WEBSTER FINANCIAL CORP (WBS) Business

ITEM 1. BUSINESS

General

The Company is a bank holding company that has elected to be treated as a financial holding company under the BHC Act, incorporated under the laws of Delaware in 1986, and headquartered in Stamford, Connecticut. As of December 31, 2025, the Company had $84.1 billion in total consolidated assets.

The Bank is a commercial bank with a national bank charter focused on providing financial products and services to businesses, individuals, and families. While its core footprint spans the Northeast from the New York metropolitan area to Rhode Island and Massachusetts, certain businesses operate in extended geographies. The Bank offers three differentiated lines of business: Commercial Banking, Healthcare Financial Services, and Consumer Banking.

Proposed Transaction with Banco Santander

On February 3, 2026, Webster entered into a Transaction Agreement with Banco Santander and Webster Virginia Corporation, a wholly owned subsidiary of Webster incorporated in the State of Virginia. The Transaction Agreement provides that, upon the terms and subject to the conditions set forth therein, Banco Santander will acquire Webster in two steps. First, Webster will merge with and into Webster Virginia Corporation, with Webster Virginia Corporation continuing as the surviving corporation in such merger. Second, immediately following the completion of such merger, Banco Santander will acquire all outstanding shares of Webster Virginia Corporation through a statutory share exchange. Based on Banco Santander’s closing stock price on February 2, 2026, the Transaction has an aggregate value of approximately $12.3 billion.

Under the terms of the Transaction Agreement, holders of Webster common stock will receive $48.75 in cash and 2.0548 ADSs (or Ordinary Shares in certain circumstances) for each share of Webster common stock that they own. The Transaction Agreement contains customary representations and warranties, covenants, and closing conditions. Completion of the Transaction remains subject to approval by the Federal Reserve and the European Central Bank, approval by the stockholders of each company, and other customary closing conditions. The Transaction is expected to close in the second half of 2026.

Joint Venture with Marathon Asset Management

On July 19, 2024, the Company, through its subsidiary, MW Advisor Holding, LLC, entered into an agreement with Marathon Asset Management and formed a private credit joint venture, which is designed to deliver direct lending solutions for sponsor-backed middle market companies across the country. Information regarding joint venture activities that occurred during the year ended December 31, 2025, can be found within Note 2: Business Developments in the Notes to Consolidated Financial Statements contained in Part II - Item 8. Financial Statements and Supplementary Data.

On January 26, 2026, CVC Capital Partners, a private markets investment firm, announced that it has agreed to acquire 100% of Marathon Asset Management, which will result in a change in control of Marathon Asset Management. Separately, Webster’s Transaction with Banco Santander will result in a change of control of Webster. Pursuant to the operating agreement for Webster’s joint venture with Marathon Asset Management, within 120 days after the consummation of a change in control, the non-affected member may elect to dissolve the joint venture, which would result in the wind-down of MW Advisor, LLC and Marathon Direct Lending SLP, LLC.

Subsidiaries and Reportable Segments

As of December 31, 2025, the Company’s active consolidated subsidiaries included the Bank and MW Advisor Holding, LLC. The Bank’s active consolidated subsidiaries included Webster Licensing, LLC, Webster Wealth Advisors, Inc., Bend Financial, Inc., InterLINK Insured Sweep LLC, Ametros Financial Corporation, Webster Servicing LLC, Webster Public Finance Corporation, Webster Mortgage Investment Corporation, Sterling National Funding Corp., Sterling REIT, Inc., Webster Preferred Capital Corporation, Webster Investment Services, Inc., and Secure Inc.

The Company’s operations are organized into three reportable segments that represent its differentiated lines of business: Commercial Banking, Healthcare Financial Services, and Consumer Banking.

Commercial Banking delivers financial solutions nationally to a wide range of companies, investors, government entities, and other public and private institutions. Commercial Banking helps its clients achieve their business and financial goals with expertise in Commercial Real Estate, Middle Market, Sponsor and Specialty Finance, Verticals and Regional Banking, Asset Based Lending and Commercial Services, and Treasury Management. Commercial Banking’s Private Banking team also pairs holistic wealth solutions, including tailored lending, with commercial banking services.

Healthcare Financial Services includes HSA Bank and Ametros. HSA Bank is one the country’s largest providers of employee benefits solutions, including being one of the leading bank administrators of HSAs, emergency savings accounts, and flexible spending account administration services in 50 states. Ametros, the nation’s largest professional administrator of medical insurance claim settlements, helps individuals manage their ongoing medical care through their CareGuard service and proprietary technology platform.

1

Table of Contents

Consumer Banking delivers customized financial solutions to individuals, families, and small to mid-sized businesses through its experienced relationship managers and wealth advisors across 195 banking centers located throughout the Northeast. Consumer Banking offers a full suite of deposit, lending, treasury management, and wealth management solutions. Consumer Banking also provides a fully digital banking experience through its mobile banking apps and BrioDirect.

Additional information regarding the Company’s reportable segments can be found in Part II under the section captioned “Segment Reporting” contained in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations, and within Note 20: Segment Reporting in the Notes to Consolidated Financial Statements contained in Item 8. Financial Statements and Supplementary Data.

Available Information

The Company files reports with the SEC, and makes available, free of charge, within the investor relations section of its website (http://investors.websterbank.com), its Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and amendments to those reports as soon as reasonably practicable after it electronically files such material with, or furnishes it to, the SEC. The SEC website (http://www.sec.gov) makes reports, proxy and information statements, and other information filed electronically with the SEC available to the public free of charge. The Company intends to use its Investor Relations website and its corporate website as a means of disclosing material non-public information and for complying with its disclosure obligations under Regulation FD. Accordingly, investors should monitor these channels in addition to our press releases, SEC filings, and public conference calls and webcasts. Information contained on the Company’s website is not incorporated by reference into this Annual Report on Form 10-K.

Human Capital Resources

As a values-driven organization, our colleagues are the cornerstone of our success. As of December 31, 2025, the Company had 4,498 full-time employees and 103 part-time employees. Our employees are primarily located in our core footprint, which spans the Northeast from the New York metropolitan area to Rhode Island and Massachusetts, including our headquarters in Stamford, Connecticut. The average full-time and part-time employee tenure at the Company is approximately 8.9 years.

Culture and Engagement. We recognize the importance of an engaged workforce, and we support the professional development of our colleagues to help them achieve their career goals. Our 2025 colleague engagement survey results reflected our commitment to establishing a culture of trust and safety by encouraging colleagues to share their opinions and actionable ideas for improvement. Webster provides all colleagues with 24 hours of paid time (pro-rated for new hires and part-time colleagues) to volunteer at the organizations of their choice.

Internal Communication. Our internal communications channels are designed to keep colleagues informed, connected, and aligned with company priorities. We publish Webster Weekly, an all-colleague newsletter that provides regular updates on key initiatives, news, and achievements across the organization. Our intranet, the Vault, serves as a centralized hub for corporate messaging, essential resources and department information, ensuring colleagues have easy access to timely and accurate content. In 2025, we hosted 11 Webster Within webinars, a leadership series featuring members of the executive management committee who share insights on important topics and organizational priorities, supporting transparency, engagement, and ongoing colleague education.

