UMB FINANCIAL CORP (UMBF) Business

ITEM 1. BUSINESS

General

UMB Financial Corporation (together with its consolidated subsidiaries, unless the context requires otherwise, the Company) is a financial holding company that is headquartered in Kansas City, Missouri. The Company provides banking services and asset servicing to its customers in the United States and around the globe.

The Company was organized as a corporation under Missouri law in 1967 and is registered as a bank holding company under the Bank Holding Company Act of 1956, as amended (the BHCA) and a financial holding company under the Gramm-Leach-Bliley Act of 1999, as amended (the GLBA). The Company currently owns all of the outstanding stock of one national bank and several nonbank subsidiaries.

On January 31, 2025, the Company acquired all of the outstanding stock of Heartland Financial USA, Inc., a Delaware corporation (HTLF), in an all-stock transaction, issuing a total of 23.6 million shares of the Company’s common stock and 4.6 million depositary shares, each representing a 1/400th interest in a share of the Company’s 7.00% Fixed-Rate Reset Non-Cumulative Perpetual Preferred Stock, Series A (the Company’s preferred stock). Pursuant to the Agreement and Plan of Merger, dated as of April 28, 2024, (i) HTLF merged with and into the Company, with the Company continuing as the surviving corporation and (ii) one day after the closing date of the acquisition of HTLF by the Company, HTLF’s wholly owned bank subsidiary, a Colorado-chartered non-member bank (HTLF Bank), merged with and into UMB Bank, National Association, the Company’s national bank subsidiary (the Bank), with the Bank continuing as the surviving bank.

On April 29, 2024, the Company also announced that in connection with the execution of the merger agreement, it entered into a forward sale agreement with BofA Securities, Inc. or its affiliate to issue 2.8 million shares of its common stock. The underwriters were granted an option to purchase up to an additional 420 thousand shares of the Company's common stock exercisable within 30 days of April 28, 2024. The underwriters exercised this option in full on April 30, 2024, upon which the Company entered into an additional forward sale agreement relating to the 420 thousand shares of the Company's common stock. The forward sale agreements entered into on April 28, 2024 and April 30, 2024 (collectively, the forward sale agreements) are classified as an equity instrument under ASC 815-40, Contracts in Entity’s Own Equity. The Company settled the forward sale agreement during the first quarter of 2025 for net proceeds of $235.1 million.

The Bank has its principal office in Missouri and provides financial services primarily throughout the Midwestern, Southwestern, and Western regions of the United States. The Bank offers a full complement of banking products and other services to commercial, retail, government, and correspondent-bank customers, including a wide range of asset-management, trust, bankcard, and cash-management services.

The Company also owns UMB Fund Services, Inc. (UMBFS), which is a significant nonbank subsidiary that has offices in Milwaukee, Wisconsin, Chadds Ford, Pennsylvania, and Ogden, Utah. UMBFS provides fund accounting, transfer agency, and other services to mutual fund and alternative-investment groups.

Business Segments

The Company’s products and services are grouped into three segments: Commercial Banking, Institutional Banking, and Personal Banking.

These segments and their financial results are described in detail in (i) the section of Management’s Discussion and Analysis of Financial Condition and Results of Operations entitled Business Segments, which can be found in Part II, Item 7 of this report and (ii) Note 12, “Business Segment Reporting,” in the Notes to the Consolidated Financial Statements, which can be found in Part II, Item 8 of this report.

Competition

The Company faces intense competition in each of its business segments and in all of the markets and geographic regions that the Company serves. Competition comes from both traditional and non-traditional financial-services providers, including banks, savings associations, finance companies, investment advisors, asset managers, mutual funds, private-equity firms, hedge funds, brokerage firms, mortgage-banking companies, credit-card

4

companies, insurance companies, trust companies, securities processing companies, and credit unions. Increasingly, financial-technology (fintech) companies, including those related to digital currencies or cryptocurrencies (including stablecoins), and technology companies, are partnering with financial-services providers to compete with the Company for lending, payments, and other business. Many of the Company’s competitors are not subject to the same kind or degree of supervision and regulation as the Company.

Competition is based on a number of factors. Banking customers are generally influenced by convenience, interest rates and pricing, personal experience, quality and availability of products and other services, lending limits, transaction execution, and reputation. Investment advisory services compete primarily on returns, expenses, third-party ratings, and the reputation and performance of managers. Asset servicing competes primarily on price, quality of services, and reputation. The Company and its competitors are all impacted to varying degrees by the overall economy and health of the financial markets.

The Company’s ability to successfully compete in its chosen markets and regions also depends on its ability to attract, retain, and motivate talented employees, to invest in technology and infrastructure, and to innovate, all while effectively managing its expenses. The Company expects that competition will likely intensify in the future.

