed to comply with an acceptable plan or where a failure to meet one or more of the standards could threaten the safe and sound operation of the institution.

In October 2025, the FDIC and Office of the Comptroller of the Currency (“OCC”) issued a proposed rule that would define the term “unsafe or unsound practice” for purposes of their enforcement powers under the Federal Deposit Insurance Act. The proposed definition would focus on whether the practice is likely to materially harm, or already has materially harmed, the financial condition of an institution. The FRB has not issued a similar proposal.

Dividends, Distributions and Stock Repurchases

A California corporation such as TriCo may make a distribution to its shareholders to the extent that either the corporation’s retained earnings meet or exceed the amount of the proposed distribution or the value of the corporation’s assets exceed the amount of its liabilities plus the amount of shareholders preferences, if any, and certain other conditions are met. It is the FRB’s policy that bank holding companies should generally pay dividends on common stock only out of income available over the past year, and only if prospective earnings retention is consistent with the organization’s expected future needs and financial condition. In addition, a bank holding company’s ability to pay dividends on its common stock may be limited if it fails to maintain an adequate capital conservation buffer under these capital rules. See “Regulatory Capital Requirements.”

In certain circumstances, the Company's repurchases of its common stock may be subject to a prior approval or notice requirement under other regulations, policies or supervisory expectations of the FRB.

In August 2022, the Inflation Reduction Act of 2022 (the “IRA”) was enacted. Among other things, the IRA imposes a new 1% excise tax on the fair market value of stock repurchased after December 31, 2022 by publicly traded U.S. corporations. With certain exceptions, the value of stock repurchased is determined net of stock issued in the year, including shares issued pursuant to compensatory arrangements.

4 TriCo Bancshares 2025 10-K

Table of Contents

The primary source of funds for payment of dividends by TriCo to its shareholders has been and will be the receipt of dividends. TriCo’s ability to receive dividends from the Bank is limited by applicable state and federal law. Under the California Financial Code, funds available for cash dividend payments by a bank are restricted to the lesser of: (i) retained earnings or (ii) the bank’s net income for its last three fiscal years (less any distributions to shareholders made during such period). However, with the prior approval of the Commissioner of the DFPI, a bank may pay cash dividends in an amount not to exceed the greatest of the: (1) retained earnings of the bank; (2) net income of the bank for its last fiscal year; or (3) net income of the bank for its current fiscal year. However, if the DFPI finds that the shareholders’ equity of the bank is not adequate or that the payment of a dividend would be unsafe or unsound, the Commissioner may order the bank not to pay a dividend to shareholders.

In addition, the Bank’s ability to pay dividends may be limited if the Bank fails to maintain an adequate capital conservation buffer. See “Regulatory Capital Requirements.”

The FRB, FDIC and the DFPI have authority to prohibit a bank holding company or a bank from engaging in practices which are considered to be unsafe and unsound. Depending on the financial condition of TriCo and the Bank and other factors, our regulators could determine that payment of dividends or other payments or stock repurchases by TriCo or the Bank might constitute an unsafe or unsound practice.

The Community Reinvestment Act

The CRA requires the federal banking regulatory agencies to periodically assess a bank’s record of helping meet the credit needs of its entire community, including low- and moderate-income neighborhoods. The CRA also requires the agencies to consider a financial institution’s record of meeting its community credit when evaluating applications for, among other things, domestic branches and mergers or acquisitions. The federal banking agencies rate depository institutions’ compliance with the CRA. The ratings range from a high of “outstanding” to a low of “substantial noncompliance.” A less than “satisfactory” rating could result in the suspension of any growth of the Bank through acquisitions or opening de novo branches until the rating is improved.

In October 2023, the FRB, the FDIC, and the OCC issued a final rule amending the agencies’ CRA regulations. In July 2025, the federal banking agencies issued a joint Notice of Proposed Rulemaking, which, if finalized, would rescind the 2023 final rule and reinstate the CRA framework that existed prior to the issuance of that rule. Implementation of the October 2023 final rule, which was subject to an injunction and has not taken effect, would have materially changed the CRA framework, including imposing additional costs and changing how CRA performance would be assessed.

Consumer Protection Laws and Supervision

The Bank is subject to many federal consumer protection statutes and regulations, some of which are discussed below.