Inclusion and Belonging. At Webster, we believe that fostering a culture of inclusion and belonging is integral to our long-term success. We are committed to attracting, developing, and retaining a talented workforce with a broad range of perspectives, knowledge, and experience. We are dedicated to providing equal employment opportunities to all individuals in accordance with applicable laws. We believe this approach enhances engagement, supports retention, increases job satisfaction, and contributes to a more engaged and productive workforce. Our Business Resource Groups, open to all colleagues on a voluntary basis, are strategic partners who support programs and initiatives that advance talent acquisition and leadership development, colleague retention and productivity, market development, and customer attraction and retention. They further align with corporate strategy by leveraging and capitalizing on the benefits of an inclusive well-qualified workforce to drive innovation, strengthen problem-solving, deepen market insight and enhance colleague engagement and satisfaction.

Compensation. Our compensation program is designed to attract, retain, and reward performance and align incentives with achievement of our strategic plan, and both short- and long-term operating objectives. Our hiring, promotion, and retention practices are based on merit and qualifications, guided by the principles of fairness. Our pay practices have strong governance processes, including reviewing competitive market data from multiple surveys each year. We also offer competitive benefits packages that reflect the needs of our workforce, which include medical, dental, and vision plans, prescription benefits, life insurance and disability benefits, HSAs, wellness incentives, health coaching, telemedicine, paid parental leave, paid time off and paid holidays, a matching 401(k) retirement savings plan, an employee stock purchase plan, an employee assistance program, a student loan repayment program, backup child and elder care, pet insurance, and wellness programs. We continually review and evolve our benefit plans as necessary to remain competitive and meet the needs of our workforce.

2

Table of Contents

Learning and Talent Management. We are focused on investing in our current and future talent by actively supporting the success, growth, and career progression of our colleagues. Our colleagues have access to our internal learning resources that offer in-person facilitated learning programs, virtual instructor-led training and on-demand programs. We also provide unlimited access to self-directed e-learning courses taught by industry experts with curated learning paths designed for specific professional interests.

Significant investments in formal development programs are made to build our talent pipeline. Our Internship Program and our Rotational Program for early-career college graduates provide rotating assignments throughout the bank. Further, we offer our RISE Emerging Talent Program for high-potential individuals, our flagship management development program, Lead with Impact, and our Advanced Leadership Program targeted to our top leadership talent. Our mentoring program, which partners with our Business Resource Group network, is also an important resource to support colleagues with their professional growth based on their self-identified career development goals.

Competition

The Company is subject to strong competition from other commercial banks, savings banks, credit unions, non-bank health savings account trustees, consumer finance companies, investment companies, insurance companies, online lending and savings institutions, and other non-bank financial services companies. Certain of these competitors are larger financial institutions with substantially greater resources, lending limits, larger branch systems, and a wider array of commercial and consumer banking services than the Company. Many of these competitors lack a physical presence within our geographic footprint, but actively pursue business through digital channels and other remote means. Competition could intensify in the future as a result of industry consolidation, the increasing availability of products and services from non-bank organizations, including financial technology companies, greater technological developments in the industry, and continued bank regulatory changes.

The Company faces substantial competition for deposits and loans throughout its market areas. The primary factors in competing for deposits are interest rates, personalized services, the quality and range of financial services, convenience of office locations and hours, mobile banking, and other automated services. Competition for deposits comes from other commercial banks, savings banks, credit unions, non-bank health savings account trustees, money market mutual funds, financial technology companies, and other non-bank financial services companies. The primary factors in competing for commercial and consumer loans are interest rates, loan origination fees, ease and convenience of loan origination channels, the quality and range of lending services, personalized service, and the ability to close within each customer’s desired time frame. Competition for the origination of loans comes primarily from commercial banks, non-bank lenders, savings institutions, mortgage banking firms, mortgage brokers, online lenders, and insurance companies.

The financial services industry continues to undergo rapid technological change with frequent introductions of new technology-driven products and services, including innovative ways that customers can make payments or manage their accounts, such as through the use of mobile payments, digital wallets, or digital assets. Other factors that affect competition include the general and local economic conditions, current interest rate levels, and volatility in the lending markets.

Supervision and Regulation

The Company and its bank and non-bank subsidiaries are subject to extensive regulation under federal and state laws. The regulatory framework applicable to bank holding companies and their depository institutions is intended to protect depositors, the DIF, consumers, and the U.S. banking system as a whole, not stockholders.

Set forth below is a summary of the significant elements of the laws and regulations applicable to the Company and its bank and non-bank subsidiaries. The description that follows is qualified in its entirety by reference to the full text of the statutes, regulations, and policies that are described. Banking statutes, regulations, and policies are continually under review by Congress, state legislatures, and federal and state regulatory agencies. Changes in the statutes, regulations, or policies applicable to the Company and its bank and non-bank subsidiaries, including how they are implemented or interpreted by regulators or by courts, could have a material effect on the results of the Company.

Regulatory Agencies

The Company is a separate and distinct legal entity from the Bank and its other subsidiaries. As a registered bank holding company that has elected to be treated as a financial holding company, the Company is subject to consolidated regulation, inspection, examination, and supervision under the BHC Act by its primary federal regulator, the Federal Reserve. As a publicly-traded company, the Company is subject to the disclosure and regulatory requirements of the Securities Act of 1933, as amended, and the Securities Exchange Act of 1934, as amended, which are administered by the SEC. As a publicly-traded company with securities listed on the NYSE, the Company is subject to the rules of the NYSE.

The Bank is organized as a national banking association under the National Bank Act, as amended, and is subject to the supervision of and regular examination by the OCC, its primary regulator, and with respect to some matters, by the FDIC, its deposit insurer, and the CFPB. As a national banking association, the Bank derives its lending, investment, and other bank activity powers from the National Bank Act, as amended, and the regulations of the OCC promulgated thereunder.

3

Table of Contents

The Company’s non-bank subsidiaries are also subject to regulation by the Federal Reserve and other applicable federal and state agencies.

Permissible Activities

In general, the BHC Act limits the business of bank holding companies to banking, managing, or controlling banks and other activities that the Federal Reserve has determined to be closely related to banking. Bank holding companies that qualify and elect to become financial holding companies, such as the Company, may engage in any activity, or acquire and retain the shares of a company engaged in any activity, that is either financial in nature or incidental to such financial activity (as determined by the Federal Reserve in consultation with the Secretary of the Treasury), or complementary to a financial activity, and that does not pose a substantial risk to the safety and soundness of depository institutions or the financial system (as solely determined by the Federal Reserve). Activities that are financial in nature include securities underwriting, dealing and market making, sponsoring mutual funds and investment companies, insurance underwriting, and merchant banking. Subject to certain exceptions, the BHC Act generally prohibits us from acquiring direct or indirect ownership or control of voting shares of any company engaged in activities that are not permissible for financial holding companies to engage in.

Maintaining our financial holding company status requires that the Company and the Bank remain “well-capitalized” and “well managed,” as defined by Regulation Y, and that the Bank maintains at least a “satisfactory” rating under the CRA. If the Company or the Bank fail to continue to meet these requirements, we could be subject to restrictions on new activities and acquisitions, and/or be required to cease and possibly divest operations that conduct existing activities that are not permissible for a bank holding company that is not a financial holding company. Additionally, the Federal Reserve could impose corrective capital and managerial requirements and activity restrictions on us if we cease to be “well-capitalized” or “well managed.”

Acquisitions of Ownership

Acquisitions of Webster voting stock above certain thresholds may be subject to prior regulatory notice or approval under applicable federal banking laws. Investors are responsible for ensuring that they do not, directly or indirectly, acquire shares of Webster stock in excess of the amount that can be acquired without regulatory approval or notice under the BHC Act and the Change in Bank Control Act.

