Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - CFFN

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors" for a discussion of risks and uncertainties related to our business that could adversely impact our operations and/or financial results. We do not undertake to update any forward-looking statement, whether written or oral, that may be made from time to time by or on behalf of the Company or the Bank.

PART I
As used in this Form 10-K, unless we specify or the context indicates otherwise, "the Company," "we," "us," and "our" refer to Capitol Federal Financial, Inc. a Maryland corporation, and its subsidiaries. "Capitol Federal Savings," and "the Bank," refer to Capitol Federal Savings Bank, a federal savings bank and the wholly-owned subsidiary of Capitol Federal Financial, Inc.

Item 1. Business

General

The Company is a Maryland corporation with its common stock traded on the Global Select tier of the NASDAQ Stock Market. The Bank is a wholly-owned subsidiary of the Company and is a federally chartered and insured savings bank headquartered in Topeka, Kansas. The Bank continues to transition from a retail oriented financial institution to one with an expanded focus on commercial customers by strategically growing all aspects of commercial banking through investment in technology, people, products, and services.

We attract deposits primarily from the general public and from businesses, and invest those funds primarily in commercial loans, either secured by real estate or for commercial and industrial purposes, and in permanent loans secured by first mortgages on owner-occupied, one- to four-family residences. The Bank is active in commercial lending markets even when the lending opportunity is outside of the Bank's local footprint. We also participate with other lenders in commercial loans, and have previously purchased loans from correspondent lenders secured by mortgages on one- to four-family residences but we suspended that line of business in June 2024. The Bank invests in certain investment securities and mortgage-backed securities ("MBS"). The Bank funds our lending and investing activities from deposits and Federal Home Loan Bank of Topeka ("FHLB") borrowings.

We offer a variety of deposit accounts having a wide range of interest rates and terms, which generally include savings accounts, money market accounts, interest-bearing and non-interest-bearing checking accounts, and certificates of deposit with terms ranging from 91 days to 120 months. We also offer a broad range of banking services, including a full suite of treasury management services designed to support commercial customers in managing their financial operations efficiently and securely. By leveraging treasury management services, we help businesses streamline their operations, reduce financial risk, and maximize liquidity while growing the Bank's non-interest-bearing deposit base and diversifying fee-based income. We also offer tailored banking services for our small business customers and are actively expanding our suite of private banking and trust and wealth management products and services.

The Company's results of operations are primarily dependent on net interest income, which is the difference between the interest earned on loans, securities, and cash, and the interest paid on deposits and borrowings. On a weekly basis, management reviews deposit flows, loan demand, cash levels, and changes in several market interest rates to assess all pricing strategies. The Bank's pricing strategy for commercial loans is generally based on competitor pricing and the credit risk of the borrower, with consideration given to the overall relationship of the borrower. Pricing for commercial loans is generally based on competitor pricing and the credit risk of the borrower with consideration given to the overall relationship of the borrower. Pricing for first mortgage loan products includes setting interest rates based on secondary market prices and competitor pricing for our local lending
2

markets. Generally, deposit pricing is based upon a survey of competitors in the Bank's market areas, and the need to attract funding and retain maturing deposits.

The Company is significantly affected by prevailing economic conditions, including federal monetary and fiscal policies and federal regulation of financial institutions. Deposit balances are influenced by a number of factors, including interest rates paid on competing investment products, the level of personal income, and the personal rate of savings within our market areas. Lending activities are influenced by the demand for business and housing activity levels, our loan underwriting guidelines compared to those of our competitors, as well as the interest rate environment and interest rate pricing competition from other lending institutions.

Management Strategy

We seek to offer a comprehensive suite of commercial and consumer banking products and services to our customers. We strive to enhance stockholder value while maintaining a sound asset quality position and strong capital position. We strive to enhance stockholder value while maintaining a strong capital position. To achieve these goals, we focus on the following strategies:

Lending. We offer both commercial and one- to four-family loan products to our customers. We continue to strategically grow our commercial loan portfolio through prospecting for new relationships and maintaining and expanding existing relationships. We maintain strong relationships with local real estate agents to attract one- to four-family loan business. We maintain strong relationships with local real estate agents to attract loan business. We rely on our marketing efforts and customer service reputation to be top of mind for commercial customers and attract business from walk-in customers, customers that apply online, and existing customers. We rely on our marketing efforts and customer service reputation to attract business from walk-in customers, customers that apply online, and existing customers.

We offer several commercial lending options and participate in commercial loans with other lenders, both locally and outside our market areas. We offer both fixed- and adjustable-rate products with various terms to maturity and pricing options. We monitor concentration levels such as collateral type, geographic location, tenant brand name, borrowing relationships, and, in the case of participation loans, lending relationships, among other factors.

We are one of the leading originators of conventional one- to four-family loans in the state of Kansas. We are one of the leading originators of one- to four-family loans in the state of Kansas. We originate these loans primarily for our own portfolio, and we generally service the loans we originate. We originate these loans primarily for our own portfolio, and we service the loans we originate. Historically, we purchased one- to four-family loans from correspondent lenders but suspended that activity during fiscal year 2024. We also originate a variety of consumer loans, the majority of which are home equity loans and lines of credit for which the Bank also has the first mortgage or is in the first lien position.

Deposit Services. We offer a wide array of deposit products and services to our commercial and retail customers. Our deposit product offerings include checking, savings, money market, certificates of deposit, and retirement accounts. These products include checking, savings, money market, certificates of deposit, and retirement accounts. Deposit services are provided through our network of traditional branches and retail in-store locations, our call center (which operates on extended hours), mobile banking, telephone banking, and online banking and bill payment services. Our deposit services are provided through our network of traditional branches and retail in-store locations, our call center (which operates on extended hours), mobile banking, telephone banking, and online banking and bill payment services.

We offer a competitive suite of treasury management services to meet the needs of our commercial customers. Our treasury management solutions include services such as cash flow optimization, fraud prevention tools, and payment services tailored to our commercial customers. Our treasury management solutions include cash flow optimization, fraud prevention tools, and payment services tailored to meet the needs of commercial clients. We listen to the needs of our commercial clients that utilize these services and actively evaluate new technology in order to capture a larger share of their business with additional products and services. We have also deployed a team of business development officers tasked with growing the deposit base within the small business customer segment, focusing on serving small businesses in our market areas with specialized products specifically designed for these customers.

We are preparing to implement a comprehensive suite of private banking products and services in fiscal year 2026 to better serve our customers and grow our non-interest revenue. We believe that our private banking line of business will bridge the gap between high-net-worth depository customers, small business owners or commercial customers, and corporate trustee opportunities for the Bank.

3

Cost Control. We generally are effective at controlling our costs of operations. We believe our investments in developing a full suite of commercial products and services, and our expanded services in private banking and trust and wealth management, are appropriate and that their successful execution can generate revenue in excess of the related costs. We centralize our loan servicing and deposit support functions for efficient processing. We serve a broad range of customers through relatively few branch locations. Our average deposit base per traditional branch at September 30, 2025 was approximately $128.5 million. This large average deposit base per branch helps to control costs. Our prudent underwriting requirements and our effective management of credit risk allow us to service a large portfolio of loans at efficient levels because it costs less to service a portfolio of performing loans. Our one- to four-family lending strategy and our effective management of credit risk allow us to service a large portfolio of loans at efficient levels because it costs less to service a portfolio of performing loans.