•The Equal Credit Opportunity Act generally prohibits discrimination in any credit transaction, whether for consumer or business purposes, on the basis of race, color, religion, national origin, sex, marital status, age (except in limited circumstances), receipt of income from public assistance programs, or good faith exercise of any rights under the Consumer Credit Protection Act.

•The Truth-in-Lending Act is designed to ensure that credit terms are disclosed in a meaningful way so that consumers may compare credit terms more readily and knowledgeably.

•The Fair Housing Act regulates many practices, including making it unlawful for any lender to discriminate in its housing-related lending activities against any person because of race, color, religion, national origin, sex, handicap or familial status.

•The Home Mortgage Disclosure Act, which includes a “fair lending” aspect, requires the collection and disclosure of data about applicant and borrower characteristics as a way of identifying possible discriminatory lending patterns and enforcing anti-discrimination statutes.

•The Real Estate Settlement Procedures Act requires lenders to provide borrowers with disclosures regarding the nature and cost of real estate settlements and prohibits certain abusive practices, such as kickbacks, and places limitations on the amount of escrow accounts.

The CFPB has broad rule making authority for a wide range of consumer financial laws that apply to all banks, including, among other things, laws relating to fair lending and the authority to prohibit “unfair, deceptive or abusive” acts and practices. The CFPB has promulgated many mortgage-related rules, including rules related to requirements for "qualified mortgages," standards by which lenders must satisfy themselves of a borrower's ability to repay a mortgage loan, mortgage servicing standards, disclosure requirements, loan originator compensation standards, high-cost mortgage requirements, HMDA requirements, and appraisal and escrow standards for higher priced mortgages. The mortgage-related rules issued by the CFPB have materially restructured the origination, servicing, and securitization of residential mortgages in the United States. The CFPB has also taken positions on fair lending, including applying the disparate impact theory in auto financing, which could make it harder for lenders, such as the Bank, to charge different rates or apply different terms to loans to different customers. The CFPB’s rules and policies have impacted, and will continue to impact, the business practices of mortgage lenders, including the Bank.

On October 22, 2024, the CFPB finalized a new rule that requires a provider of payment accounts or products, such as a bank, to make data available to consumers upon request regarding the products or services they obtain from the provider. Any such data provider also has to make such data available to third parties, with the consumer’s express authorization and through an interface that satisfies formatting, performance and security standards, for the purpose of such third parties providing the consumer with financial products or services requested by the consumer. Data required to be made available under the rule includes transaction information, account balance, account

5 TriCo Bancshares 2025 10-K

Table of Contents

and routing numbers, terms and conditions, upcoming bill information, and certain account verification data. The rule is intended to give consumers control over their financial data, including with whom it is shared, and encourage competition in the provision of consumer financial products or services. For banks with at least $10 billion and less than $250 billion in total assets, compliance with the rule’s requirements is required beginning on April 1, 2027. However, the rule is the subject of litigation, which is currently stayed while the CFPB considers revisions to the rule and it is possible the rule will be substantially re-written or rescinded.

During 2025, the CFPB significantly reduced its staff. The reduction in force is the subject of litigation, and the staffing cuts are currently stayed pending the federal circuit court's rehearing of the case. The impact of these developments on banking organizations subject to CFPB regulation and supervision, including the Company in the event we exceed $10 billion in total assets, is uncertain. In addition, there is continued uncertainty about the CFPB’s priorities under the current U.S. administration. For example, in February 2025, the Acting Director of the CFPB instructed agency staff to pause most activity, including supervision and enforcement. While it is presently unclear when and to what extent the CFPB will resume its activities, other governmental authorities, including state attorneys general or banking regulators, may seek to increase their regulation, supervision, and enforcement of providers of consumer financial products and services in response to changes at the CFPB. Moreover, changes at the CFPB may lead to federal legislative efforts to alter the framework for consumer financial services regulation.

We are also subject to certain state consumer protection laws and state attorneys general and other state officials are empowered to enforce certain federal consumer protection laws and regulations. State authorities have increased their focus on and enforcement of consumer protection rules. These federal and state consumer protection laws apply to a broad range of our activities and to various aspects of our business and include laws relating to interest rates, fair lending, disclosures of credit terms and estimated transaction costs to consumer borrowers, debt collection practices, the use of and the provision of information to consumer reporting agencies, and the prohibition of unfair, deceptive, or abusive acts or practices in connection with the offer, sale, or provision of consumer financial products and services.