The proposed Transaction with Banco Santander will be subject to relevant regulatory approvals. Refer to the paragraphs captioned under “Regulatory approvals may not be received, may take longer than expected, or may impose conditions that are not presently anticipated or that could have an adverse effect on the combined company following the Transaction” in Part I - Item 1A. Risk Factors for additional information.

Mergers and Acquisitions

Under the BHC Act, prior approval from the Federal Reserve is required in order for any bank holding company to acquire direct or indirect ownership or control of more than 5% of the voting shares of any bank, acquire all or substantially all of the assets of a bank, or merge or consolidate with any other bank holding company. Generally, the Company is not required to obtain prior approval from the Federal Reserve to acquire a non-bank that engages in activities that are financial in nature or incidental to activities that are financial in nature, as long as the Company continues to meet the capital, managerial, and CRA requirements that enable it to qualify as a financial holding company. However, the Company is required to receive prior approval from the Federal Reserve for an acquisition in which the total consolidated assets to be acquired exceeds $10 billion.

Pursuant to Section 18(c) of the FDIA, more commonly known as the Bank Merger Act, and for national banks relying on certain other sources of merger authority, prior written approval from a bank’s primary federal regulator is required before any insured depository institution may consummate a merger transaction, which includes a merger, consolidation, assumption of deposit liabilities, and certain asset transfers between or among two or more institutions. Prior written approval of a bank’s primary federal regulator is also required for merger transactions between or among affiliated institutions, as well as for merger transactions between or among non-affiliated institutions. Transactions that do not involve a transfer of deposit liabilities typically do not require prior approval under the Bank Merger Act unless the transaction involves the acquisition of all or substantially all of an institution’s assets. When evaluating and acting on proposed merger transactions, regulators consider the extent of existing competition between and among the merging institutions, other depository institutions, and other providers of similar or equivalent services in the relevant product and geographic markets, the convenience and needs of the community to be served, capital adequacy and earnings prospects, and the effectiveness the merger institutions in combating money-laundering activities, among other factors.

Further, the Change in Bank Control Act of 1978 prohibits the Company from acquiring control of a bank regulated by the FDIC without providing at least 60 days prior written notice to the FDIC or upon receipt of written notice that the FDIC does not disapprove of the acquisition.

4

Table of Contents

Capital Adequacy

The Federal Reserve, the OCC, and the FDIC have adopted the regulatory capital standards in accordance with the Basel III Capital Rules, as developed by the Basel Committee on Banking Supervision. The Basel III Capital Rules strengthened international capital adequacy standards by increasing institutions’ minimum capital requirements and holdings of

high-quality liquid assets and decreasing bank leverage.

Under the Basel III Capital Rules, as currently adopted in the U.S., the Company’s and the Bank’s assets, exposures, and certain off-balance sheet commitments and obligations are subject to risk weights used to determine risk-weighted assets. Risk weights can range from 0% for U.S. government securities to 1,250% for certain tranches of complex securitization or equity exposures. Risk-weighted assets serve as the base against which regulatory capital is measured, and are used to calculate capital ratios of CET1 Risk-Based Capital, Tier 1 Risk-Based Capital, Total Risk-Based Capital, and Tier 1 Leverage Ratio, as defined in the applicable regulations, which the Company and the Bank are required to maintain above certain specified minimums. CET1 capital consists of common stockholders’ equity less deductions for goodwill and other intangible assets, and certain deferred tax adjustments. At the time of initial adoption of the Basel III Capital Rules, the Company had elected to opt-out of the requirement to include certain components of AOCI in CET1 capital. Tier 1 capital consists of CET1 capital plus preferred stock. Total capital consists of Tier 1 capital and Tier 2 capital, as defined in the regulations. Tier 2 capital includes qualifying subordinated debt and the permissible portion of the ACL.

In addition, the Basel III Capital Rules mandate that most deductions from or adjustments to regulatory capital be made to CET1 capital, not to the other components. For instance, the deduction of mortgage servicing assets, certain DTAs, and capital investments in unconsolidated financial institutions is required to the extent that any one such category exceeds 10% of CET1 capital or exceeds 15% of CET1 capital in the aggregate.

The Basel III Capital Rules also include a capital conservation buffer comprised entirely of CET1 capital, which is considered in addition to the 4.5% minimum CET1 capital ratio and is equal to 2.5% of risk-weighted assets for both the Company and the Bank. This buffer is designed to absorb losses during periods of economic stress, and is generally required in order to avoid limitations on capital distributions and certain discretionary bonus payments to executive officers.

Our regulatory capital ratios can be found in Part II under the section captioned “Liquidity and Capital Resources” contained in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations, and within Note 13: Regulatory Capital and Restrictions in the Notes to Consolidated Financial Statements contained in Item 8. Financial Statements and Supplementary Data.

Prompt Corrective Action

FDICIA requires the federal bank regulatory agencies to take “prompt corrective action” regarding FDIC-insured depository institutions that do not meet certain capital adequacy standards. A depository institution’s treatment for purposes of the prompt corrective action provisions depends upon its level of capitalization and certain other factors. An institution that fails to remain “well-capitalized” becomes subject to a series of restrictions that increase in severity as its capital condition weakens. Such restrictions may include a prohibition on capital distributions, restrictions on asset growth or restrictions on the ability to receive regulatory approval of applications. FDICIA also provides for enhanced supervisory authority over “under capitalized” institutions, including authority for the appointment of a conservator or receiver for the institution. In certain instances, a bank holding company may be required to guarantee the performance of an “under capitalized” subsidiary bank’s capital restoration plan. As of December 31, 2025, the Bank was categorized as “well-capitalized” under each of its capital ratio categories.

An insured depository institution with a ratio of tangible equity less than or equal to 2% is considered to be critically under capitalized. If an insured depository institution has been determined, after notice and opportunity for a hearing, to be in an unsafe or unsound condition, or if it receives a less-than-satisfactory rating for asset quality, management, earnings, or liquidity in its most recent examination, the appropriate federal banking agency may downgrade a well capitalized, adequately capitalized, or under capitalized insured depository institution to the next lower capital category.

All insured depository institutions, regardless of their capital category, are prohibited from making capital distributions or paying management fees if such distributions or payments would result in the insured depository institution becoming under capitalized, unless it is shown that the capital distribution would improve financial condition, or the management fee is being paid to a person or entity without a controlling interest in the insured depository institution. Restrictions are placed on certain brokered deposit activity and on deposit rates offered as the capital category declines below well capitalized. Further, if an insured depository institution receives notice that it is under capitalized, significantly under capitalized, or critically under capitalized, the insured depository institution generally must file a written capital restoration plan with the appropriate federal banking agency within 45 days of receipt, and the bank holding company must guarantee the performance of that plan.

5

Table of Contents

Enhanced Prudential Standards

The Federal Reserve established enhanced prudential standards for larger bank holding companies based on size and certain risk-based indicators. In 2019, the Federal Reserve, along with other federal bank regulatory agencies, tailored these prudential standards allowing bank holding companies with total consolidated assets of $250 billion or less to be exempt from certain enhanced capital and liquidity prudential standards, including company-run stress testing, capital planning, liquidity coverage ratio, and resolution planning requirements, among others. Although the Company’s total consolidated assets are beneath the $250 billion threshold, the Company performs certain stress tests internally and incorporates the economic models and information developed through its stress testing program into its risk management and capital planning activities, which continue to be subject to the regular supervisory processes of the Federal Reserve System and the OCC.