Asset Quality. Maintaining strong asset quality has always been a top priority for us, and is even more important now, as we expand our commercial loan portfolio. We utilize underwriting standards for all of our lending products, including the loans we purchase and participate in, that are designed to limit our exposure to credit risk. We require complete documentation for both loans originated by the Bank and for commercial participation loans and make credit decisions based on our assessment of the borrower's ability to repay the loan in accordance with its terms. We require complete documentation for both originated and purchased loans, and make credit decisions based on our assessment of the borrower's ability to repay the loan in accordance with its terms. We monitor concentration levels by collateral type, geographic location, and borrowing relationship. We also monitor the credit quality of existing loans and borrowers, which includes monitoring financial performance at least annually for commercial borrowers with total loans of $2.5 million or more. We strive to work proactively with customers, especially if they face challenging financial conditions.

Capital Position. Our policy has always been to protect the safety and soundness of the Bank through credit and operational risk management, balance sheet strength, and sound operations. The end result of these activities has been capital ratios that meet or exceed the well-capitalized standards set by the Office of the Comptroller of the Currency (the "OCC"). We believe that maintaining a strong capital position safeguards the long-term interests of the Bank, the Company, and our stockholders.

Stockholder Value. We strive to provide long-term, sustainable stockholder value while maintaining a strong capital position. We strive to provide stockholder value while maintaining a strong capital position. We continue to generate returns to stockholders through dividend payments and share repurchases. Total dividends declared and paid during fiscal year 2025 were $44.3 million. The Company also repurchased 618,260 shares for $3.9 million during fiscal year 2025, all of which occurred during the fourth quarter of the fiscal year. The Company repurchased 3,280,110 shares for $19.3 million during fiscal year 2024, which all occurred in the first half of the year. The Company's cash dividend payout policy is reviewed quarterly by management and the Board of Directors, and the ability to pay dividends under the policy depends upon a number of factors, including the Company's financial condition and results of operations, regulatory capital requirements, regulatory limitations on the Bank's ability to make capital distributions to the Company, the Bank's current tax earnings and accumulated earnings and profits, and the amount of cash at the holding company level. For fiscal year 2026, it is the intention of the Company's Board of Directors to pay out a regular quarterly cash dividend of $0.085 per share, totaling $0.34 per share for the year, and to seek further opportunities for value-enhancing share repurchases.

Interest Rate Risk Management.3 •Interest Rate Risk Management. Changes in interest rates are our primary market risk as our balance sheet is almost entirely comprised of interest-earning assets and interest-bearing liabilities. Therefore, fluctuations in interest rates have a significant impact not only upon our net income but also upon the cash flows related to those assets and liabilities and the market value of our assets and liabilities. To maintain what we believe to be acceptable levels of net interest income in varying interest rate environments, we actively manage our interest rate risk and assume a moderate amount of interest rate risk consistent with policies approved by the Board of Directors. In order to maintain what we believe to be acceptable levels of net interest income in varying interest rate environments, we actively manage our interest rate risk and assume a moderate amount of interest rate risk consistent with policies approved by the Board of Directors.

Market Area and Competition

Our corporate office is located in Topeka, Kansas. As of September 30, 2025, we had a network of 46 branches (44 traditional branches and two in-store branches) located in nine counties throughout Kansas and three counties in Missouri. As of September 30, 2024, we had a network of 48 branches (44 traditional branches and four in-store branches) located in nine counties throughout Kansas and three counties in Missouri. We primarily serve the metropolitan areas of Topeka, Wichita, Lawrence, Manhattan, Emporia, and Salina, Kansas and a portion of the metropolitan area of greater Kansas City.

We operate in a highly competitive environment for quality commercial banking relationships across the markets we serve. Larger national, regional and local financial institutions, as well as credit unions, farm credit lenders, commercial finance companies, insurance companies, and other non-bank lenders have increased their presence in our market areas thereby increasing competition. Additionally, we face competition from smaller local institutions that often offer aggressive pricing and specialized loan structures and banking services. We compete in a number of ways, including a comprehensive suite of products and services, competitive loan pricing, and a strong reputation in the market areas we serve. We provide competitive interest rates on both deposit and lending products and offer a full suite of treasury management services to
4

commercial customers. Through our treasury management services, we pair our commercial customers with experienced relationship managers who offer a broad range of customized services, digital platforms and sophisticated cash management tools tailored to their business. We offer specialized products and services to our small business customers and have a team of bankers focused on the deposit and loan needs of small businesses in our market areas. We are focused on the financial needs of customers and strategically invest in all aspects of commercial banking by aligning technology, people, products and services to expand the offering of products and services to our customers to remain competitive and grow commercial banking.

Competition in originating one- to four-family and consumer loans and attracting retail deposits primarily comes from local, regional, and national banks, savings institutions, credit unions, mortgage brokerage firms, investment banking and brokerage firms, and online competitors that are not confined to any specific market area. Competition in originating one- to four-family and consumer loans and attracting retail deposits primarily comes from local, regional, and national banks, savings institutions, credit unions, mortgage brokerage firms, investment banking and brokerage firms, and online competitors that are not confined to any specific market area. As noted above, the Bank has consistently been one of the top originators of residential one- to four-family loans in the state of Kansas. The Bank has consistently been one of the top originators of residential one- to four-family loans in the state of Kansas. This has been achieved through strong relationships with real estate agents and marketing which emphasizes the strength of Capitol Federal's brand, competitive pricing, and the Bank's history as a portfolio lender. This has been achieved through strong relationships with real estate agents and targeted marketing campaigns which emphasize the strength of Capitol Federal's brand, competitive pricing, and the Bank's history as a portfolio lender. The Bank offers a diversified retail deposit product line, and we are actively expanding our suite of private banking and trust and wealth management products and services by strategically investing in staff and technology. This description is intended as a brief summary of selected features of such laws and regulations and is qualified in its entirety by reference to the laws and regulations applicable to the Company and the Bank. Management considers our well-established banking network and our reputation for financial strength and customer service to be major factors in our success at attracting and retaining customers in our market areas. The Bank ranked second in deposit market share, at 6.2%, in the state of Kansas as reported in the June 30, 2025 Federal Deposit Insurance Corporation ("FDIC") "Summary of Deposits - Market Share Report. The Bank ranked third in deposit market share, at 6.1%, in the state of Kansas as reported in the June 30, 2024 Federal Deposit Insurance Corporation ("FDIC") "Summary of Deposits - Market Share Report. "

Available Information

Financial and other Company information, including press releases, Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K, and all amendments to those reports can be obtained free of charge from our investor relations website, https://ir.capfed.com. SEC filings are available on our website immediately after they are electronically filed with or furnished to the SEC, and are also available on the SEC's website at www.sec.gov.