Penalties for violations of the above laws may include fines, reimbursements, injunctive relief and other penalties. Failure to comply with consumer protection requirements may also result in our failure to obtain any required bank regulatory approval for merger or acquisition transactions we may wish to pursue or our prohibition from engaging in such transactions even if approval is not required.

Privacy and Data Protection

We are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer privacy and data protection. Under privacy protection provisions of the Gramm-Leach-Bliley Act of 1999 ("GLBA") and its implementing regulations and guidance, we are limited in our ability to disclose certain non-public information about consumers to non-affiliated third parties. Financial institutions, such as the Bank, are required by statute and regulation to notify consumers of their privacy policies and practices and, in some circumstances, allow consumers to prevent disclosure of certain personal information to a non-affiliated third party. In addition, such financial institutions must appropriately safeguard their customers’ nonpublic, personal information.

Like other lenders, the Bank uses credit bureau data in their underwriting activities. Use of such data is regulated under the Fair Credit Reporting Act (“FCRA”), and the FCRA also regulates reporting information to credit bureaus, prescreening individuals for credit offers, sharing of information between affiliates, and using affiliate data for marketing purposes. Similar state laws may impose additional requirements on the Company and the Bank.

Data privacy and data protection are areas of increasing state legislative focus. For example, the California Consumer Privacy Act ("CCPA"), which became effective on January 1, 2020, applies to for-profit businesses that conduct business in California and meet certain revenue or data collection thresholds. The CCPA gives consumers the right to request disclosure of information collected about them, and whether that information has been sold or shared with others, the right to request deletion of personal information (subject to certain exceptions), the right to opt out of the sale of the consumer’s personal information, and the right not to be discriminated against for exercising these rights. In addition, the California Privacy Rights Act (“CPRA”), which took effect on January 1, 2023, significantly modified the CCPA, including imposing additional obligations on covered companies and expanding California consumers’ rights with respect to certain sensitive personal information. The CCPA and CPRA do not provide a blanket exemption for financial institutions, but instead contain a partial exemption for information collected by financial institutions where the information is itself subject to the GLBA (e.g., information about individuals who have obtained personal financial products from the institution). Such information is exempt from the privacy requirements of the CCPA, but, is not exempt from the private right of action conferred if a business fails to implement and maintain reasonable security to protect certain categories of information. In California, the CCPA, the CPRA, and their implementing regulations may be interpreted or applied in a manner inconsistent with our understanding.

State regulators have been increasingly active in implementing privacy and cybersecurity standards and regulations. Recently, several states have adopted regulations requiring certain financial institutions to implement cybersecurity programs and many states, including California, have recently implemented or modified their data breach notification, information security and data privacy requirements. We expect this trend of state-level activity in those areas to continue and are continually monitoring developments in the states in which our customers are located.

Cybersecurity

The federal banking regulators regularly issue new guidance and standards, and update existing guidance and standards, regarding cybersecurity intended to enhance cyber risk management among financial institutions. Financial institutions are expected to comply with

6 TriCo Bancshares 2025 10-K

Table of Contents

such guidance and standards and to accordingly develop appropriate security controls and risk management processes. If we fail to observe such regulatory guidance or standards, we could be subject to various regulatory sanctions, including financial penalties. In 2023, the SEC issued a final rule that requires disclosure of material cybersecurity incidents, as well as cybersecurity risk management, strategy and governance. Under this rule, SEC registrants must generally disclose information about a material cybersecurity incident within four business days of determining it is material with periodic updates as to the status of the incident in subsequent filings, as necessary.

Banking organizations are required to notify their primary banking regulator within 36 hours of determining that a “computer-security incident” has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the banking organization’s ability to carry out banking operations or deliver banking products and services to a material portion of its customer base, its businesses and operations that would result in material loss, or its operations that would impact the stability of the United States. Banks' service providers are required to notify any affected bank to or on behalf of which the service provider provides services "as soon as possible" after determining that it has experienced an incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided to such bank for as much as four hours.