Human Capital

The Company is dedicated to creating the Unparalleled Customer Experience, and its associates are critical to achieving this mission. As part of the Company’s efforts to recruit and retain top talent, it strives to offer competitive compensation and benefits programs, while fostering a culture rooted in inclusion of a diverse mix of associates who are empowered to be part of something more. The Company believes its associates, customers, and communities mutually benefit by its focus on providing opportunities for its associates to make an impact at work and in their respective communities. On a full-time equivalent basis on December 31, 2025, the Company and its subsidiaries employed 5,222 associates across the country.

Compensation and Benefits Program. The Company’s compensation program is designed to allow it to attract, reward, and retain talented individuals who contribute significant value to the organization. The Company’s compensation programs reward performance, reserving the highest rewards for the highest performers. The Company’s incentive plans are intended to promote the interests of the Company and its shareholders by providing associates with incentives and rewards to encourage them to continue in service of the Company. The Company provides employees with compensation packages that include base salary, annual short-term incentive bonuses, and long-term equity awards tied to management, growth, and protection of the business of the Company. In addition to cash and equity compensation, the Company offers a robust benefits program that includes medical, dental, and vision insurance, health savings accounts and a variety of insurance options, including pet, life, and long-term care. Additionally, the Company also offers associates benefits including paid time off, paid volunteer time off, paid parental leave, adoption assistance, a 401(k) plan, as well as profit sharing and an employee stock ownership plan. The Company strives to engage and encourage associates to act and take personal responsibility for improving their health and well-being, as well as the health and well-being of their families. To assist associates with their goals, the Company offers wellness resources and incentives to support wellness strategies.

Talent and Experience. The Company believes that an equitable and inclusive environment produces more creative solutions, results in better products and services, and is crucial to its efforts to attract and retain key talent. The Company’s talent acquisition team focuses on building recruitment marketing strategies that are designed to identify and attract candidates with a variety of backgrounds. The Company’s business resource groups (BRGs) also play a vital role in deepening the recruitment pipeline of talent and refer candidates to the Company on a regular basis. BRGs are structured to engage associates who share common interests, including associates from traditionally underrepresented groups. Nearly 20% of the Company’s associates participate in one or more BRGs.

Community Involvement. For more than a century, the Company has maintained a commitment to the prosperity of each community it serves. In addition to providing financial products built for the needs of its customers, the Company builds strong community partnerships through associate volunteerism, associate financial giving, and corporate philanthropy. The Company encourages associates to give back to their local communities through various programs and initiatives, including paid volunteer time off and matching charitable gift programs.

For more information on the Company’s equity and inclusion and community involvement initiatives, please see its Corporate Citizenship Report available at www.umb.com/corporatecitizenship. Information on the

5

Company’s website is not incorporated by reference into this report and should not be considered part of this document.

Government Monetary and Fiscal Policies

In addition to the impact of general economic conditions, the Company’s business, results of operations, financial condition, capital, liquidity, and prospects are significantly affected by government monetary and fiscal policies that are announced or implemented in the United States and abroad.

A sizeable impact is exerted, in particular, by the policies of the Board of Governors of the Federal Reserve System and the Federal Reserve Bank (the FRB), which, through the Federal Open Market Committee, influences monetary and credit conditions in the economy in pursuit of maximum employment and stable prices. Among the FRB’s policy tools are (1) open market operations (that is, purchases or sales of securities in the open market to adjust the supply of reserve balances in order to achieve targeted federal funds rates or to put pressure on longer-term interest rates in order to achieve more desirable levels of economic activity and job creation), (2) the discount rate charged on loans by the Federal Reserve Banks, (3) the level of reserves required to be held by depository institutions against specified deposit liabilities, (4) the interest paid or charged on balances maintained with the Federal Reserve Banks by depository institutions, including balances used to satisfy their reserve requirements, and (5) other deposit and loan facilities.

The FRB and its policies have a substantial impact on the availability and demand for loans and deposits, the rates, and other aspects of pricing for loans and deposits, and the conditions in equity, fixed income, currency, and other markets in which the Company operates. Policies announced or implemented by other central banks around the world have a meaningful effect on our operations as well, whether coordinated with those of the FRB or otherwise.

Tax and other fiscal policies, moreover, impact not only general economic conditions but also give rise to incentives or disincentives that affect how the Company and its customers prioritize objectives, operate businesses, and deploy resources.

Regulation and Supervision

The Company is subject to regulatory frameworks in the United States at federal, State, and local levels. In addition, the Company is subject to direct supervision by various government authorities charged with overseeing the kinds of financial activities conducted by its business segments. The current presidential administration has implemented significantly different policies from the previous presidential administration, including new proposed regulations and rescissions or withdrawals of previous guidance, and sharply reduced the workforce at the federal banking agencies. The cumulative impact of these changes, and whether they will last over time, is unclear.