Regulation and Supervision

The Bank is examined and regulated by the OCC, its primary regulator, and its deposits are insured up to applicable limits by the Deposit Insurance Fund ("DIF"), which is administered by the FDIC. The Company, as a savings and loan holding company, is examined and regulated by the FRB.

Set forth below is a description of certain laws and regulations that are applicable to the Company and the Bank. This description is intended as a brief summary of selected features of such laws and regulations and is qualified in its entirety by reference to the laws and regulations applicable to the Company and the Bank.

General.4 General. The Bank, as a federally chartered savings bank, is subject to regulation and oversight by the OCC in all aspects of its operations. This regulation and oversight of the Bank is intended for the protection of depositors and other customers and not for the purpose of protecting the Company's stockholders. The investment and lending authority of the Bank is prescribed by federal laws and regulations and the Bank is prohibited from engaging in any activities not permitted by such laws and regulations. The Bank and Company are required to maintain minimum levels of regulatory capital and the Bank is subject to limitations on making capital distributions to the Company.

The Company is a unitary savings and loan holding company within the meaning of the Home Owners' Loan Act ("HOLA"). As such, the Company is registered with the FRB and subject to FRB regulations, examinations, supervision, and reporting requirements. In addition, the FRB has enforcement authority over the Company. Among other things, this authority permits the FRB to restrict or prohibit activities by the Company that are determined to be a serious risk to the Bank.

The enforcement authority of the OCC and of the FRB includes, among other things, the ability to assess civil monetary penalties, to issue cease-and-desist or removal orders, and to initiate injunctive actions. In general, these enforcement actions may be initiated for violations of laws and regulations and unsafe or unsound practices. Other actions or inactions may provide the basis for enforcement action, including misleading or untimely filed reports. Except under certain circumstances, public disclosure of final enforcement actions by the OCC or the FRB is required by law.
5

As a federally chartered savings bank, the Bank is required to maintain a significant portion of its assets in residential housing-related loans and investments in at least nine months of the most recent 12-month period. An institution that fails to do so is immediately subject to restrictions on its operations, including a prohibition against capital distributions, except with the prior approval of both the OCC and the FRB. Failure to meet this qualification is a statutory violation subject to enforcement action. As of September 30, 2025, the Bank met the qualification.

The Bank's relationship with its depositors and borrowers is regulated to a great extent by federal laws and regulations, especially in such matters as the ownership of savings accounts and the form and content of mortgage requirements. In addition, the branching authority of the Bank is regulated by the OCC. The Bank is generally authorized to branch nationwide.
The Bank is subject to a statutory lending limit on aggregate loans to one person or a group of related persons. The general limit is 15% of the Bank's unimpaired capital and surplus, plus an additional 10% for loans fully secured by readily marketable collateral. At September 30, 2025, the Bank's lending limit under this restriction was $144.7 million. The Bank has no loans or loan relationships in excess of its lending limit. Loan commitments and loans outstanding to the Bank's largest borrowing relationship totaled $103.2 million at September 30, 2025, all of which was current according to its terms. As of September 30, 2025, the lending relationship was composed of several commercial and industrial loans with a combined gross balance of $85.1 million and multiple commercial real estate loans with a combined gross balance of $18.1 million. The borrower is located in Kansas and the properties securing the commercial real estate loans are located in Kansas.

The OCC has adopted guidelines establishing safety and soundness standards on matters such as loan underwriting and documentation, asset quality, earnings standards, internal controls and audit systems, interest rate risk exposure, and compensation and other employee benefits. The Bank is subject to periodic examinations by the OCC regarding these and related matters. During these examinations, the examiners may require the Bank to increase its ACL, change the classification of loans, and/or recognize additional charge-offs based on their judgments, which can impact our capital and earnings. In October 2025, the OCC announced several regulatory changes aimed at reducing burdens and tailoring oversight for community banks. Effective January 1, 2026, the OCC will eliminate certain mandatory, non-statutory examination requirements, allowing examiners to adjust exam scope and frequency based on each bank’s size, complexity, and risk profile. The agency also introduced initiatives to simplify model risk-management expectations for smaller institutions and expand eligibility for streamlined licensing procedures for well-managed community banks. Together, these measures are designed to make supervision more risk-focused and less prescriptive, while maintaining safety and soundness standards.

Regulatory Capital Requirements. The Bank and the Company are required to maintain specified levels of regulatory capital under regulations of the OCC and FRB, respectively. See "Part II, Item 8. Financial Statements and Supplementary Data - Notes to Consolidated Financial Statements - Note 13. Regulatory Capital Requirements" for additional regulatory capital information. At September 30, 2025, the Bank was considered well capitalized under OCC regulations.

The OCC can establish individual minimum capital requirements for a particular institution which vary from the capital levels that would otherwise be required under the applicable capital regulations based on such factors as concentrations of credit risk, levels of interest rate risk, the risks of non-traditional activities, and other circumstances. The OCC has not imposed any such requirements on the Bank.

The OCC is authorized and, under certain circumstances, required to take certain actions against federal savings banks that are not adequately capitalized because they fail to meet the minimum requirements associated with their elected capital framework. Any such institution must submit a capital restoration plan for OCC approval and may be restricted in, among other things, increasing its assets, acquiring another institution, establishing a branch or engaging in any new activities, and may not make capital distributions. Any such institution must submit a capital restoration plan for OCC approval and may be restricted in, among 5 other things, increasing its assets, acquiring another institution, establishing a branch or engaging in any new activities, and may not make capital distributions. Institutions that are deemed by the OCC to be "critically undercapitalized" are subject to the appointment of a conservator or receiver. As of September 30, 2025, the Bank and the Company met all capital adequacy requirements to which they are subject.

Limitations on Dividends and Other Capital Distributions. OCC regulations impose restrictions on savings institutions with respect to their ability to make distributions of capital, which include dividends, stock redemptions or repurchases, cash-out mergers and other transactions charged to the capital account. Under FRB and OCC safe harbor regulations, a savings institution generally may make capital distributions during any calendar year equal to net income of the previous two calendar years and current year-to-date net income (to the extent not previously distributed). A savings institution that is a
6

subsidiary of a savings and loan holding company, such as the Company, that proposes to make a capital distribution must submit written notice to the OCC and FRB 30 days prior to such distribution. The OCC and FRB may object to the distribution during that 30-day period based on safety and soundness or other concerns. Savings institutions that desire to make a larger capital distribution, are under special restrictions, or are not, or would not be, sufficiently capitalized following a proposed capital distribution must file an application and obtain regulatory non-objection prior to making such a distribution.

The long-term ability of the Company to pay dividends to its stockholders is based primarily upon the ability of the Bank to make capital distributions to the Company. So long as the Bank remains well capitalized after each capital distribution, and operates in a safe and sound manner, it is management's belief that the OCC and FRB will continue to allow the Bank to distribute its earnings to the Company, although no assurance can be given in this regard.
Insurance of Accounts and Regulation by the FDIC. The Bank also is subject to regulation and examination by the FDIC, which insures the deposits of the Bank to the maximum extent permitted by law. The DIF of the FDIC insures deposit accounts in the Bank up to applicable limits, with a maximum amount of deposit insurance for banks and savings institutions of $250 thousand per separately insured deposit ownership right or category.