The transition to heightened supervision under enhanced prudential standards for large banks (e.g., crossing $100 billion of assets, and thus becoming a Category IV institution under the tailoring framework) is a significant regulatory hurdle and involves additional liquidity risk management requirements, more onerous internal liquidity stress testing and liquidity buffer requirements, supervisory stress testing, the stress capital buffer, additional capital planning requirements, additional reporting to the Federal Reserve and more comprehensive resolution plan filings with the FDIC.

Federal Reserve System

Regulations of the Federal Reserve require a depository institution to maintain reserves against its transaction accounts and non-personal time deposits for the purposes of implementing monetary policy. The reserve requirement must be satisfied in the form of vault cash and, if vault cash is insufficient, by maintaining a balance in an account at a FRB. The FRA authorizes different ranges of reserve requirement ratios depending on the amount of transaction account balances held at a depository institution. Since March 26, 2020, the reserve requirement ratios on all net transaction accounts were reduced to zero percent, thereby eliminating reserve requirements for all depository institutions.

Further, as a national bank and a member of the Federal Reserve System, the Bank is required to subscribe to the capital stock of its district FRB in an amount equal to 6% of its capital and surplus, of which 50% is paid. The remaining 50% is subject to call by the Federal Reserve. At December 31, 2025, the Bank held a stock investment in the FRB of New York of $231.2 million.

Federal Home Loan Bank System

The FHLB System provides a central credit facility for its member institutions. The Bank, as a member of the FHLB of Boston, is required to purchase and hold shares of FHLB capital stock for its membership and other activities in an amount equal to 0.05% of total assets as of the end of the prior calendar year, up to a maximum of $5 million, plus an amount that varies from 3.0% to 4.0% depending on the maturities of its FHLB advances, of which there were $3.0 billion outstanding for the Bank at December 31, 2025. The Bank was in compliance with these requirements at December 31, 2025, and held a FHLB stock investment of $125.2 million.

Source of Strength Doctrine

Bank holding companies are required to serve as a source of financial and managerial strength to their subsidiary banks and could be required to commit resources to support each of their subsidiary banks. This support may be required at times when the Company is not in a financial position to provide such resources without adversely affecting its ability to meet other obligations. The Federal Reserve may require a bank holding company to make capital injections into a troubled subsidiary bank and may charge the bank holding company with engaging in unsafe and unsound practices if it fails to commit resources to such a subsidiary bank when necessary, or if it undertakes actions that the Federal Reserve believes might jeopardize the bank holding company’s ability to commit resources to such subsidiary bank when necessary. Capital loans by a bank holding company to its subsidiary bank would be subordinate in right of payment to deposits and certain other debts of the subsidiary bank. In the event of bankruptcy, a formal commitment by a bank holding company to a federal bank regulatory agency to maintain the capital of a subsidiary bank would be assumed by the bankruptcy trustee and entitled to a priority of payment.

In addition, under the National Bank Act, if the Bank’s capital stock is impaired by losses or otherwise, the OCC is authorized to require payment of the deficiency by assessment upon the Company. If the assessment is not paid within three months after receiving notice thereof, the OCC could order a sale of the Bank stock held to cover any deficiency.

Safety and Soundness Standards

The federal bank regulatory agencies have adopted the rules and regulations under the Interagency Guidelines Establishing Standards for Safety and Soundness, which are applicable to all insured depository institutions. These guidelines prescribe standards relating to internal controls, information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure, asset growth, compensation, fees, and benefits, asset quality, earnings, and stock valuation, as determined to be appropriate.

6

Table of Contents

The OCC also has established guidelines setting forth heightened risk management and governance standards for large national banks, which currently includes the Bank. A large bank is currently defined as a bank with more than $50 billion in average total consolidated assets from its four most recently filed quarterly Call Reports. Because the Bank is currently a covered bank, it has a risk governance framework designed to meet the OCC heightened standards. In December 2025, the OCC issued a notice of proposed rulemaking that would increase the threshold at which the heightened standards apply from $50 billion to $700 billion in average total consolidated assets, while keeping in place the concept of a risk governance framework for banks with over $50 billion in average total consolidated assets. Additional information regarding our risk governance framework can be found under the section captioned “Risk Governance Framework” contained elsewhere in this Item 1. Business.

If the applicable federal bank regulatory agency determines that an institution fails to meet any of the established standards, the agency may require the institution to submit an acceptable plan to achieve compliance with the standard. In the event that an institution fails to submit an acceptable plan within the time allowed, or fails, in any material respect, to implement an accepted plan, the agency must require the institution to correct the deficiency and may take other supervisory and enforcement actions until the deficiency is corrected.

In more serious instances, enforcement actions may include the issuance of directives to increase capital, the issuance of formal and informal agreements, the imposition of civil monetary penalties, the issuance of a cease and desist order that can be judicially enforced, the issuance of removal and prohibition orders against officers, directors, and other institution affiliated parties, the termination of the insured depository institution’s deposit insurance, the appointment of a conservator or receiver for the insured depository institution, and injunctions or restraining orders based upon a judicial determination that the FDIC, as receiver, would be harmed if such equitable relief was not granted.

Resolution Planning

The FDIC requires certain insured depository institutions with more than $50 billion in total assets to periodically submit resolution plans to provide the FDIC with information about the bank that is essential to effective resolution planning and to support the execution of a resolution, if necessary. In June 2024, the FDIC amended its insured depository institution resolution plan rule, which requires the Bank, as a “Group B” insured depository institution with between $50 billion and $100 billion in total assets, to submit informational filings on a three-year cycle and provide limited interim supplements in each of the off-years. The final rule became effective October 1, 2024. The Bank’s initial information filing submission is due on or before April 1, 2026. In December 2025, the FDIC provided an update on insured depository institution resolution planning for large banks and announced that it expects to propose changes to the Insured Depository Institution Rule and to conduct capabilities testing in 2026 on insured depository institutions’ ability to populate a virtual data room.

Dividends

The Company is dependent upon dividends from the Bank to provide funds for its cash requirements, including the payment of dividends to stockholders. Dividends paid by the Bank are subject to federal regulatory limitations. Express approval by the OCC is required if the effect of dividends declared would cause the regulatory capital of the Bank to fall below specified minimum levels or would exceed the net income for that year combined with the undistributed net income for the preceding two years. During the year ended December 31, 2025, the Bank declared and paid $900.0 million in dividends to the Company and had $634.6 million of undistributed net income available for the declaration and payment of dividends at December 31, 2025.

In addition, federal bank regulatory agencies have the authority to prohibit the Company from engaging in unsafe or unsound practices in conducting its business. The declaration and payment of dividends, depending on the financial condition of the Bank, could be deemed an unsafe or unsound practice, especially if its capital base is depleted to an inadequate level. The ability of the Bank to pay dividends in the future is currently, and could be further, influenced by bank regulatory policies and capital requirements.

Transactions with Affiliates and Insiders

Transactions between insured depository institutions and their affiliates are governed by Sections 23A and 23B of the FRA and Federal Reserve Regulation W. In a bank holding company context, at a minimum, the parent holding company of a national bank, and any companies that are controlled by such parent holding company, are considered affiliates of the bank. Generally, sections 23A and 23B of the FRA are intended to protect insured depository institutions from losses arising from transactions with non-insured affiliates by (i) limiting the extent to which an institution or its subsidiaries may engage in covered transactions with any one affiliate and with all affiliates in the aggregate, and (ii) requiring that all such transactions be on terms substantially the same, or at least favorable, to the institution or subsidiary as those provided to a non-affiliate on market terms. The term covered transaction includes the making of loans, purchase of assets, the issuance of a guarantee, and similar types of transactions. Certain covered transactions must be collateralized according to the FRA and Regulation W.