This section summarizes certain provisions of the principal laws and regulations that apply to the Company. The descriptions, however, are not complete and are qualified in their entirety by the full text and judicial or administrative interpretations of those laws and regulations and other laws and regulations that affect the Company.

Overview

The Company is a bank holding company that has elected to also become a financial holding company. As a result, the Company—including all of its businesses and operations—is subject to the regulation, supervision, and examination of the FRB and to restrictions on permissible activities. This framework of regulation, supervision, and examination is intended primarily for the protection and benefit of depositors and other customers of the Bank, the Deposit Insurance Fund (the DIF) of the Federal Deposit Insurance Corporation (the FDIC), the banking and financial systems as a whole, and the broader economy, not for the protection or benefit of the Company’s shareholders or its non-deposit creditors.

Many of the Company’s subsidiaries are also subject to separate or related forms of regulation, supervision, and examination, including: (1) the Bank, by the Office of the Comptroller of the Currency (the OCC), the FDIC, and the Consumer Financial Protection Bureau (the CFPB); (2) UMBFS, UMB Financial Services, Inc., and UMB Asset Management, LLC, by the Securities and Exchange Commission (the SEC) and State regulatory authorities, and UMB Financial Services, Inc., by the Financial Industry Regulatory Authority (FINRA); and (3) UMB Insurance, Inc., by State regulatory authorities. These regulatory schemes, like those overseen by the FRB, are

6

designed to protect public or private interests that often are not aligned with those of the Company’s shareholders or non-deposit creditors.

The FRB possesses extensive authority to regulate and supervise the conduct of the Company’s businesses and operations. If the FRB were to take the position that the Company or any of its subsidiaries have violated any law or commitment or engaged in any unsafe or unsound practice, formal or informal corrective or enforcement actions could be taken by the FRB against the Company, its subsidiaries, and institution-affiliated parties such as directors, officers, and agents. These enforcement actions could include extensive and costly remediation requirements, an imposition of civil monetary penalties and could directly affect not only the Company, its subsidiaries, and institution-affiliated parties but also the Company’s counterparties, shareholders, and creditors and its commitments, arrangements, or other dealings with them. The OCC has similarly expansive authority over the Bank and its subsidiaries, as does the CFPB over matters involving consumer financial laws. The SEC, FINRA, and other domestic or foreign government authorities also have an array of means at their disposal to regulate, supervise, and enforce areas within their jurisdiction that could impact the Company’s businesses and operations.

Restrictions on Permissible Activities and Corporate Matters

Bank holding companies and their subsidiaries are generally limited to the business of banking and to closely related activities that are incidental to banking.

As a bank holding company that has elected to become a financial holding company, the Company is also able—directly or indirectly through its subsidiaries, other than the Bank—to engage in activities that are financial in nature, that are incidental to a financial activity, or that are complementary to a financial activity and do not pose a substantial risk to the safety or soundness of depository institutions or the financial system generally. Activities that are financial in nature include: (1) underwriting, dealing in, or making a market in securities, (2) providing financial, investment, or economic advisory services, (3) underwriting insurance, and (4) merchant banking.

The Company’s ability to, directly or indirectly, engage in these banking and financial activities is subject to conditions and other limits imposed by law or the FRB and, in some cases, requires the approval of the FRB or other government authorities. These conditions or other limits may arise due to the particular type of activity or, in other cases, may apply to the Company’s business more generally. Examples of the former are the substantial restrictions on the timing, amount, form, substance, interconnectedness, and management of the Company’s merchant banking investments. An example of the latter is a condition that, in order for the Company to continue to engage in broader financial activities, its depository institutions must remain “well capitalized” and “well managed” under applicable banking laws and must receive at least a “satisfactory” rating under the Community Reinvestment Act (the CRA). The FRB also has the power to require the Company to divest any depository institution that cannot maintain its “well capitalized” or “well managed” status.

The FRB maintains a targeted policy that requires a bank holding company to consult with the staff sufficiently in advance of (1) declaring and paying a dividend that could raise safety and soundness concerns (for example, a dividend that exceeds earnings in the period for which the dividend is being paid), (2) redeeming or repurchasing regulatory capital instruments when the holding company is experiencing financial weaknesses, or (3) redeeming or repurchasing common stock or perpetual preferred stock that would result in a net reduction as of the end of the quarter in the amount of those equity instruments outstanding compared with the beginning of the quarter in which the redemption or repurchase occurred.