The FDIC assesses deposit insurance premiums on all FDIC-insured institutions quarterly based on annualized rates. Under these rules, assessment rates for an institution with total assets of less than $10 billion are determined by CAMELS composite rating (capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market rates) and certain financial ratios, and range from 2.5 to 32.0 basis points, subject to certain adjustments. Under these rules, assessment rates for an institution with total assets of less than $10 billion are determined by capital adequacy, asset quality, management, earnings, liquidity, and sensitivity (CAMELS) composite ratings and certain financial ratios, and range from 2.5 to 32.0 basis points, subject to certain adjustments. Assessment rates for an institution with $10 billion or more in total assets are assigned an individual rate based on a scorecard that measures the institution's composite rating, ability to withstand asset-related and funding-related stress and the magnitude of potential losses to the FDIC in the event of failure. The current assessment rates were set in October 2022, when the FDIC adopted a final rule that increased the initial base deposit assessment rate schedule uniformly by two basis points, beginning with the first quarterly assessment period of 2023. The increased assessment rate will remain in effect unless and until the reserve ratio meets or exceeds 2%, absent further action by the FDIC's Board of Directors. For the fiscal year ended September 30, 2025, the Bank paid $4.3 million in FDIC premiums. Assessment rates are applied to an institution's assessment base, which is its average consolidated total assets minus its average tangible equity during the assessment period.
The FDIC has authority to increase insurance assessments in the future, and any significant increases could have a material adverse effect on the operating expenses and results of operations of the Company. Management cannot predict what assessment rates will be in the future. In a banking industry emergency, the FDIC may also impose a special assessment.

Insurance of deposits may be terminated by the FDIC upon a finding that an institution has engaged in unsafe or unsound practices, is in an unsafe or unsound condition to continue operations or has violated any applicable law, regulation, rule, order or condition imposed by the FDIC. We do not know of any practice, condition, or violation that may lead to termination of our deposit insurance.

Community Reinvestment and Consumer Protection Laws. In connection with its lending activities, the Bank is subject to a number of federal laws designed to protect borrowers and promote lending to various sectors of the economy and population. These include the Equal Credit Opportunity Act, the Truth-in-Lending Act, the Home Mortgage Disclosure Act, the Real Estate Settlement Procedures Act, the Secure and Fair Enforcement for Mortgage Licensing Act of 2008 ("SAFE Act"), Service Members Civil Relief Act, and the Community Reinvestment Act ("CRA"). With respect to federal consumer protection laws, regulations are generally promulgated by the Consumer Financial Protection Bureau ("CFPB"), but the OCC, rather than the CFPB, currently examines the Bank for compliance with such laws and regulations because the Bank's regulatory assets have yet to exceed $10 billion for four consecutive quarter-ends. With respect to federal consumer protection laws, regulations are generally promulgated by the Consumer Financial Protection Bureau ("CFPB"), but the OCC, rather than the CFPB, currently 6 examines the Bank for compliance with such laws and regulations because the Bank's regulatory assets have yet to exceed $10 billion for four consecutive quarter-ends.

The CRA requires the appropriate federal banking agency, in connection with its examination of an FDIC-insured institution, to assess its record in meeting the credit needs of the communities served by the institution, including low and moderate income neighborhoods. The federal banking regulators take into account the institution's record of performance under the CRA when considering applications for mergers, acquisitions, and branches. Under the CRA, institutions are assigned a rating of outstanding, satisfactory, needs to improve, or substantial non-compliance. The Bank received a satisfactory rating in its most recently completed CRA evaluation.

7

Bank Secrecy Act /Anti-Money Laundering Laws. The Bank is subject to the Bank Secrecy Act and other anti-money laundering laws, including the USA PATRIOT Act of 2001 and regulations thereunder. These laws and regulations require the Bank to implement policies, procedures, and controls to detect, prevent, and report money laundering and terrorist financing, and to verify the identity and source of deposits and wealth of its customers. Violations of these laws and regulations can result in substantial civil and criminal sanctions. In addition, provisions of the USA PATRIOT Act require the federal financial institution regulatory agencies to consider the effectiveness of a financial institution's anti-money laundering activities when reviewing mergers and acquisitions.

Federal Reserve System. In response to the Coronavirus Disease 2019 ("COVID-19") pandemic, the FRB reduced reserve requirement ratios to zero percent effective March 26, 2020, to support lending to households and businesses. At September 30, 2025, the reserve requirement of zero percent was still in place.

The Bank is authorized to borrow from the Federal Reserve Bank "discount window." An eligible institution need not exhaust other sources of funds before going to the discount window, nor are there restrictions on the purposes for which the institution can use primary credit. At September 30, 2025, the Bank had no outstanding borrowings from the discount window.

Federal Home Loan Bank System. The Bank is a member of one of 11 regional Federal Home Loan Banks, each of which serves as a reserve, or central bank, for its members within its assigned region and is funded primarily from proceeds derived from the sale of consolidated obligations of the Federal Home Loan Bank System. The Federal Home Loan Banks make loans, known as advances, to members and provide access to a line of credit in accordance with policies and procedures established by the Board of Directors of FHLB, which are subject to the oversight of the Federal Housing Finance Agency. The Federal Home Loan Banks make loans, called advances, to members and provide access to a line of credit in accordance with policies and procedures established by the Board of Directors of FHLB, which are subject to the oversight of the Federal Housing Finance Agency. At September 30, 2025, the Bank had $1.95 billion of FHLB advances, at par. See "Part II, Item 8. Financial Statements and Supplementary Data – Notes to Financial Statements – Note 8. Deposits and Borrowed Funds" for additional information regarding FHLB advances.

As a member, the Bank is required to purchase and maintain capital stock in FHLB. The minimum required FHLB stock amount is generally 4.5% of the Bank's FHLB advances and outstanding balance against the FHLB line of credit, and 2% of the outstanding principal balance of loans sold into the Mortgage Partnership Finance Program. At September 30, 2025, the Bank had $90.7 million in FHLB stock, which was in compliance with the FHLB's stock requirement. In past years, the Bank has received dividends on its FHLB stock, although no assurance can be given that these dividends will continue. See "Part II, Item 8. Financial Statements and Supplementary Data – Notes to Financial Statements – Note 1. Summary of Significant Accounting Policies" for additional information regarding FHLB stock.

Federal Savings and Loan Holding Company Regulation. The HOLA prohibits a savings and loan holding company (directly or indirectly, or through one or more subsidiaries) from acquiring another savings association, or holding company thereof, without prior written approval from the FRB; acquiring or retaining, with certain exceptions, more than 5% of a non-subsidiary savings association, a non-subsidiary holding company, or a non-subsidiary company engaged in activities other than those permitted by the HOLA; or acquiring or retaining control of a depository institution that is not federally insured. In evaluating applications by savings and loan holding companies to acquire savings associations, the FRB must consider the financial and managerial resources and future prospects of the company and institution involved, the effect of the acquisition on the risk to the insurance funds, the convenience and needs of the community, competitive factors, and other factors.