7

Table of Contents

In addition, Section 22(h) of the FRA and Federal Reserve Regulation O restricts extensions of credit to directors, executive officers, and principal stockholders or insiders of the Bank. Pursuant to Section 22(h), extensions of credit to directors, executive officers, and principal stockholders of the Bank or its affiliates must be made on terms substantially the same as offered in comparable transactions to other persons, except that such insiders may receive preferential extensions of credit made under a benefit or compensation program that is widely available to the institution’s employees and does not give preference to the insider over the employees. Further, extensions of credit to insiders and their related interests may not exceed, together with all other outstanding extensions of credit to such persons and affiliated entities, the percentage of the institution’s total unimpaired capital and unimpaired surplus set forth in Regulation O. Extensions of credit to insiders above specified amounts must receive prior approval from the Bank’s Board of Directors. Section 22(g) of the FRA and Regulation O places additional limitations on extensions of credit to executive officers.

Consumer Protection and Consumer Financial Protection Bureau Supervision

As an insured depository institution with more than $10 billion in total assets, the Bank is subject to supervision by the CFPB. The CFPB has been responsible for implementing, enforcing, and examining compliance with federal consumer financial protection laws. In early February 2025, employees of the CFPB were instructed to cease all supervision, investigations, enforcement, rulemaking, and stakeholder activities. It is unclear how long these instructions — which are the subject of ongoing litigation — will stay in force, either fully or partially. There are also a number of federal laws, which the Bank has been subject to, that are designed to protect borrowers and promote lending, including, but not limited to, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Procedures Act, the Truth in Lending Act, the Home Mortgage Disclosure Act, the Real Estate Settlement Practices Act, the Consumer Financial Protection Act of 2010, and the Gramm Leach Bliley Act regarding Privacy of Consumer Financial Information.

In October 2023, the Federal Reserve proposed amendments to its rules on interchange fees. Interchange fees, or “swipe” fees, are charges that merchants pay to card-issuing banks for processing electronic payment transactions. The current interchange fee limitations establish a maximum possible fee for many types of debit interchange transactions that is equal to no more than 21 cents per transaction plus five basis points multiplied by the value of the transaction. The proposed changes would establish a maximum permissible interchange fee of no more than 14.4 cents per transaction plus four basis points multiplied by the value of the transaction. The current rules allow a debit card issuer to recover one cent per transaction for fraud prevention purposes if the issuer complies with certain fraud-related requirements. Under the proposed changes, the fraud prevention adjustment would be increased to 1.3 cents per transaction. The proposed rule would also establish an automatic update of the interchange fee cap every other year based on a survey of debit card issuers. However, the Federal Reserve’s existing interchange fee rule is subject to ongoing litigation and therefore the Federal Reserve has indicated that it does not intend to finalize a new rule until there is legal certainty regarding interpretation of the regulation.

State authorities have increased their focus on and enforcement of consumer protection rules. Consumer protection laws apply to a broad range of our activities and to various aspects of our business and include laws relating to interest rates, fair lending, disclosures of credit terms and estimated transaction costs to consumer borrowers, debt collection practices, the use of and the provision of information to consumer reporting agencies, and the prohibition of unfair, deceptive, or abusive acts or practices in connection with the offer, sale, or provision of consumer financial products and services. The extent to which the Bank as a national bank is also subject to certain state consumer protection laws is also subject to ongoing litigation and uncertainty.

Identity Theft

Certain regulated entities are required to establish programs to address risks of identity theft. In accordance with these rules, financial institutions and creditors are required to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The Company has an Identity Theft Prevention Program in place satisfying its compliance with these requirements.

Financial Privacy and Data Security

The Company is subject to federal and certain state laws and regulations containing consumer privacy and data protection provisions addressing the treatment of nonpublic personal information about consumers by financial institutions. Subject to certain exceptions, financial institutions are prohibited from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various notice and opt-out requirements, and the consumer has not elected to opt out of the disclosure. Regardless as to whether a financial institution shares nonpublic personal information, the institution must provide notice of its privacy policies and practices to its consumers, and must follow redisclosure and reuse limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.

The federal bank regulatory agencies have adopted guidelines for establishing information security standards and programs to protect such information, with an increased focus on risk management and processes related to information technology, and the use of third parties. The expectation from the federal bank regulatory agencies is that financial institutions have established lines of defense to ensure that their risk management processes address the risks posed by compromised customer credentials, and that the financial institution has sufficient business continuity planning processes to ensure rapid recovery, resumption, and maintenance of operations after a cyber-attack.

8

Table of Contents

Financial institutions are required to notify customers of security breaches that result in unauthorized access to their nonpublic personal information and its primary regulator of certain types of computer security incidents that result in harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits, as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.

Community Reinvestment Act and Fair Lending Laws

The Bank has a responsibility under the CRA to help meet the credit needs of its communities, including low and moderate-income neighborhoods. The CRA does not establish specific lending requirements or programs for financial institutions, nor does it limit an institution’s discretion to develop the types of products or services that it believes are best suited to its particular community. In connection with its examination, the OCC assesses the Bank’s record of compliance with the CRA. In addition, the Equal Credit Opportunity Act and the Fair Housing Act prohibit discrimination in lending practices on the basis of characteristics specified in those statutes. The Bank’s failure to comply with the provisions of the CRA could, at a minimum, result in regulatory restrictions on its activities, as well as the activities of the Company. Further, the Bank’s failure to comply with the Equal Credit Opportunity Act and the Fair Housing Act could result in enforcement actions against it by the OCC, as well as other federal regulatory agencies, including the CFPB and the Department of Justice. The Bank received a CRA rating of Outstanding in its most recent examination.

Federal Deposit Insurance

The standard deposit insurance coverage limit is $250,000 per depositor, per FDIC-insured bank, for each account ownership category, although the FDIC may guarantee uninsured deposits above the $250,000 limit under the statutory systemic risk exception, as was done with the Silicon Valley Bank and Signature Bank failures in March 2023. The DIF is funded mainly through quarterly assessments on insured depository institutions, such as the Bank, and provides insurance coverage for certain deposits up to this maximum amount.

The Bank’s assessment is determined each quarter in accordance with the FDIC’s standardized risk-based methodology by multiplying its assessment rate by its assessment base. The assessment base equals the Bank’s average consolidated total assets less average tangible equity during the assessment period. As a large bank, or generally one with $10 billion or more in assets, the Bank is assigned an individual rate based on a scorecard, which combines CAMELS (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity) component ratings, financial measures used to measure a bank’s ability to withstand asset-related and funding-related stress, and a measure of loss severity that estimates the relative magnitude of potential losses to the FDIC in the event of the bank’s failure, to produce a score that is then converted to an assessment rate.

Assessment rates are subject to adjustment by the FDIC. For instance, assessment rates could (i) decrease for the issuance of long-term unsecured debt, including senior unsecured debt and subordinated debt, (ii) increase for holdings of long-term unsecured or subordinated debt issued by other banks, or (iii) increase for significant holdings of brokered deposits for large banks that are not well rated or not well capitalized. In 2022, the FDIC increased the initial deposit base deposit insurance assessment rate schedules uniformly by 2 basis points for all insured depository institutions, beginning in the first quarterly assessment period of 2023. The increase in assessment rate schedules is intended to increase the likelihood that the reserve ratio of the DIF reaches the statutory minimum of 1.35% by the statutory deadline of September 30, 2028.