Bank Acquisitions by the Company

The Company may acquire banks outside of its home State of Missouri, subject to limits and may establish new branches in other States to the same extent as banks chartered in those States. The Company must receive the prior approval of the FRB and possibly other government authorities to, directly or indirectly, acquire ownership or control of five percent or more of any class of voting securities of, or substantially all of the assets of, an unaffiliated bank, savings association, or bank holding company. In deciding whether to approve any acquisition or branch, the FRB, the OCC, and other government authorities will consider public or private interests that may not be aligned with those of the Company’s shareholders or non-deposit creditors.

The standards by which bank and financial institution acquisitions are evaluated may be subject to change. In September 2024, the OCC adopted a final rule and policy statement regarding its review of Bank Merger Act (BMA) applications for OCC-supervised institutions, including the Bank. In May 2025, the OCC adopted a final

7

rule that restored the ability for BMA applicants to file a streamlined application form for certain types of acquisitions and the expedited review process for BMA applications, which had been removed by the 2024 final rule, and rescinded the 2024 policy statement.

In September 2024, the DOJ withdrew its 1995 Bank Merger Guidelines and issued the 2024 Banking Addendum to 2023 Merger Guidelines (the 2024 Banking Addendum). The DOJ clarified that it will assess competition considerations in connection with bank and bank holding company mergers using its 2023 Merger Guidelines, which is the general merger review framework the DOJ now uses to evaluate transactions in all segments of the economy, and 2024 Banking Addendum. The 2024 Banking Addendum provides guidance on how the DOJ will assess competition in the context of bank and bank holding company mergers. An analysis under the 2023 Merger Guidelines and 2024 Banking Addendum may include consideration of theories of harm and relevant markets not considered under the 1995 Bank Merger Guidelines, which focused primarily on concentrations of deposits and branches.

Acquisitions of Ownership of the Company

Acquisitions of the Company’s voting stock above certain thresholds are subject to prior regulatory notice or approval under federal banking laws, including the BHCA and the Change in Bank Control Act of 1978, as amended (the CIBCA). Under the CIBCA, a person or entity generally obtain non-objection from the FRB before acquiring the power to vote 10% or more of any class of voting stock, including the Company’s common stock. Investors should be aware of these requirements when acquiring shares in the Company’s stock.

Requirements Affecting the Relationships among the Company, Its Subsidiaries, and Other Affiliates

The Company is a legal entity separate and distinct from the Bank, UMBFS, and its other subsidiaries but receives the vast majority of its revenue in the form of dividends from those subsidiaries. Without the approval of the OCC, however, dividends payable by the Bank in any calendar year may not exceed the lesser of (1) the current year’s net income combined with the retained net income of the two preceding years and (2) undivided profits. In addition, under the Basel III capital-adequacy standards described below under the heading “Capital-Adequacy Standards,” the Bank is required to maintain a capital conservation buffer in excess of its minimum risk-based capital ratios and will be restricted in declaring and paying dividends whenever the buffer is breached. The FRB or the OCC could also limit the dividends that the Bank or the Company’s other subsidiaries may pay to the Company to prevent any unsafe and unsound practice.

The Company is required by law to serve as a source of financial strength for its depository-institution subsidiaries and to commit resources to support those subsidiaries in circumstances when the Company might not otherwise elect to do so.

A number of laws also exist to prevent the Company and its nonbank subsidiaries from taking improper advantage of the benefits afforded to the Bank as a depository institution, including its access to federal deposit insurance and the discount window. These laws generally require the Bank and its subsidiaries to deal with the Company and its nonbank subsidiaries only on market terms and, in addition, impose restrictions on the Bank and its subsidiaries in directly or indirectly extending credit to or engaging in other covered transactions, including certain derivatives and securities lending transactions, with the Company or its nonbank subsidiaries.

In addition, under the Volcker Rule, the Company is subject to extensive limits on proprietary trading and on owning or sponsoring hedge funds and private-equity funds. The limits on proprietary trading are largely directed toward purchases or sales of financial instruments by a banking entity as principal primarily for the purpose of short-term resale, a benefit from actual or expected short-term price movements, or the realization of short-term arbitrage profits. The limits on owning or sponsoring hedge funds and private-equity funds are designed to ensure that banking entities generally maintain only small positions in managed or advised funds and are not exposed to significant losses arising directly or indirectly from them. The Volcker Rule also provides for increased capital charges, quantitative limits, rigorous compliance programs, and other restrictions on permitted proprietary trading and fund activities, including a prohibition on transactions with a covered fund that would constitute a covered transaction under Sections 23A and 23B of the Federal Reserve Act.