The FRB has long set forth in its regulations its "source of strength" policy, which requires bank holding companies to act as a source of strength to their subsidiary depository institutions by providing capital, liquidity and other support in times of financial stress. This policy also applies to savings and loan holding companies. This policy now also applies to savings and loan holding companies.

Transactions with Affiliates. Transactions between the Bank and its affiliates are required to be on terms as favorable to the institution as transactions with non-affiliates. Certain of these transactions are restricted to a percentage of the Bank's capital, and, in the case of loans, require eligible collateral in specified amounts. The Bank may not lend to any affiliate engaged in activities not permissible for a bank holding company or purchase or invest in the securities of affiliates. In addition, transactions with affiliates must be consistent with safe and sound banking practices and not involve the purchase of low-quality assets.


8

Taxation

Federal Taxation. The Company and the Bank are subject to federal income taxation in the same general manner as other corporations. The Company files a consolidated federal income tax return. The Company has not received notification from the Internal Revenue Service of any potential tax liability for any years still subject to audit. For federal income tax purposes, the Bank currently reports its income and expenses on the accrual method of accounting and uses a fiscal year ending on September 30 for filing its federal income tax return. Changes to the corporate federal income tax rate would result in changes to the Company's effective income tax rate and would require the Company to remeasure its deferred tax assets and liabilities based on the tax rate in the years in which those temporary differences are expected to be recovered or settled.

Prior to the enactment of the Small Business Job Protection Act (the "1996 Act"), the Bank was permitted to deduct, up to a specified formula limit, a certain percentage of income as bad debts, for which the Bank was not required to establish a deferred tax liability. The difference between actual bad debts and the formula limit bad debt amount ("excess reserves") was recorded in the Bank's retained earnings. As a result of the 1996 Act, savings institutions, like the Bank, were required to use the specific charge-off method in computing bad debts on their tax returns beginning with their 1996 Federal tax returns. The 1996 Act required the recapture of excess reserves over the base year, which was September 30, 1988 for the Bank. The excess reserves established prior to September 30, 1988 remain in retained earnings ("pre-1988 bad debt reserves") subject to recapture by the Bank on the occurrence of certain distributions in excess of current earnings and profits accumulated in tax years beginning after December 31, 1951 ("accumulated earnings and profits"). The Bank had $75.9 million in pre-1988 bad debt reserves at September 30, 2025, which equates to an unrecorded deferred tax liability of $15.9 million. The Bank had $75.9 million in pre-1988 bad debt reserves at September 30, 2024, which equates to an unrecorded deferred tax liability of $15.9 million. See additional discussion regarding the Bank's pre-1988 bad debt recapture in "Part IA. Risk Factors - Other Risks" and "Part II, Item 8. Financial Statements and Supplementary Data - Notes to Consolidated Financial Statements - Note 9. Income Taxes".

State Taxation. The earnings/losses of Capitol Federal Financial, Inc., Capitol Funds, Inc. and Capital City Investments, Inc. are combined for purposes of filing a consolidated Kansas corporate tax return. The Kansas corporate tax rate is 4.0%, plus a surcharge of 3.0% on earnings greater than $50 thousand.

The Bank files a Kansas privilege tax return. For Kansas privilege tax purposes, the minimum tax rate was 4.18% of earnings during fiscal year 2025, which is calculated based on federal taxable income, subject to certain adjustments. The Bank has not received notification from the state of any potential tax liability for any years still subject to audit.

Additionally, the Bank files state tax returns in 16 other states and two cities where it has significant loan balances. In these states and cities, the Bank has either established a nexus under an economic nexus theory or has exceeded enumerated nexus thresholds based on the amount of interest income derived from loans within the state.


Employees and Human Capital Resources

At September 30, 2025, we had a total of 678 employees, including 74 part-time employees. The full-time equivalent of our total employees at September 30, 2025 was 655, an increase from 636 at September 30, 2024.

Our employees are not represented by any collective bargaining group. Management considers its employee relations to be good. We believe our ability to attract and retain employees is a key to our success. Accordingly, we strive to offer competitive salaries and employee benefits to all employees and monitor salaries in our market areas. Physical well-being is supported by the Company's health, dental, vision, life and various other insurances, and a wellness program that encourages employees to live a healthy and balanced lifestyle. Volunteer opportunities are provided and encouraged for all employees. Capitol Federal employees recorded over 4,976 hours in volunteer time for local organizations and charities during fiscal year 2025.

Our Company seeks to recognize and develop the unique contributions each individual brings to our Company, and we are fully committed to maintaining a culture that supports our corporate values. We strive to maintain a workforce reflective of the communities we serve. In addition, our Board of Directors is comprised of members with varying backgrounds, education and experiences to help us understand and support our customers and stockholders. Since 1977, at least one woman has served as a director of the Bank and, since its inception in 1999, at least one woman has served on the Board of Directors of the Company. In addition, since 2012, at least one underrepresented minority has served as a director of the
9

Company and the Bank. The Board of Directors annually reviews the Company's recruitment efforts and employment statistics. The Board of Directors annually reviews the Company's diversity recruitment efforts and employment statistics.

The Company recruits employees through sources and organizations across a variety of networks and communities. The Company also provides multiple opportunities for professional development and growth, including continuing education when applicable and specialty education within banking. Leadership development is supported through our Leadership Forum services, on a biannual basis, for mid-level leaders within the organization. Education for this program is currently provided by Banktastic. Annual employee educational requirements include respectful treatment of all other employees and customers. Annual employee educational requirements include targeted diversity, equity and inclusion training for all managers. All employees receive annual training on providing fair, high-quality service and understanding the causes of legal ramifications of discrimination.

Our employees, together with the Capitol Federal Foundation, contribute to programs that promote educational opportunities in all communities as well as housing in low-and-moderate income communities.


Item 1A. Risk Factors
There are risks inherent in the Bank's and Company's business. The following is a summary of material risks and uncertainties relating to the operations of the Bank and the Company. Adverse experiences with these could have a material impact on the Company's financial condition and results of operations. Some of these risks and uncertainties are interrelated, and the occurrence of one or more of them may exacerbate the effect of others. These material risks and uncertainties are not necessarily presented in order of significance. In addition to the risks set forth below and the other risks described in this Annual Report, there may be risks and uncertainties that are not currently known to us or that we currently deem to be immaterial that could materially and adversely affect our business, financial condition or operating results.

Risks Related to Macroeconomic Conditions

Changes in interest rates could have an adverse impact on our results of operations and financial condition.
Our results of operations are primarily dependent on net interest income, which is the difference between the interest earned on loans, securities, cash at the FRB and dividends received on FHLB stock, and the interest paid on deposits and borrowings.Our results of operations are primarily dependent on net interest income, which is the difference between the interest earned on loans, securities, cash at the Federal Reserve Bank and dividends received on FHLB stock, and the interest paid on deposits and borrowings. Changes in interest rates could have an adverse impact on our results of operations and financial condition because the majority of our interest-earning assets are long-term, fixed-rate loans, while the majority of our interest-bearing liabilities are shorter term, and therefore subject to a greater degree of interest rate fluctuations. This type of risk is known as interest rate risk and is affected by prevailing economic and competitive conditions that are beyond the Company's control, including general economic conditions, inflationary trends and/or monetary policies of the FRB and fiscal policies of the United States federal government. This type of risk is known as interest rate risk and is affected by prevailing economic and competitive conditions that are beyond the 9 Company's control, including general economic conditions, inflationary trends and/or monetary policies of the FRB and fiscal policies of the United States federal government.