In November 2023, the FDIC published a final rule implementing a special assessment for certain banks to recover losses incurred by protecting uninsured depositors of Silicon Valley Bank and Signature Bank upon their failure in March 2023. The special assessment is to be collected for an anticipated total of eight quarterly assessment periods, which began with the second quarter of 2024. In December 2025, the FDIC issued an interim final rule outlining a process for a potential offset to regular quarterly deposit insurance assessments for banks subject to the special assessment if the special assessment amount collected ultimately exceeds losses to the DIF. At December 31, 2025, the Company’s remaining accrual for its estimated special assessment charge was $5.9 million. The FDIC retains the right to cease collection early, extend the special assessment collection period, and impose a final shortfall special assessment if actual losses exceed the amounts collected. Additional information regarding this FDIC special assessment and the Company’s related FDIC special assessment liability can be found within Note 22: Commitments and Contingencies in the Notes to Consolidated Financial Statements contained in Part II - Item 8. Financial Statements and Supplementary Data.

The FDIC may terminate a depository institution’s deposit insurance upon finding that the institution’s financial condition is unsafe or unsound, or that the institution has engaged in unsafe and unsound practices, or has violated any applicable law, regulation, rule, order, or condition imposed by the FDIC. The Company’s management is not aware of any practice, violation, or condition that might lead to the termination of its deposit insurance.

9

Table of Contents

Depositor Preference

In the event of the liquidation or other resolution of an insured depository institution, including the Bank, the claims of depositors of the institution (including any claims of the FDIC as subrogee of depositors) and certain claims for administrative expenses of the FDIC as a receiver will have priority over other general unsecured claims against the institution. If an insured depository institution fails, claims of insured and uninsured depositors, along with claims of the FDIC, would have priority in payment ahead of unsecured, non-deposit creditors, including the Company, with respect to any extensions of credit they have made to such insured depository institution.

Anti Money Laundering

A major focus of U.S. federal governmental policy as it relates to financial institutions is aimed at combating money laundering and terrorist financing. The failure of a financial institution to maintain and implement adequate programs to combat money laundering and terrorist financing, or to comply with the relevant laws and regulations, could have serious legal and reputational consequences for the financial institution, including causing the applicable bank regulatory authorities to not approve merger or acquisition transactions or to prohibit such transactions even if prior approval is not required.

Financial institutions are required to take certain measures to identify their customers, prevent money laundering, monitor customer transactions, and report suspicious activity to U.S. law enforcement agencies. Financial institutions also are required to respond to requests for information from federal bank regulatory agencies and law enforcement agencies. Information sharing among financial institutions for the above purposes is encouraged by an exemption granted to complying financial institutions from the privacy provisions of federal privacy laws. Financial institutions that hold correspondent accounts for foreign banks or provide private banking services to foreign individuals are required to take measures to avoid dealing with certain foreign individuals or entities, including foreign banks with profiles that raise money laundering concerns, and are prohibited from dealing with foreign shell banks and persons from jurisdictions of particular concern.

Financial institutions also are required to establish internal anti money laundering programs. The effectiveness of a financial institution in combating money laundering activities is a factor to be considered in any application submitted under the Bank Merger Act. The Company has in place a Bank Secrecy Act and USA PATRIOT Act compliance program and engages in very few transactions of any kind with foreign financial institutions or foreign persons. The Company also complies with the sanctions administered by the OFAC of the U.S. Department of the Treasury, which is responsible for administering economic sanctions that affect transactions with designated foreign countries, nations, and others. The OFAC publishes lists of persons, organizations, and countries suspected of aiding, harboring, or engaging in terrorist acts, known as Specially Designated Nationals and Block Persons. Blocked assets (i.e., property and bank deposits) cannot be paid out, withdrawn, set off, or transferred in any manner without a license from the OFAC. Failure to comply with these sanctions could have serious legal and reputational consequences.

Debit Card Interchange Fees

The Federal Reserve requires that the amount of any interchange transaction fee that a debit card issuer may receive or charge with respect to an electronic debit transaction shall be reasonable and proportional to the cost incurred by the debit card issuer with respect to the transaction, and imposes requirements regarding routing and exclusivity of electronic debit transactions and the usability of debit cards across networks. Interchange fees for certain electronic debit transactions are capped at 21 cents plus 0.05% of the transaction value for issuers with over $10 billion in consolidated assets, such as the Bank. The regulation also allows covered debit card issuers to receive 1 cent per transaction for fraud-prevention costs, provided that the debit card issuer meets the fraud-prevention standards established by the Federal Reserve. For information regarding the Federal Reserve’s proposed amendments to its rules on interchange fees, refer to the paragraphs captioned under “Consumer Protection and Consumer Financial Protection Bureau Supervision” earlier in this section. Interchange fees impact revenues of the Consumer Banking and HSA Bank operating segments, however, HSA Bank’s interchange revenue is not subject to these rules. The regulations that govern interchange fees remains subject to ongoing litigation.

Incentive Compensation

The federal bank regulatory agencies have issued joint guidance on incentive compensation designed to ensure that the incentive compensation policies of banking organizations do not encourage imprudent risk taking and are consistent with the safety and soundness of the organization. We take this guidance into account as part of our compensation practices and enterprise risk management. Additionally, in accordance with federal securities laws and regulations and the continued listed standards for the NYSE, we adopted our Policy for Recoupment of Incentive Compensation for our executive officers as of October 17, 2023, which has been included as Exhibit 97 to this Annual Report on Form 10-K. Dodd-Frank requires the Federal Reserve, the OCC, the FDIC, the SEC, and two other regulatory agencies to adopt regulations governing incentive compensation provided by regulated financial services companies to their executives and other employees. Although regulations to implement these requirements has been proposed multiple times, final regulations have not been adopted.

10

Table of Contents

Fair Access to Financial Services

In recent years, certain states have enacted, or have proposed to enact, statutes, regulations, or policies that prohibit financial institutions from denying or canceling products or services to a person or business, or otherwise discriminating against a person or business in making available products or services, on the basis of certain social or political factors or other activities. In August 2025, Executive Order 14331, “Guaranteeing Fair Banking Access for All Americans,” was signed, which states that it is the policy of the U.S. that no American should be denied access to financial services because of their constitutionally or statutorily protected beliefs, affiliations, or political views. The Executive Order directs the U.S. Treasury Secretary and the federal bank regulatory agencies to address politicized or unlawful debanking activities.

Climate-Related Developments

Climate change and the risks it may pose to financial institutions has, in the recent past, been an area of focus by the federal and state legislative bodies and regulators, including the federal bank regulatory agencies. In the future, new regulations or guidance may be issued, or other regulatory or supervisory actions may be taken, in this area by the federal bank regulatory agencies or other regulatory agencies. In addition, many states have adopted, or are considering adopting, laws that address climate-related and other issues that might arise. These laws may increase our compliance costs and may include provisions that conflict with other state and federal regulations. The Company will continue monitoring legislative and regulatory activity that may implicate potential new legal or regulatory obligations on our part and evaluating their potential impact to Webster.