Stress Testing and Enhanced Prudential Standards

Under the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA), bank holding companies with assets of less than $100 billion, including the Company, are no longer subject to the requirement to

8

conduct forward-looking, company-run stress testing, including publishing a summary of results. The Company continues to run internal stress tests as a component of its comprehensive risk management and capital planning process. In addition, EGRRCPA increased the statutory asset threshold above which the FRB is required to apply enhanced prudential standards from $50 billion to $250 billion subject to certain discretion by the FRB to apply any enhanced prudential standard requirement to any bank holding company with between $100 billion and $250 billion in total consolidated assets that would otherwise be exempt under EGRRCPA. The Company remains exempt from the FRB’s enhanced prudential standards but the Bank is subject to the OCC’s heightened standards, which set expectations for the governance and risk management practices of large depository institutions subject to its supervision with more than $50 billion in assets. The guidelines require such institutions to establish and adhere to a written governance framework in order to manage and control their risk-taking activities and to incorporate their risk appetite statement and concentration risk limits into capital and liquidity stress testing and planning processes. On December 23, 2025, the OCC issued a notice of proposed rulemaking that would increase the threshold at which the heightened standards apply from $50 billion to $700 billion in total assets. If the rule is adopted as proposed, the Bank would no longer be subject to the OCC's heightened standards. See “Regulation and Supervision—Safety and Soundness Guidelines” in Part I, Item 1 of this report for additional information regarding federal guidelines prescribing safety and soundness standards.

Capital-Adequacy Standards

The FRB and the OCC have adopted risk-based capital and leverage regulations that require the capital-to-assets ratios of bank holding companies and national banks to meet specified minimum standards.

The risk-based capital ratios are based on a banking organization’s risk-weighted asset amounts (RWAs), which are generally determined under the standardized approach applicable to the Company and the Bank by (1) assigning on-balance-sheet exposures to broad risk-weight categories according to the counterparty or, if relevant, the guarantor or collateral (with higher risk weights assigned to categories of exposures perceived as representing greater risk) and (2) multiplying off-balance-sheet exposures by specified credit conversion factors to calculate credit equivalent amounts and assigning those credit equivalent amounts to the relevant risk-weight categories. The leverage ratio, in contrast, is based on an institution’s average on-balance-sheet exposures alone.

The capital ratios for the Company and the Bank as of December 31, 2025, are set forth below:

These capital-to-assets ratios also play a central role in prompt corrective action (PCA), which is an enforcement framework used by the federal banking agencies to constrain the activities of banking organizations based on their levels of regulatory capital. Five categories have been established using thresholds for the total risk-based capital ratio, the tier 1 risk-based capital ratio, the common-equity tier 1 risk-based capital ratio, and the leverage ratio: (1) well capitalized, (2) adequately capitalized, (3) undercapitalized, (4) significantly undercapitalized, and (5) critically undercapitalized. While bank holding companies are not subject to the PCA framework, the FRB is empowered to compel a holding company to take measures—such as the execution of financial or performance guarantees—when PCA is required in connection with one of its depository-institution subsidiaries. Failure to be well-capitalized or to meet minimum capital requirements could result in certain

9

mandatory and possible additional discretionary actions by regulators that, if undertaken, could have an adverse material effect on the Company’s operations or financial condition. For example, “brokered deposits,” as defined by FDIC regulations, may only be accepted by well capitalized depository institutions without prior regulatory approval or, with a waiver from the FDIC, by adequately capitalized depository institutions. At December 31, 2025, the Bank was categorized as well capitalized under the PCA framework.

Basel III, including revisions to the global Basel III capital framework (commonly known as the Basel III endgame), includes a number of more rigorous provisions applicable only to banking organizations that are larger or more internationally active than the Company and the Bank. These include, for example, a supplementary leverage ratio incorporating off-balance-sheet exposures, a liquidity coverage ratio, and a net stable funding ratio. These standards may be informally applied or considered by the FRB and the OCC in their regulation, supervision, and examination of the Company and the Bank. In July 2023, the federal banking agencies released a proposed rule to implement the Basel III endgame. If enacted as proposed, the proposal would significantly increase capital requirements for banking organizations with $100 billion or more in assets, which could indirectly impact smaller institutions, such as the Company and the Bank. It is uncertain if and when a final rule will be adopted, and if so, whether and to what extent it will differ from the Basel III Finalization Proposal. As a result, the timing and content of any final rule, and the potential effects of any final rule on the Company and the Bank, remain uncertain.

Deposit Insurance and Related Matters

The deposits of the Bank are insured by the FDIC in the standard insurance amount of $250 thousand per depositor for each account ownership category. This insurance is funded through assessments on the Bank and other insured depository institutions. Each institution’s assessment base is determined based on its average consolidated total assets less average tangible equity, and there is a scorecard method for calculating assessments that combines CAMELS (an acronym that refers to the five components of a bank’s condition that are addressed: capital adequacy, asset quality, management, earnings, and liquidity) ratings and specified forward-looking financial measures to determine each institution’s risk to the DIF.