The impact of changes in interest rates is generally observed on the income statement. The magnitude of the impact will be determined by the difference between the amount of interest-earning assets and interest-bearing liabilities, both of which either reprice or mature within a given period of time, in addition to the yields earned on interest-earning assets and rates paid on interest-bearing liabilities. This difference provides an indication of the extent to which our net interest rate spread will be impacted by changes in interest rates. In addition, changes in interest rates will impact the expected level of repricing of the Bank's mortgage-related assets and callable debt securities. Generally, as interest rates decline, the amount of interest-earning assets expected to reprice will increase as borrowers have an economic incentive to reduce the cost of their mortgage or debt, which would negatively impact the Bank's interest income to the extent deposits are not repriced lower at a faster pace. Conversely, as interest rates rise, the amount of interest-earning assets expected to reprice will decline as the economic incentive to refinance the mortgage or debt is diminished. As this occurs, the amount of interest-earning assets repricing could diminish to the point where interest-bearing liabilities reprice to a higher interest rate at a faster pace than interest-earning assets, thus negatively impacting the Bank's net interest income. For additional information about the interest-rate risk we face, see "Part II, Item 7A. Quantitative and Qualitative Disclosures about Market Risk."

Changes in interest rates can also have an adverse effect on our financial condition, as available-for-sale ("AFS") securities are reported at estimated fair value. Stockholders' equity, specifically, accumulated other comprehensive income (loss) ("AOCI"), is increased or decreased by the amount of change in the estimated fair value of our AFS securities, net of deferred income taxes. Stockholders' equity, specifically accumulated other comprehensive income (loss) ("AOCI"), is increased or decreased by the amount of change in the estimated fair value of our AFS securities, net of deferred income taxes. Increases in interest rates generally decrease the fair value of AFS securities, which adversely impacts
10

stockholders' equity. For additional information, see "Part II, Item 8. Financial Statements and Supplementary Data – Notes to Consolidated Financial Statements – Note 15. Accumulated Other Comprehensive Income."

Changes in interest rates, as they relate to customers, can also have an adverse impact on our financial condition and results of operations. In times of rising interest rates, default risk may increase among borrowers with adjustable-rate loans as the rates on their loans adjust upward and their payments increase. Fluctuations in interest rates also affect customer demand for loan and deposit products. Competition from financial institutions and others could affect our ability to attract and retain deposits and could result in the Bank paying more for deposits.

In addition to general changes in interest rates, changes that affect the shape of the yield curve could negatively impact the Bank. The Bank's interest-bearing liabilities are generally priced based on short-term interest rates while the majority of the Bank's interest-earning assets are priced based on long-term interest rates. Income for the Bank is primarily driven by the spread between these rates. As a result, a steeper yield curve, meaning long-term interest rates are higher than short-term interest rates, would provide the Bank with a better opportunity to increase net interest income. As a result, a steeper yield curve, meaning long-term interest rates are significantly higher than short-term interest rates, would provide the Bank with a better opportunity to increase net interest income. When the yield curve is flat, meaning long-term interest rates and short-term interest rates are essentially the same, or when the yield curve is inverted, meaning long-term interest rates are lower than short-term interest rates, the net yield between interest-earning assets and interest-bearing liabilities that reprice is compressed or diminished and would likely negatively impact the Bank's net interest income. See "Part II, Item 7A. Quantitative and Qualitative Disclosures About Market Risk" for additional information about the Bank's interest rate risk management.

An economic downturn, including a decline in real estate values, especially affecting our geographic market areas and certain regions of the country where we have commercial real estate loans or purchased loans secured by one- to four-family properties, could have an adverse impact on our business and financial results.
As we strategically grow our commercial real estate lending portfolio, we have continued to prospect for new relationships and maintain existing relationships not only in our local markets but in geographically diverse markets. As a result, we are particularly exposed to downturns in regional housing and commercial real estate markets and, to a lesser extent, housing and commercial real estate markets nationwide, along with changes in the levels of unemployment or underemployment. We monitor the current status and trends of local and national employment levels and trends and current conditions in the real estate and housing markets, as well as commercial real estate markets, in our local market areas and certain areas where we have commercial real estate loans and purchased one- to four-family loans. Decreases in real estate values could adversely affect the value of the property used as collateral for our commercial real estate and one- to four-family loans, which could cause us to realize a loss in the event of a foreclosure. Decreases in local real estate values could adversely affect the value of the property used as collateral for our loans, which could cause us to realize a loss in the event of a foreclosure. Additionally, if insurance obtained by our borrowers is insufficient to cover any losses sustained to the collateral, the decreases in the value of collateral securing our loans as a result of natural disasters or other related events could adversely impact our financial condition and results of operations. Additionally, if insurance obtained by our 10 borrowers is insufficient to cover any losses sustained to the collateral, the decreases in the value of collateral securing our loans as a result of natural disasters or other related events could adversely impact our financial condition and results of operations. If insurance coverage is unavailable to our borrowers due to the reluctance of insurance companies to renew policies covering the collateral or due to other factors, the resulting increase in cost of home ownership could affect the ability of borrowers to repay loans. Adverse conditions in our local economies and in certain areas where we have commercial real estate loans and purchased one-to four-family loans, such as inflation, unemployment, supply chain disruptions, recession, natural disasters or pandemics, or other factors beyond our control, could adversely impact the ability of our borrowers to repay their loans. Adverse conditions in our local economies and in certain areas where we have commercial real estate loans and correspondent loans, such as inflation, unemployment, supply chain disruptions, recession, natural disasters or pandemics, or other factors beyond our control, could adversely impact the ability of our borrowers to repay their loans. Declines in collateral values and adverse economic conditions could result in increased delinquencies, non-performing assets, loan losses, and future loan loss provisions.

Risks Related to Lending Activities

The increase in commercial loans in our loan portfolio exposes us to increased lending and credit risks, which could adversely impact our financial condition and results of operations.
As part of the Company's strategic initiatives to develop a full-service commercial banking business, we are growing our commercial loan portfolio. Maintaining strong asset quality in association with the commercial loan growth is a top priority for the Bank. We are applying disciplined underwriting and ongoing credit and performance monitoring and we monitor concentration levels by collateral type, geographic location and borrowing relationship. However, there are still lending and credit risks that could adversely impact our financial condition and results of operations as commercial loans are generally considered to have different and greater credit risks than one- to four-family residential real estate loans.