Recent cyberattacks against banks and other financial institutions that resulted in unauthorized access to confidential customer information have prompted the federal banking regulators to issue guidance on cybersecurity. Among other things, financial institutions are expected to design multiple layers of security controls to establish lines of defense and ensure that their risk management processes address the risks posed by compromised customer credentials, including security measures to authenticate customers accessing internet-based services. A financial institution also should have a robust business continuity program to recover from a cyberattack and procedures for monitoring the security of third-party service providers that may have access to nonpublic data at the institution. Further, our service providers have obligations to safeguard their systems and sensitive information and we may be bound contractually and/or by regulation to comply with the same requirements. If the Company or its service providers fail to comply with applicable regulations and contractual requirements, we could be exposed to lawsuits, governmental proceedings or the imposition of fines, among other consequences.

Risks and exposures related to cybersecurity attacks, including litigation and enforcement risks, are expected to be elevated for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our customers.

See "Item 1A. Risk Factors" for a further discussion of risks related to cybersecurity, including the Bank's cybersecurity incident in 2023, and "Item 1C. Cybersecurity" for a further discussion of risk management strategies and governance processes related to cybersecurity.

Regulatory Capital Requirements

The Company and the Bank are subject to the minimum capital requirements of the FRB and FDIC, respectively. Capital requirements may have an effect on the Company’s and the Bank’s profitability and ability to pay dividends. If the Company or the Bank lacks adequate capital to increase its assets without violating the minimum capital requirements or if it is forced to reduce the level of its assets in order to satisfy regulatory capital requirements, its ability to generate earnings would be reduced.

We are subject to the capital framework for U.S. banking organizations known as Basel III. Basel III defines several measures of capital and establishes capital ratios based on a banking organization's levels of capital relative to risk-weighted assets. The risk-weighting of the asset depends on the nature of the asset but generally ranges from 0% for U.S. government and agency securities, to 1,250% for certain trading securitization exposures, resulting in higher risk weights for a variety of asset classes than previous regulations.

Under Basel III, the Company (on a consolidated basis) and the Bank are each subject to the following minimum capital ratios: (1) common equity Tier 1 capital or “CET1” to risk‑weighted assets of 4.5%; (2) Tier 1 capital (that is, CET1 plus Additional Tier 1 capital) to risk‑weighted assets of 6.0%; (3) Total capital (that is, Tier 1 capital plus Tier 2 capital) to risk‑weighted assets of 8%; and (4) a leverage ratio (Tier 1 capital to average consolidated assets as reported on regulatory financial statements) of 4.0%. The Basel III capital framework includes a “capital conservation buffer” of 2.5%, composed entirely of CET1, on top of the minimum risk‑weighted asset ratios. Banking institutions that fail to maintain a full capital conservation buffer face constraints on dividends, equity repurchases and discretionary executive compensation based on the amount of the shortfall and the institution’s “eligible retained income” (that is, trailing net income for four quarters, net of distributions and tax effects not reflected in net income). The 2.5% capital conservation buffer effectively results in minimum ratios of (i) CET1 to risk‑weighted assets of at least 7%, (ii) Tier 1 capital to risk‑weighted assets of at least 8.5%, and (iii) total capital to risk‑weighted assets of at least 10.5%.

We believe that we were in compliance with the requirements of the Basel III capital rules applicable to us as of December 31, 2025. For a discussion of the regulatory capital requirements, see “Note 26 – Regulatory Matters” to the consolidated financial statements at Part II, Item 8 of this report.

Prompt Corrective Action

Prompt Corrective Action regulations of the federal bank regulatory agencies establish five capital categories in descending order based on an institution’s regulatory capital ratios: well capitalized, adequately capitalized, undercapitalized, significantly undercapitalized and critically undercapitalized. Under the Prompt Corrective Action framework, insured depository institutions are required to meet the following minimum capital level requirements in order to qualify as “well capitalized:” (i) a common equity Tier 1 capital ratio of 6.5%; (ii) a Tier 1 capital ratio of 8%; (iii) a total capital ratio of 10%; and (iv) a Tier 1 leverage ratio of 5%. An institution may be downgraded to, or deemed to be in, a capital category that is lower than indicated by its capital ratios if it is determined to be in an unsafe or unsound condition or if it receives an unsatisfactory examination rating with respect to certain matters. Institutions classified in one of the three undercapitalized categories are

7 TriCo Bancshares 2025 10-K

Table of Contents

subject to certain mandatory and discretionary supervisory actions, which include increased monitoring and review, implementation of capital restoration plans, asset growth restrictions, limitations upon expansion and new business activities, requirements to augment capital, restrictions upon deposit gathering and interest rates, replacement of senior executive officers and directors, and requiring divestiture or sale of the institution. The Bank’s capital levels have exceeded the minimums necessary to be considered well capitalized under the current regulatory framework for prompt corrective action since adoption.