Risk Governance Framework

Under federal banking laws, the Bank is required to maintain a risk governance framework that ensures the Bank’s risk profile is easily distinguished and separate from that of its parent bank holding company for risk management purposes, and a risk committee, led by an independent director, with at least one risk management expert, that is responsible for the oversight of its enterprise risk management framework and that meets other statutory and regulatory requirements set by the OCC. Under the OCC’s guidelines, the Bank may use the risk governance framework of its parent company if it meets the minimum standards, and the risk profiles of the parent company and the covered bank are substantially the same, along with certain other conditions. The Bank has elected to use the Company’s risk governance framework. The Bank maintains a standing Risk Committee of the Board that meets the OCC’s regulatory requirements to oversee its enterprise risk management framework. In addition, the Enterprise Risk Management Committee, which is the highest management-level risk committee, provides oversight of the risks inherent in Webster’s business and serves as an escalation point for risk topics and issues raised by its seven sub-committees.

At Webster, risk is defined as the potential that events, expected or unexpected, may have an adverse effect on the Company’s earnings, capital, and/or enterprise value. Webster’s risk governance framework, which is aligned with the OCC’s Heightened Standards and the Handbook on Large Bank Supervision, reflects a structured and systematic approach to managing risks and controlling risk-taking activities across the organization.

Risk identification is a continuous process and occurs at various levels throughout the organization. The approaches used to identify risk include process and data analysis, risk metrics, and risk assessments. Risks are categorized using a risk taxonomy and are assessed across all applicable risk categories. This includes an assessment of inherent risk and residual risk after considering the effectiveness of the control environment.

During the year ended December 31, 2025, the Company revised its risk taxonomy to better align with regulatory expectations and industry practices. Specifically, Information Risk was consolidated into Operational Risk, Financial Risk was realigned into Liquidity Risk and Market/Price Risk, and Reputation Risk was consolidated into Strategic Risk. These revisions were primarily administrative in nature, and do not represent a material change in the Company’s underlying risk profile.

Impacts of risk can be both quantitative and qualitative. Risks are mitigated through the establishment of robust controls, and documented policies and related procedures. A control is a specific activity, procedure, tool, or technical standard designed to satisfy the control objective and implemented within a business process to mitigate the impact and likelihood of associated inherent risk. For risks that cannot be controlled, First Line of Defense management may decide to accept the risks with agreement from relevant Second Line of Defense management, reduce the level of business activity, share or transfer the risks, or withdraw from the activity altogether.

Webster maintains a Risk Appetite Statement, which is a key component of its risk governance framework as it links the monitoring and reporting of risks, at the enterprise level, with Webster’s business strategy and financial objectives by providing the organization with expectations of the type and level of risk it is willing to accept in pursuit of its objectives. The Risk Appetite Statement establishes a risk appetite across Operational, Credit, Compliance, Liquidity, Market/Price, and Strategic as Level 1 risk categories, which represent the top risks that drive Webster’s risk profile, and uses a 5-point rating scale (minimal to critical). Further delineation and detail is provided at Level 2 and Level 3 to enable more precise risk identification, assessment, and response. The Risk Appetite Statement includes a set of qualitative risk statements and quantitative Board-level metrics along with Board-level tolerances, which are approved by the Board annually. Breaches of approved tolerances are required to be escalated and addressed in a timely manner.

11

Table of Contents

The Chief Executive Officer is ultimately responsible for all of Webster’s risk-taking activities and for supporting an effective enterprise risk management framework that is adopted, operationalized, and executed. The Chief Executive Officer sets the tone at the top and reinforces a strong risk culture that values risk self-identification and for holding executives accountable for their adherence to the enterprise risk management framework, appropriately assessing and effectively managing all of the risks associated with their activities and operating within the established risk appetite.

The Company has adopted the Three Lines of Defense Model. Under this model, the First Line manages risks, verifies compliance, performs control activities, and works in coordination with the Second Line. The Second Line provides expertise, support, and tools, and challenges the First Line to enhance efficiency and effectiveness of the control environment. The Third Line provides independent and objective assurance to management and the Board, assessing whether the First and Second Line functions are operating effectively. Detailed roles and responsibilities for each line are as follows:

*First Line of Defense: Front-Line Units represent process owners that engage in activities designed to generate revenue and reduce expenses, provide operational and technology services, and provide operational support and servicing in the delivery of products or services. Since Front-Line Unit activities inherently create risk, the Front-Line Units are responsible for assessing and managing that risk.

*Second Line of Defense: Independent Risk Management is responsible for identifying, measuring, monitoring, or controlling risks independently from the Front-Line Units and providing effective challenge to the Front-Line Units. Independent Risk Management includes Enterprise Risk, Operational Risk, Corporate Compliance, Enterprise Financial Crime, and Credit Risk Review, which report to the Chief Risk Officer, and Credit Risk Management, which reports to the Chief Credit Officer. The Chief Risk Officer and the Chief Credit Officer are Webster’s Chief Risk Executives.

*Third Line of Defense: Internal Audit independently assesses Webster’s risk management processes and controls using methodology developed from professional auditing standards and regulatory guidance. Internal Audit undertakes these responsibilities through periodic reviews of Webster’s business activities, operations, and systems, and through special or retrospective reviews that may be specifically requested by the Audit Committee or management. The Chief Audit Executive leads Internal Audit.

In December 2025, the OCC issued a notice of proposed rulemaking that would increase the threshold at which the heightened standards apply from $50 billion to $700 billion in average total consolidated assets, while keeping in place the concept of a risk governance framework for banks with over $50 billion in average total consolidated assets.

Credit Risk

Credit risk is the risk of loss that arises when a client or counterparty fails to honor its financial or contractual obligations to Webster and/or the underlying collateral is insufficient to satisfy the obligation. Credit risk arises in Webster’s lending operations, and in its funding and investment activities where counterparties have repayment or other obligations to Webster. Credit risk can also arise from deposit overdrafts and other solutions or services that involve customer obligations for the transfer of funds.

The overall focus of credit risk management is to identify, measure, monitor, and control credit risk at the portfolio and enterprise level. Webster maintains underwriting standards consistent with its desired risk profile and robust credit processes. Webster’s loan portfolio is balanced to include both commercial and consumer lending activity while closely managing concentrations in borrowers, counterparties, industries, geographies, and collateral asset classes to avoid excessive correlated risk. Diversification of the loan portfolio across commercial and industrial, commercial real estate, and consumer is important in managing credit risk. Accordingly, management aims to actively measure and manage concentrations by portfolio, industry sector, and specific sub-sectors, geography, affiliated obligors, and other common characteristics. Webster is primarily a relationship lender. In addition, Webster will only assume credit risk when it can be effectively managed from an infrastructure or operational perspective, and it has industry, product, and market expertise.

Credit Risk at Webster includes:

–Credit Concentration Risk – The risk of financial loss due to overly concentrated exposure to borrowers and/or counterparties that have common characteristics, such as industry, geography, or collateral asset class.

–Credit Quality Risk – The risk of financial loss due to a decline in a borrower or counterparties creditworthiness, default due to lack of willingness or ability to meet financial obligations, or asset quality deterioration.

The Chief Credit Officer is responsible for credit risk oversight. The Credit Risk Management Committee is also responsible for providing oversight and governance of credit risk for the Bank.

12

Table of Contents

Liquidity Risk

Liquidity Risk is the potential inability to meet contractual or contingent obligations as they arise without incurring significant losses. Liquidity Risk at Webster includes:

–Capital Adequacy Risk – The risk that the bank does not have enough capital to absorb losses and support its operations, putting its solvency, stability, and regulatory compliance at risk.