Commercial loans typically have larger loan balances than one- to four-family residential loans and may involve multiple loans to groups of related borrowers. Repayment of commercial loans often depends on the successful operation of a
11

business or of the underlying property which may be affected by factors outside the borrower's control, such as adverse conditions in the real estate market, the economy, the implementation of tariffs, environmental factors, natural disasters or pandemics, and/or changes in government regulation. Also, there are risks inherent in commercial real estate construction lending as the value of the project is uncertain prior to the completion of construction and subsequent lease-up. A sudden downturn in the economy, labor and/or supply chain issues, or other unforeseen events could result in stalled projects or collateral shortfalls, thus exposing us to increased credit risk. Additionally, if we foreclose on these loans, our holding period for the collateral may be longer than for a one- to-four family residential property as there are generally fewer potential purchasers of this type of collateral.

Commercial and industrial loans are primarily made based on the identified cash flow of the borrower and secondarily on the collateral underlying the loans. Commercial and industrial loans are primarily made based on the identified cash flow of the borrower and secondarily on the collateral underlying the loans. A borrower's cash flow may prove to be unpredictable, and collateral securing these loans may fluctuate in value. The borrowers' cash flow may prove to be unpredictable, and collateral securing these loans may fluctuate in value. Most often, this collateral consists of accounts receivable, inventory and equipment. Significant adverse changes in a borrower's industries and businesses could cause rapid declines in values of, and collectability associated with, those business assets, which could result in inadequate collateral coverage for our commercial and industrial loans and expose us to future losses. In the case of loans secured by accounts receivable, the availability of funds for the repayment of these loans may be substantially dependent on the ability of the borrower to collect amounts due from its clients. Inventory and equipment may depreciate over time, may be difficult to appraise, may be illiquid and may fluctuate in value based on the success of the business. If the cash flow from business operations is reduced, the borrower's ability to repay the loan may be impaired.

The deterioration of one commercial loan or a commercial borrowing relationship could cause a significant increase in the dollar amount of delinquencies, non-performing assets, net charge-offs, and future loan loss provisions. An increase in valuation allowances and charge-offs related to our commercial loan portfolio could have an adverse effect on our business, financial condition, results of operations and future prospects. An increase in valuation allowances and charge-offs related to our commercial and industrial loan portfolio could have an adverse effect on our business, financial condition, results of operations and future prospects.

Risks Related to Cybersecurity, Third Parties, and Technology.

The occurrence of any information system failure or interruption, breach of security or cyberattack, at the Company, at its third-party service providers or counterparties may have an adverse effect on our business, reputation, financial condition and results of operations.
Information systems are essential to the conduct of our business, as we use such systems to manage our customer relationships, our general ledger, our deposits and our loans. In the normal course of our business, we collect, process, retain and transmit (by email and other electronic means) sensitive and confidential information regarding our customers, employees and others. We also outsource certain aspects of our data processing, data processing operations, remote network monitoring, engineering and managed security services to third-party service providers. In addition to confidential information regarding our customers, employees and others, we, and in some cases a third party, compile, process, transmit and store proprietary, non-public information concerning our business, operations, plans and strategies.

Information security risks for financial institutions continue to increase in part because of evolving technologies, the use of the internet and telecommunications technologies (including mobile devices) to conduct financial and other business transactions and the increased sophistication and activities of organized crime, perpetrators of fraud, hackers, terrorists and others. Cyber criminals use a variety of tactics, such as ransomware, denial of service, and theft of sensitive business and customer information to extort payment or other concessions from victims. In some cases, these attacks have caused significant impacts on other businesses' access to data and ability to provide services. We are not able to anticipate or implement effective preventive measures against all incidents of these types, especially because the techniques used change frequently and because attacks can originate from a wide variety of sources, including attacks on third-party vendors and their applications and products used by the Bank.

We use a variety of physical, procedural and technological safeguards to prevent or limit the impact of system failures, interruptions and security breaches and to protect confidential information from mishandling, misuse or loss, including detection and response mechanisms designed to contain and mitigate security incidents. However, there can be no assurance that such events will not occur or that they will be promptly detected and adequately addressed if they do, and early detection of security breaches may be thwarted by sophisticated attacks and malware designed to avoid detection. If there is a failure in or breach of our information systems, or those of a third-party service provider, the confidential and other information
12

processed and stored in, and transmitted through, such information systems could be jeopardized, or could otherwise cause interruptions or malfunctions in our operations or the operations of our customers, employees, or others.

Our business and operations depend on the secure processing, storage and transmission of confidential and other information in our information systems and those of our third-party service providers. Although we devote significant resources and management focus to ensuring the integrity of our information systems through information security measures, risk management practices, relationships with threat intelligence providers and business continuity planning, our facilities, computer systems, software and networks, and those of our third-party service providers, may be vulnerable to external or internal security breaches, acts of vandalism, unauthorized access, misuse, computer viruses or other malicious code and cyberattacks that could have a security impact. In addition, breaches of security may occur through intentional or unintentional acts by those having authorized or unauthorized access to our confidential or other information or the confidential or other information of our customers, employees or others. While we regularly conduct security and risk assessments on our systems and those of our third-party service providers, there can be no assurance that their information security protocols are sufficient to withstand a cyberattack or other security breach. Across our industry, the cost of minimizing these risks and investigating incidents has continued to increase with the frequency and sophistication of these threats.

The occurrence of any of the foregoing could subject us to litigation or regulatory scrutiny, cause us significant reputational damage or erode confidence in the security of our information systems, products and services, cause us to lose customers or have greater difficulty in attracting new customers, have an adverse effect on the value of our common stock or subject us to financial losses that may not be covered by insurance, any of which could have an adverse effect on our business, financial condition and results of operations. As information security risks and cyber threats continue to evolve, we may be required to expend significant additional resources to further enhance or modify our information security measures and/or to investigate and remediate any information security vulnerabilities or other exposures arising from operational and security risks.

New or revised laws and regulations may significantly impact our current and planned privacy, data protection and information security-related practices, the collection, use, sharing, retention and safeguarding of consumer and employee information, and current or planned business activities. Compliance with current or future privacy, data protection and information security laws could result in higher compliance and technology costs and could restrict our ability to provide certain products and services, which could have an adverse effect on our business, financial condition and results of operations.

Our customers are also targets of cyberattacks and identity theft. There continues to be instances involving financial services and consumer-based companies reporting the unauthorized disclosure of client or customer information or the destruction or theft of corporate data. Large scale identity theft could result in customers' accounts being compromised and fraudulent activities being performed in their names. We have implemented certain safeguards against these types of activities, but they may not fully protect us from financial losses. The occurrence of a security breach involving our customers' information, regardless of its origin, could damage our reputation and result in a loss of customers and business, subject us to additional regulatory scrutiny, and expose us to litigation and possible financial liability. Any of these events could have an adverse effect on our business, financial condition and results of operations. See "Part I, Item 1C. Cybersecurity" for additional discussion related to cybersecurity.