Deposit Insurance

Deposit accounts in the Bank are insured by the FDIC, generally up to a maximum of $250,000 per separately insured depositor. The Bank pays deposit insurance assessments as determined by the FDIC. The assessment rate for an institution with less than $10.0 billion in assets, such as the Bank, is based on its risk category, with certain adjustments for any unsecured debt or brokered deposits held by the bank. The assessment base against which the assessment rate is applied to determine the total assessment due for a given period is the depository institution’s average total consolidated assets during the assessment period less average tangible equity during that assessment period. Institutions assigned to higher risk categories (that is, institutions that pose a higher risk of loss to the FDIC’s deposit insurance fund (the “DIF”)) pay assessments at higher rates than institutions that pose a lower risk. An institution’s risk classification is assigned based on a combination of its financial ratios and supervisory ratings, reflecting, among other things, its capital levels and the level of supervisory concern that the institution poses to the regulators. Deposit insurance assessments are also affected by the minimum reserve ratio with respect to the DIF. The Dodd-Frank Act increased the DIF’s minimum reserve ratio to 1.35% of the estimated amount of total insured deposits. In addition, the FDIC can impose special assessments in certain instances.

In November 2023, the FDIC issued a final rule to implement a special assessment to recover losses to the DIF incurred as a result of bank failures earlier that year and the FDIC's use of the systemic risk exception to cover certain deposits that were otherwise uninsured. The special assessment was based on estimated uninsured deposits as of December 31, 2022 (excluding the first $5.0 billion of deposits at an institution) and was assessed at a quarterly rate of 3.36 basis points over eight quarterly assessment periods, beginning in the first quarter of 2024. In December 2025, the FDIC reduced the rate at which the assessment is collected for the eighth quarter of the collection period, with an invoice payment date of March 30, 2026, from 3.36 basis points to 2.97 basis points. The Bank’s uninsured deposits were below the threshold and therefore is not required to pay the special assessment. This updated assessment was made under the FDIC’s final rule whereby the estimated loss pursuant to the systemic risk determination can be periodically adjusted. The FDIC has also retained the ability to cease collection early, extend the special assessment collection period and impose a final shortfall special assessment. The special assessments are tax deductible. The extent to which any such additional future assessments will impact our future deposit insurance expense is currently uncertain.

The Bank is generally unable to control the amount of premiums that it is required to pay for FDIC insurance or the amount of credit, if any, that it may be allowed to offset such assessments. If there are additional bank or financial institution failures or if the FDIC otherwise determines, the Bank may be required to pay even higher FDIC premiums than the recently increased levels. Increases in FDIC insurance premiums may have a material and adverse effect on the Company’s earnings and could have a material adverse effect on the value of, or market for, the Company’s common stock.

The FDIC may terminate a depository institution’s deposit insurance upon a finding that the institution’s financial condition is unsafe or unsound or that the institution has engaged in unsafe or unsound practices that pose a risk to the DIF or that may prejudice the interest of the bank’s depositors. The termination of deposit insurance for the Bank would also result in the revocation of the Bank’s charter by the DFPI.

Depositor Preference

The FDIA provides that, in the event of the "liquidation or other resolution" of an insured depository institution, the claims of depositors of the institution, including the claims of the FDIC as subrogee of insured depositors and certain claims for administrative expenses of the FDIC as a receiver, will have priority over other general unsecured claims against the institution. If an insured depository institution fails, insured and uninsured depositors, along with the FDIC, will have priority in payment ahead of unsecured, non-deposit creditors, including depositors whose deposits are payable only outside of the United States and the parent bank holding company, with respect to any extensions of credit they have made to such insured depository institution.

Commercial Real Estate Concentrations

Under guidance issued by the federal banking regulators, a financial institution is considered to have a significant commercial real estate (“CRE”) concentration risk, and will be subject to enhanced supervisory expectations to manage that risk, if (i) total reported loans for construction, land development and other land (“C&D”) represent 100% or more of the institution’s total capital or (ii) total CRE loans represent 300% or more of the institution’s total capital and the outstanding balance of the institution’s CRE loan portfolio has increased by 50% or more during the prior 36 months.