In response to the bank failures in early 2023, the FDIC implemented a special assessment to recover the losses to the DIF at an annual rate of approximately 13.4 basis points over eight quarterly collection periods, which began in 2024, and currently projects that the eighth quarter of the special assessment will be collected at a reduced rate. The base for the special assessment is equal to an insured depository institution’s estimated uninsured deposits reported as of December 31, 2022, adjusted to exclude the first $5 billion. Under the FDIC's interim final rule on December 16, 2025, upon termination of the FDIC's receivership of Silicon Valley Bank and Signature Bank, the FDIC will either provide an offset to insured depository institutions, if the special assessment amount then-collected exceeds losses, or collect from insured depository institutions a one-time final shortfall special assessment, if losses exceed the special assessment amount then-collected. In addition, the FDIC will provide an offset to regular quarterly deposit insurance assessments for banks subject to the special assessment if, following the final resolution of litigation between the FDIC and SVB Financial Trust, the total amount collected through the special assessment exceeds the loss estimate at that time.

Resolution and Related Matters

If an insured depository institution such as the Bank were to become insolvent or if other specified events were to occur relating to its financial condition or the propriety of its actions, the FDIC may be appointed as conservator or receiver for the institution. In that capacity, the FDIC would have the power to (1) transfer assets and liabilities of the institution to another person or entity without the approval of the institution’s creditors, (2) require that its claims process be followed and to enforce statutory or other limits on damages claimed by the institution’s creditors, (3) enforce the institution’s contracts or leases according to their terms, (4) repudiate or disaffirm the institution’s contracts or leases, (5) seek to reclaim, recover, or recharacterize transfers of the institution’s assets or to exercise control over assets in which the institution may claim an interest, (6) enforce statutory or other injunctions, and (7) exercise a wide range of other rights, powers, and authorities, including those that could impair the rights and interests of all or some of the institution’s creditors. In addition, the administrative expenses of the conservator or receiver could be afforded priority over all or some of the claims of the institution’s creditors, and under the Federal Deposit Insurance Act (the FDIA), the claims of depositors (including the FDIC as subrogee of depositors) would enjoy priority over the claims of the institution’s unsecured creditors.

The FDIA also provides that an insured depository institution can be held liable for any loss incurred or expected to be incurred by the FDIC in connection with another commonly controlled insured depository institution

10

that is in default or in danger of default. This cross-guarantee liability is generally superior in right of payment to claims of the institution’s holding company and its affiliates.

In June 2024, the FDIC released a final rule amending its requirements for insured depository institutions with more than $50 billion in assets to develop and submit plans demonstrating how they could be resolved in an orderly and timely manner in the event of receivership. Under the rule, banks with at least $50 billion but less than $100 billion in total assets, including the Bank, are required to submit to the FDIC more limited informational filings triennially and interim supplemental information regarding their resolution planning in off-cycle years. On December 31, 2025, the FDIC provided an update that it intends to propose changes to the final rule in 2026. As a result, the Bank is not required to submit its first informational filing until after the final rule is issued.

Safety and Soundness Guidelines

The federal banking agencies have adopted guidelines prescribing safety and soundness standards relating to internal controls, risk management, information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure, asset growth and compensation, fees and benefits. These guidelines in general require appropriate systems and practices to identify and manage specified risks and exposures. The guidelines prohibit excessive compensation as an unsafe and unsound practice and characterize compensation as excessive when the amounts paid are unreasonable or disproportionate to the services performed by an executive officer or employee, director or principal shareholder. In addition, the federal banking agencies have adopted regulations that authorize but do not require an agency to order an institution that has been given notice by the agency that it is not in compliance with any of the safety and soundness standards to submit a compliance plan. If after being so notified, an institution fails to submit an acceptable compliance plan, the agency must issue an order directing action to correct the deficiency and may issue an order directing other actions of the types, including those that may limit growth or capital distributions.

Anti-Money Laundering Rules

The Bank Secrecy Act, as amended by the USA PATRIOT Act of 2001, (together, the BSA) and its implementing regulations require financial institutions, including banks and broker dealers, to, among other duties, implement and maintain an effective anti-money laundering (AML) compliance program and file suspicious activity and currency transaction reports when appropriate.

The Anti-Money Laundering Act of 2020, enacted on January 1, 2021 (AMLA), amends the BSA but does not directly impose new requirements on banks. AMLA requires the U.S. Treasury Department to, among other things, issue National Anti-Money Laundering and Countering the Financing of Terrorism Priorities and implementing regulations, and conduct studies and issue regulations that may, over the next few years, significantly alter certain due diligence, recordkeeping and reporting requirements that the BSA and its implementing regulations impose on banks. AMLA also contains provisions that increase penalties for violations of the BSA and includes whistleblower incentives, both of which could increase regulatory enforcement against banks. Implementation of AMLA is ongoing and is anticipated to impact the Bank’s AML compliance program.