–Funding Risk – The risk that the Bank will be unable to issue new debt to meet funding needs or repay existing debt as it comes due.

–Structural Mismatch Risk – The risk of misalignment of cash flow timing between assets and liabilities, potentially leading to operational difficulties and financial losses.

Liquidity is monitored by considering the adequacy of liquidity sources and by considering present and future needs under various operating conditions, including extreme stress. Additionally, Webster aims to maintain capital levels that are consistent with supervisory expectations and commensurate with the risk profiles of our portfolios for a range of stress scenarios.

Market/Price Risk

Market/Price Risk is the risk of loss arising from changes in external market variables such as interest rates, foreign exchange rates, equity prices, asset values, and collateral values. Market/Price Risk at Webster includes:

–Investment Risk – The risk of significant changes in interest rates leading to fluctuations in the market value or prices of investments, potentially resulting in financial losses or capital deterioration.

–Interest Rate Risk – The risk arising from significant changes in interest rates that could have a material adverse impact on the Company’s earnings or equity.

Interest rate exposure is actively monitored by measuring sensitivity of earnings and equity to changing interest rates and managed using investment portfolio positioning, wholesale funding mix, and interest rate contracts to ensure stable earnings and capital in changing interest rate environments.

The Chief Financial Officer, along with ALCO, are responsible for providing oversight and governance of both liquidity risk and market/price risk.

Operational Risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. Operational risk at Webster includes:

–Business Disruption Risk – The risk of disruption to business activities that prevents the execution of critical operations required to service clients, support products, and satisfy other external obligations.

–Corporate Practices Risk – The risk that arises from failing to adhere to expected regulatory and financial market practices, including accurate and timely reporting, corporate tax filing, document retention/destruction, and effective risk management practices.

–Data Risk – The risk arising from inappropriate or inadequate collection, storage, processing, use, sharing, or disposal of information and data, including availability of data to support business processes.

–External Fraud Risk – The risk of loss due to acts intended to defraud, misappropriate property, or circumvent regulations, laws, or company policies by an external party.

–Human Capital Risk – The risk of loss of key personnel, skills shortages, and knowledge management which could potentially impact Webster’s ability to execute on its key strategic initiatives, facilitate a desired risk culture, competitive position in the marketplace, and business operations.

–Information Security Risk – The risk of unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction of electronic or physical data.

–Information Technology Risk – The risk that systems handling information and process flow may not meet quality, availability, and efficiency standards in line with industry, client, and regulatory expectations, or may fail causing outages, or that new systems may not be implemented timely.

–Internal Fraud Risk – The risk of loss due to acts intended to defraud, misappropriate property, or circumvent regulations, laws, or company policies which involve at least one internal party (e.g., colleague, former colleague, contractor).

–Model Risk – The risk that arises from errors within a model and/or incorrect use of a model, while considering the degree of reliance on model output in decision making.

–Physical Security Risk – The risk that arises from the inability to protect Webster’s assets, including infrastructure and people, from criminal injury or natural and/or manmade disasters that would impair its ability to operate.

13

Table of Contents

–Processing Risk – The risk of failing to appropriately and timely process transactions on behalf of clients, colleagues, or the company, service client accounts, or manage technology and non-technology related change initiatives.

–Third-Party Risk – The risk of failing to manage third-party relationships resulting in an incident or vulnerability with a service being provided by or on behalf of a third-party provider.

Webster mitigates operational risk through an operational risk management framework, which provides a set of tools to identify, assess, monitor, control, and report on operational risk. The operational risk management framework enables the lines of business and corporate functions to establish accountability for the timely and effective management of identified risks, control failures, or other related gaps/deficiencies. Webster seeks to control operational risk within an acceptable range, determined by the types of businesses in which it engages. Control of operational losses depends on identifying the types of transactions and operational risks faced at the enterprise and business level, and ensuring effective internal control processes are in place to mitigate these risks.

The Head of Operational Risk is responsible for operational risk oversight. Additionally, the Operational Risk Management Committee is responsible for providing oversight and governance of Operational risk. Further, the Information Risk Committee is specifically responsible for providing oversight and governance of information security and information technology risks.

Compliance Risk

Compliance risk is the risk arising from non-adherence to applicable laws, rules, regulations, and other supervisory guidance. It risk exposes Webster to fines, civil monetary penalties, payment of damages, and the voiding of contracts. Compliance Risk at Webster includes:

–Conduct Risk – The risk associated with the conduct and behavior of individuals and organizations.

–Consumer Compliance Risk – The risk associated with failing to comply with regulations and laws that protect consumers.

–Fiduciary Compliance Risk – The risk associated with failing to uphold fiduciary duties when managing client investments and trust accounts.

–Financial Crimes Risk – The risk associated with illicit activities and criminal behaviors within the financial industry.

–Legal Risk – The risk arising from potential legal action due to colleague or corporate actions, improperly licensed legal entities, failure to meet Board’s requirements, and non-compliance with laws or regulations.

–Prudential Regulatory Risk – The risk associated with failing to comply with prudential regulatory requirements, potentially undermining confidence in the company.

Corporate Compliance manages compliance risk through the execution of a comprehensive Compliance Management Program, which is designed to identify and evaluate risks of non-compliance, assess, test, and monitor the effectiveness of internal controls, and report and escalate significant regulatory compliance risks and issues.

The Chief Compliance Officer is responsible for compliance risk oversight. The Regulatory Compliance Committee is responsible for providing oversight and governance of compliance risk.

Strategic Risk

Strategic risk is the risk associated with the Company’s mission and future business plans and includes the current or prospective risk to capital and earnings arising from changes in the business environment and from adverse business decisions, improper implementation of decisions, or lack of responsiveness to changes in the business environment. Strategic Risk at Webster includes:

–Strategy Consistency & Effectiveness Risk – The risk associated with the potential for the strategic plan or approach to be inconsistent or ineffective in achieving desired outcomes or business objectives. The chosen strategy may not be well-aligned with the Company’s goals, competitive landscape, or changing market conditions, leading to suboptimal results.

–Reputational Risk – The risk arising from negative perception of the company among clients, colleagues, investors, governments, regulators, and other external parties.

Webster manages strategic risk through a disciplined process led by Webster’s Chief Strategy Officer. This process ensures that strategic choices and initiatives align with Webster’s strategic risk management framework and overarching goal of allocating capital and resources to support strategies that create value for customers and sustainably grow economic profit over time. Management decisions include selecting strategic priorities, applying planning assumptions, assessing internal capabilities and external conditions, and dedicating resources to execution. Changes and updates to strategic choices and supporting initiatives are reviewed by the Board along with the Company’s priorities. The impact of strategies on Webster’s risk appetite and risk profile is evaluated in collaboration with independent risk management functions as part of the strategic planning process.

14

Table of Contents

The Chief Corporate Responsibility Officer is responsible for implementing programs to manage reputational risk. Reputational risk is managed through strong corporate governance, risk culture, and adherence to the Code of Business Conduct and Ethics.

Enterprise Risk Management is responsible for second line oversight of strategic risks. Additionally, the Enterprise Risk Management Committee is the management-level oversight committee responsible for providing direct oversight and governance of strategic risks.

Additional information regarding risks and uncertainties, and relevant risk factors that could impact the Company’s business, results of operations, or financial condition can be found in Part I - Item 1A. Risk Factors and throughout Part II of this report.