As of December 31, 2025, our C&D concentration as a percentage of capital totaled 21.5% and our CRE concentration, net of owner-occupied loans, as a percentage of capital totaled 188.6%

Bank Secrecy Act / Anti-Money Laundering

The Bank Secrecy Act of 1970 and the USA Patriot Act of 2001 require financial institutions to develop policies, procedures, and practices to prevent and deter money laundering ("BSA/AML"), and mandate that every bank have a written, board-approved program that is reasonably

8 TriCo Bancshares 2025 10-K

Table of Contents

designed to assure and monitor compliance with the BSA/AML laws. The program must, at a minimum: (1) provide for a system of internal controls to assure ongoing compliance; (2) provide for independent testing for compliance; (3) designate an individual responsible for coordinating and monitoring day-to-day compliance; and (4) provide training for appropriate personnel. In addition, banks are required to adopt a customer identification program, performing ongoing customer due diligence to understand the nature and purpose of customer relationships for the purpose of developing customer risk profiles and filing reports regarding known or suspected violations of federal law or suspicious transactions.

On December 3, 2019, three federal banking agencies and the Financial Crimes Enforcement Network (“FinCEN”) issued a joint statement clarifying the compliance procedures and reporting requirements that banks must file for customers engaged in the growth or cultivation of hemp, including a clear statement that banks need not file a SAR on customers engaged in the growth or cultivation of hemp in accordance with applicable laws and regulations. This statement does not apply to cannabis-related business; thus, the statement only pertains to customers who are lawfully growing or cultivating hemp and are not otherwise engaged in unlawful or suspicious activity. On September 24, 2024, the California Governor announced emergency regulations to protect children and teens from the adverse effects of dangerous intoxicating hemp products are now in effect. Retailers must cease selling any industrial hemp food, beverage or dietary product intended for human consumption if there is any detectable THC or other intoxicating cannabinoids per serving. We are evaluating the impact of these regulations on our compliance operations.

Failure to comply with these requirements could have serious financial, legal and reputational consequences, including causing applicable bank regulatory authorities not to approve merger or acquisition transactions when regulatory approval is required or to prohibit such transactions even if approval is not required.

Office of Foreign Assets Control Regulation

The U.S. Treasury Department’s Office of Foreign Assets Control, or OFAC, administers and enforces economic and trade sanctions against targeted foreign countries and regimes, under authority of various laws, including designated foreign countries, nationals and others. OFAC publishes lists of specially designated targets and countries. We are responsible for, among other things, blocking accounts of, and transactions with, such targets and countries, prohibiting unlicensed trade and financial transactions with them and reporting blocked transactions after their occurrence.

Transactions with Affiliates

Banks are also subject to certain restrictions imposed by the Federal Reserve Act on extensions of credit to executive officers, directors, principal shareholders (including the Company) or any related interest of such persons. Regulation O requires that such extensions of credit must be made on substantially the same terms, including interest rates and collateral as, and follow credit underwriting procedures that are not less stringent than, those prevailing at the time for comparable transactions with persons not affiliated with the bank, and must not involve more than the normal risk of repayment or present other unfavorable features. Banks are also subject to certain lending limits and restrictions on overdrafts to such persons. Regulation W requires that certain transactions between the Bank and its affiliates, including its holding company, be on terms substantially the same, or at least as favorable to the Bank, as those prevailing at the time for comparable transactions with or involving non-affiliated companies or, in the absence of comparable transactions, on terms and under circumstances, including credit standards, that in good faith would be offered to or would apply to non-affiliated companies.

Source of Strength Doctrine

Federal Reserve Board policy and federal law require bank holding companies to act as a source of financial and managerial strength to their subsidiary banks. Under this requirement, the Company is expected to commit resources to support the Bank, including at times when the Company may not be in a financial position to provide such resources. Any capital loans by a bank holding company to any of its subsidiary banks are subordinate in right of payment to depositors and to certain other indebtedness of such subsidiary banks. In the event of a bank holding company's bankruptcy, any commitment by the bank holding company to a federal bank regulatory agency to maintain the capital of a subsidiary bank will be assumed by the bankruptcy trustee and entitled to priority of payment.