Violations of the BSA and its implementing regulations can result in substantial civil and criminal penalties, and the federal banking agencies are required to consider the effectiveness of a financial institution’s AML compliance program when reviewing bank mergers and bank holding company acquisitions. In addition to the federal banking agencies, the Financial Crimes Enforcement Network is authorized to impose significant civil monetary penalties for violations of the BSA and its implementing regulations and has recently engaged in coordinated enforcement actions with state and federal law enforcement agencies and banking regulators.

OFAC Regulation

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) is responsible for administering U.S. economic sanctions, which can prohibit certain transactions with designated foreign jurisdictions, governments, entities and individuals. OFAC-administered sanctions take on many different forms. For example, sanctions may include: (1) restrictions on trade with or investment in a sanctioned jurisdiction, including prohibitions against direct or indirect imports from and exports to a sanctioned jurisdiction and prohibitions on U.S. persons engaging in financial transactions relating to, making investments in, or providing investment-related advice or assistance to, a sanctioned jurisdiction; and (2) blocking assets in which certain sanctioned foreign governments, entities or individuals have an interest, by prohibiting transfers of property subject to U.S. jurisdiction, including property in

11

the possession or control of U.S. persons. OFAC also maintains lists of designated persons, groups or entities that are the target of sanctions, including the “Specially Designated Nationals and Blocked Persons List.” The assets of designated persons, groups or entities are blocked and U.S. persons are generally prohibited from dealing with any such persons. Moreover, blocked assets, for example property and bank deposits, cannot be paid out, withdrawn, set off or transferred in any manner without a license from OFAC. If the Company finds a name on any transaction, account or wire transfer associated with a sanctioned person, the Company must freeze or block such account or transaction, file a blocked property report with OFAC and notify the appropriate authorities. Failure to comply with U.S. economic sanctions could have serious legal and reputational consequences.

Data Privacy and Cybersecurity

Various federal, state and local laws, rules, regulations and standards contain extensive data privacy and cybersecurity provisions, and the legal and regulatory framework for data privacy and cybersecurity is in considerable flux and rapidly evolving. For example, current federal laws, rules, regulations and standards, including the Gramm-Leach-Bliley Act (the “GLBA”), require financial institutions to, among other things, periodically disclose their privacy policies and practices relating to sharing personal information and enable retail customers to opt out of the Company’s ability to share such personal information with unaffiliated third parties under certain circumstances. Such laws and regulations also require financial institutions to implement a comprehensive cybersecurity program that includes administrative, technical and physical safeguards to ensure the security and confidentiality of customer records and information. An amendment to Regulation S-P, an implementing regulation promulgated under the GLBA, was adopted by the SEC on May 16, 2024 and requires broker dealers and registered investment advisers to, among other things, adopt and implement an incident response program as part of their formal cybersecurity policies and procedures and report data breaches to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization within 30 days of becoming aware of such data breach. Other federal and state laws, rules, regulations and standards impact the Company’s ability to share certain information with affiliates and non-affiliates for marketing and/or non-marketing purposes, or to contact customers with marketing offers. Federal law also makes it a criminal offense, except in limited circumstances, to obtain or attempt to obtain customer information of a financial nature by fraudulent or deceptive means. The Company and its nonbanking subsidiaries are also subject to rules and regulations issued by the Federal Trade Commission, which regulates unfair or deceptive acts or practices, including with respect to data privacy and cybersecurity. Additionally, like other lenders, the Bank uses credit bureau data in its underwriting activities. Use of such data is regulated under the Fair Credit Reporting Act, which also regulates reporting information to credit bureaus, prescreening individuals for credit offers, sharing of information between affiliates, and using affiliate data for marketing purposes. Similar state laws may impose additional requirements on the Company and its subsidiaries. The United States Congress has considered, and will likely in the future consider, additional data privacy and cybersecurity legislation, to which the Company may become subject if passed.

The enactment of the Cyber Incident Reporting for Critical Infrastructure Act (the “CIRCIA”) in 2022, once rulemaking is complete, will require, among other things, certain companies to report significant cyber incidents to the Cybersecurity and Infrastructure Agency (the “CISA”) within 72 hours from the time the company reasonably believes the incident occurred (and within 24 hours of making a ransom payment as a result of a ransomware attack). On April 4, 2024, the CISA proposed a rule under the CIRCIA that would clarify the scope of cyber incidents to be reported and would further define covered entities subject to the CIRCIA to expressly include companies in the financial services industry that are required to report cyber incidents to their primary federal regulators. Although the CIRCIA originally required the CISA to finalize its regulations by October 4, 2025, the CISA has extended such deadline to May 2026.