Interchange Fees

Under the Durbin Amendment, adopted as part of the Dodd-Frank Act, the FRB adopted rules establishing standards for assessing whether the interchange fees that may be charged with respect to certain electronic debit transactions are “reasonable and proportional” to the costs incurred by issuers for processing such transactions.

Interchange fees, or “swipe” fees, are charges that merchants pay to us and other card-issuing banks for processing electronic payment transactions. FRB rules applicable to financial institutions that have assets of $10 billion or more provide that the maximum permissible interchange fee for an electronic debit transaction is the sum of 21 cents per transaction and 5 basis points multiplied by the value of the transaction. An upward adjustment of no more than 1 cent to an issuer's debit card interchange fee is allowed if the card issuer develops and implements policies and procedures reasonably designed to achieve certain fraud-prevention standards. In October 2023, the Federal Reserve issued a proposed rule under which the maximum permissible interchange fee for an electronic debit transaction would be the sum of 14.4 cents per transaction and 4 basis points multiplied by the value of the transaction. Furthermore, the fraud-prevention adjustment would increase from a maximum of 1 cent to 1.3 cents per debit card transaction. The proposal would adopt an approach for future adjustments to the interchange fee cap, which would occur every other year based on issuer cost data gathered by the FRB from large debit card issuers. The Bank is currently not subject to these restrictions or those proposed, however if our assets exceed $10 billion or more at December 31, 2026, these rules, if adopted, would be applicable to the Bank in July 2027. The extent to which any such proposed changes in permissible interchange fees will impact our future revenues is currently uncertain.

9 TriCo Bancshares 2025 10-K

Table of Contents

Effective July 1, 2023, debit card issuers are required to enable all debit card transactions, including card-not-present transactions such as online payments, to be processed on at least two unaffiliated payment card networks.

Incentive Compensation Policies and Restrictions

In July 2010, the federal banking agencies issued guidance on sound incentive compensation policies that applies to all banking organizations supervised by the agencies (thereby including both the Company and the Bank). Pursuant to the guidance, to be consistent with safety and soundness principles, a banking organization’s incentive compensation arrangements should: (1) provide employees with incentives that appropriately balance risk and reward; (2) be compatible with effective controls and risk management; and (3) be supported by strong corporate governance including active and effective oversight by the banking organization’s board of directors. Monitoring methods and processes used by a banking organization should be commensurate with the size and complexity of the organization and its use of incentive compensation.

The Dodd-Frank Act requires the federal banking agencies and the SEC to establish joint regulations or guidelines for specified regulated entities having at least $1 billion in total assets, such as us, to prohibit incentive-based payment arrangements that encourage inappropriate risk taking by providing an executive officer, employee, director or principal shareholder with excessive compensation, fees, or benefits or that could lead to material financial loss to the entity. In addition, these regulators must establish regulations or guidelines requiring enhanced disclosure to regulators of incentive-based compensation arrangements. The agencies have not yet finalized these rules and the current administration has indicated its intention to abandon any reproposal.

Pursuant to the Dodd-Frank Act, in 2023, effective October 2, 2023, the Nasdaq Stock Market adopted a rule requiring listed companies to adopt policies to recover or "clawback" excess incentive-based compensation earned by a current or former executive officer during the three fiscal years preceding the date the listed company is required to prepare an accounting restatement, including to correct an error that would result in a material misstatement if the error were corrected in the current period or left uncorrected in the current period. We adopted a compensation clawback policy pursuant to the listing standards that is included as Exhibit 97.1 to this report.

The scope and content of the U.S. banking regulators’ policies on executive compensation may continue to evolve in the near future. It cannot be determined at this time whether compliance with such policies will adversely affect the Company’s ability to hire, retain and motivate its key employees.

Climate-Related and Other ESG Developments

In recent years, federal, state and international lawmakers and regulators have increased their focus on financial institutions' and other companies' risk oversight, disclosures and practices in connection with climate change and other environmental, social and governance ("ESG") matters. In addition, several states, including California, have enacted or proposed statutes or regulations addressing climate change and other ESG issues, while other states have enacted or proposed “anti-ESG” statutes or regulations. Conversely, President Trump has issued a number of executive orders in 2025 that specifically target federal climate and ESG initiatives and the federal executive branch's retreat from ESG regulatory expectations. It is uncertain how these conflicting positions will impact our business.