The Bank is also subject to federal regulations that, among other things, require a banking organization to notify its primary federal banking agencies as soon as possible and within 36 hours after identifying a “computer-security incident” that has materially disrupted or degraded, or the banking organization believes in good faith is reasonably likely to materially disrupt or degrade, its business or operations in a manner that would, among other things, jeopardize the viability of its operations, result in customers being unable to access their deposit and other accounts, result in a material loss of revenue, profit or franchise value, or pose a threat to the financial stability of the United States financial sector. Additionally, the federal banking agencies, as well as the SEC and related self-regulatory organizations, regularly issue guidance regarding cybersecurity that is intended to enhance cyber risk management among financial institutions.

Data privacy and cybersecurity are also areas of increasing state legislative focus. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the

12

“CCPA”), among other things, broadly defines personal information and gives California residents the right to request access to or correct personal information collected about them, and whether that personal information has been sold or shared with others, the right to request deletion of personal information (subject to certain exceptions), the right to opt out of certain sharing and sales of their personal information, and the right not to be discriminated against for exercising these rights. The CCPA contains several exemptions, including that many, but not all, requirements of the CCPA are inapplicable to personal information that is collected, sold, disclosed or processed subject to certain federal laws, including the GLBA. The CCPA contemplates civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation and includes a private right of action (permitting lawsuits to be brought by private individuals instead of the state Attorney General or other government actor for certain violations). Similar laws have been or may be adopted by other states where the Company does business or collects personal information. In addition, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to individuals whose personal information has been disclosed as a result of a data breach.

Broker Dealer and Investment Adviser Regulations

The Company’s broker dealer and investment adviser subsidiaries are subject to regulation by the SEC. FINRA is the primary self-regulatory organization for the Company’s registered broker dealer subsidiaries. The broker dealer and investment adviser subsidiaries also are subject to additional regulation by states or local jurisdictions. The SEC and FINRA have active enforcement functions that oversee broker dealers and investment advisers and can bring actions that result in fines, restitution, a limitation on permitted activities, disqualification to continue to conduct certain activities and an inability to rely on certain favorable exemptions. Certain types of infractions and violations also can affect the Company’s ability to issue new securities expeditiously. In addition, certain changes in the activities of a broker dealer require approval from FINRA, and FINRA takes into account a variety of considerations in acting upon applications for such approval, including internal controls, capital levels, management experience and quality, prior enforcement and disciplinary history, and supervisory concerns.

Other Regulatory and Supervisory Matters

As a public company, the Company is subject to the Securities Act of 1933, as amended (the Securities Act), the Securities Exchange Act of 1934, as amended (the Exchange Act), the Sarbanes-Oxley Act of 2002, and other federal and State securities laws. In addition, because the Company’s common stock is listed with The NASDAQ Stock Market LLC (NASDAQ), the Company is subject to the listing rules of that exchange.

Under the CRA, the Bank has a continuing and affirmative obligation to help meet the credit needs of its local communities—including low- and moderate-income neighborhoods—consistent with safe and sound banking practices. The CRA does not create specific lending programs but does establish the framework and criteria by which the OCC regularly assesses the Bank’s record in meeting these credit needs. The Bank’s ratings under the CRA are taken into account by the FRB and the OCC when considering merger or other specified applications that the Company or the Bank may submit from time to time. Under the CRA, institutions are assigned a rating of “outstanding,” “satisfactory,” “needs to improve,” or “unsatisfactory.” The Bank received a “satisfactory” rating at its most recent CRA evaluation.

The Bank is subject as well to a vast array of consumer-protection laws, such as qualified-mortgage and other mortgage-related rules under the jurisdiction of the CFPB. For example, the FRB has proposed, but not yet finalized, amendments to Regulation II that would lower the cap on debit interchange fees and institute a process for automatically recalculating the debit interchange fee cap every two years based upon a biennial survey of large debit card issuers. Lending limits, restrictions on tying arrangements, limits on permissible interest-rate charges, and other laws governing the conduct of banking or fiduciary activities are also applicable to the Bank.

13

Executive Officers of the Registrant. The following are the executive officers of the Company, each of whom is appointed annually, and there are no arrangements or understandings between any of the executive officers and any other person pursuant to which such person was elected as an executive officer.

14

The Company makes available free of charge on its website at www.umb.com/investor, its annual report on Form 10-K, quarterly reports on Form 10-Q, proxy statements, current reports on Form 8-K and amendments to such reports, as soon as reasonably practicable after it electronically files or furnishes such material with or to the SEC. Information on the Company’s website is not incorporated by reference into this report and should not be considered part of this document. These reports can also be found on the SEC website at www.sec.gov.