On March 6, 2024, the SEC adopted rules creating a detailed and extensive special disclosure regime about climate risks for issuing and reporting companies. Various states and private parties have challenged the rules.The litigation was consolidated in the U.S. Eighth Circuit Court of Appeals, and the SEC previously stayed effectiveness of the rules pending completion of that litigation. Furthermore, the SEC notified the court that the SEC would cease its involvement in the defense of the rule, leaving it uncertain as to whether it will become effective.

In California, the Climate Corporate Data and Accountability Act (“CCDAA”) requires both public and private U.S. businesses with revenues greater than $1 billion doing business in California to report their greenhouse gas emissions including scopes 1, 2, and 3 beginning in 2026 (for 2025 data) and also requires reporting companies to get third-party assurance of their reports. The Climate-Related Financial Risk Act (SB 261) mandates U.S. businesses with annual revenues over $500 million doing business in California to bi-annually disclose climate-related financial risks and their mitigation strategies beginning January 1, 2026. However, on November 18, 2025, the United States Court of Appeals for the Ninth Circuit granted an injunction halting enforcement of SB 261, pending resolution of a constitutional challenge. On January 9, 2026, a three-judge panel for the Ninth Circuit heard oral arguments relating to the challenges of SB 253 and SB 261. As of the date of this document, the panel did not issue a decision during the hearing. If the injunction is lifted, the Company could be subject to compliance with SB 261.

Disclosure requirements imposed by different regulators may not always be uniform, which may result in increased complexity, and cost, for compliance. Additionally, many of our suppliers and business partners may be subject to similar requirements, which may augment or create additional risks, including risks that may not be known to us.

As the Company continues to grow and expand the scope of our operations, our regulators generally will expect us to enhance our internal control programs and processes, including with respect to risk management and stress testing under a variety of adverse scenarios and related capital planning. In the event the federal banking agencies were to expand the scope of coverage of the new climate risk guidelines to institutions of our size or promulgate new regulations or supervisory guidance applicable to the Company, we would expect to experience increased compliance costs and other compliance-related risks.

10 TriCo Bancshares 2025 10-K

Table of Contents

Impact of Monetary Policies

Banking is a business that depends on interest rate differentials. In general, the difference between the interest paid by a bank on its deposits and other borrowings, and the interest rate earned by banks on loans, securities and other interest-earning assets, comprises the major source of banks’ earnings. Thus, the earnings and growth of banks are subject to the influence of economic conditions generally, both domestic and foreign, and also to the monetary and fiscal policies of the United States and its agencies, particularly the FRB. The FRB implements national monetary policy, such as seeking to curb inflation and combat recession, by its open-market dealings in United States government securities, by adjusting the required level of reserves for financial institutions subject to reserve requirements and through adjustments to the discount rate applicable to borrowings by banks which are members of the FRB. The actions of the FRB in these areas influence the growth of bank loans, investments and deposits, and also affect interest rates. The nature and timing of any future changes in such policies and their impact on the Company cannot be predicted. In addition, adverse economic conditions could make a higher provision for loan losses a prudent course and could cause higher loan loss charge-offs, thus adversely affecting the Company’s net earnings.

Future Legislation and Regulation

Congress may enact legislation from time to time that affects the regulation of the financial services industry, and state legislatures may enact legislation from time to time affecting the regulation of financial institutions chartered by or operating in those states. Federal and state regulatory agencies also periodically propose and adopt changes to their regulations or change the way existing regulations are applied. The substance or impact of pending or future legislation or regulation, or the application thereof, cannot be predicted, although any change could impact the regulatory structure under which we or our competitors operate and may significantly increase costs, impede the efficiency of internal business processes, require an increase in regulatory capital, require modifications to our business strategy, and limit our ability to pursue business opportunities in an efficient manner. It could also affect our competitors differently than us, including in a manner that would make them more competitive. A change in statutes, regulations or regulatory policies applicable to us could have a material, adverse effect on our business, financial condition and results of operations.

President Trump has issued many executive orders that could impact our operations. For example, in August 2025, President Trump signed Executive Order 14331, “Guaranteeing Fair Banking Access for All Americans,” which states that it is the policy of the United States that no American should be denied access to financial services because of their constitutionally or statutorily protected beliefs, affiliations, or political views. The Executive Order directs the Treasury Secretary and federal banking regulators to address politicized or unlawful debanking activities. We are evaluating this order and others to determine if any would have material impact on our financial condition or results of operations.