Third-party vendors subject the Bank and the Company to potential business, reputation and financial risks.
Third-party vendors are sources of operational and information security risk to the Bank and the Company, including risks associated with operation errors, information system interruptions or breaches, and unauthorized disclosures of sensitive or confidential customer information. The Bank and the Company require third-party vendors to maintain certain levels of information security; however, vendors may remain vulnerable to breaches, unauthorized access, misuse, computer viruses, and/or other malicious attacks that could ultimately compromise sensitive information. The Company requires third-party vendors to maintain certain levels of information security; however, vendors may remain vulnerable to breaches, unauthorized access, misuse, computer viruses, and/or other malicious attacks that could ultimately compromise sensitive information. We have developed procedures and processes for selecting and monitoring third-party vendors, but ultimately are dependent on these third-party vendors to secure their information. If these vendors encounter any of these types of issues, or if we have difficulty communicating with them, we could be exposed to disruption of operations, loss of service or connectivity to customers, reputational damage, and litigation risk that could have an adverse effect on our business, financial condition and results of operations.

The failure of an external vendor to perform in accordance with the contracted arrangements under service level agreements, because of changes in the vendor's organizational structure, financial condition, support for existing products and services or
13

strategic focus or for any other reason, could be disruptive to our operations, which could have an adverse effect on our business and, in turn, our financial condition and results of operations. Additionally, replacing certain third-party vendors could also entail significant delay and expense.

We are heavily reliant on technology, and a failure to effectively implement technology initiatives or anticipate future technology needs or demands could adversely affect our business or performance.
Like most financial institutions, the Bank significantly depends on technology to deliver its products and services and to otherwise conduct business. The Bank continues to invest in new technological solutions, system upgrades, and other technology initiatives, which allows us to offer new and competitive products and services to our customers. Many of these solutions and initiatives have a significant duration, are tied to critical information systems, and require substantial resources. Although the Bank takes steps to mitigate the risks and uncertainties associated with these solutions and initiatives, there is no guarantee that they will be implemented on time, within budget, or without negative operational or customer impact. The Company and its third-party vendors may develop or incorporate artificial intelligence technology into certain business processes, services or products. The use of artificial intelligence presents several risks, including an uncertain and evolving legal and regulatory environment, along with the reliability of information generated and the complexity and rapid pace of change in artificial intelligence models. The Bank also may not succeed in anticipating its future technology needs, the technology demands of its customers, or the competitive landscape for technology. If the Bank were to falter in any of these areas, it could have an adverse effect on our business, financial condition and results of operations.

Risks Related to Competition

Strong competition may limit our growth and profitability.
The Company operates in a highly competitive environment for quality commercial banking relationships, one-to four-family lending relationships and attracting and growing deposits. Our competition includes larger national, regional and local financial institutions, savings institutions, credit unions, investment banking and mortgage brokerage firms, farm credit lenders, commercial finance companies, insurance companies, online competitors that are not confined to any specific market area, and non-bank lenders and smaller local institutions that offer aggressive pricing and specialized loan structures and banking services. We compete by offering a comprehensive suite of products and services, competitive loan pricing, and we have a strong reputation in the market areas we serve.

Our competitors may offer products and services that we do not or cannot provide if the offerings fall outside our accepted level of risk. Additionally, they may offer deposit and loan rates that we cannot offer as it may adversely impact our net interest income. The Bank cannot grow profitably without growing our deposit portfolio as those funds are generally used to fund loan growth. Our profitability depends upon our ability to compete with other entities for the same customer base. Our profitability depends upon our ability to compete in our local market areas.

Risks Related to Regulation

We operate in a highly regulated environment, which limits the manner and scope of our business activities, and we may be adversely affected by new and/or changes in laws and regulations or interpretation of existing laws and regulations.
We are subject to extensive regulation, supervision, and examination by the OCC, the FRB, and the FDIC. These regulatory authorities exercise broad discretion in connection with their supervisory and enforcement activities, including the ability to impose restrictions on a bank's operations, reclassify assets, determine the adequacy of a bank's ACL, and determine the level of deposit insurance premiums assessed. These regulatory authorities exercise broad discretion in connection with their supervisory and enforcement activities, including the ability to 13 impose restrictions on a bank's operations, reclassify assets, determine the adequacy of a bank's ACL, and determine the level of deposit insurance premiums assessed. The CFPB has broad powers to supervise and enforce consumer protection laws, including a wide range of consumer protection laws that apply to all banks and savings institutions, like the authority to prohibit unfair, deceptive or abusive acts and practices. The CFPB also has examination and enforcement authority over all banks with regulatory assets exceeding $10 billion at four consecutive quarter-ends. There are increased direct costs, additional regulatory burdens with indirect costs, and lost revenue, mainly related to interchange fees, associated with the Bank being over $10 billion in regulatory assets at certain points in time and for four consecutive quarter-ends. As long as the Bank does not exceed $10 billion in regulatory assets for four consecutive quarter ends, it will continue to be examined for compliance with consumer protection laws and the regulations of the CFPB by the Bank's primary bank regulator, the OCC. The Dodd-Frank Act also weakens the federal preemption rules that have been applicable for national banks and federal savings associations and gives state attorneys general the ability to enforce federal consumer protection laws.

14

Any change in such regulation and oversight, whether in the form of regulatory policy, regulations, legislation, interpretation or application, could have an adverse impact on our operations. Bank regulatory agencies, such as the OCC, the FRB and the FDIC, govern the activities in which we may engage, primarily for the protection of depositors' funds, the DIF and the safety and soundness of the banking system as a whole, and not for the protection or benefit of investors. The CFPB enforces consumer protection laws and regulations for the benefit of consumers and not the protection or benefit of investors. In addition, changes in laws and regulations, or the application of these laws and regulations, may continue to impact our costs of regulatory compliance and of doing business, and otherwise affect our operations. In addition, new laws and regulations, including those related to environmental, social, and governance initiatives, may continue to increase our costs of regulatory compliance and of doing business, and otherwise affect our operations. New Presidential Executive Orders, laws and regulations may significantly affect the markets in which we do business, the markets for and value of our loans and securities, the products we offer, the fees we can charge and our ongoing operations, costs, and profitability. New laws and regulations may significantly affect the markets in which we do business, the markets for and value of our loans and securities, the products we offer, the fees we can charge and our ongoing operations, costs, and profitability.

The Company is also directly subject to the requirements of entities that set and interpret accounting standards such as the Financial Accounting Standards Board, and indirectly subject to the actions and interpretations of the Public Company Accounting Oversight Board, which establishes auditing and related professional practice standards for registered public accounting firms and inspects registered firms to assess their compliance with certain laws, rules, and professional standards in public company audits. These regulations, along with existing tax, accounting, securities, and monetary laws, regulations, rules, standards, policies and interpretations, control the methods by which financial institutions and their holding companies conduct business, engage in strategic and tax planning, implement strategic initiatives, and govern financial reporting.

The Company's failure to comply with laws, regulations or policies, including Presidential Executive Orders, could result in civil or criminal sanctions and money penalties by state and federal agencies, and/or reputational damage, which could have an adverse effect on the Company's business, financial condition and results of operations. See "Part I, Item 1. Business - Regulation and Supervision" for more information about the regulations to which the Company is subject.

Other Risks

The Company's ability to pay dividends and repurchase shares is subject to the ability of the Bank to make capital distributions to the Company.
The long-term ability of the Company to pay dividends to its stockholders and repurchase shares is based primarily upon the ability of the Bank to generate sufficient earnings to make capital distributions to the Company and on the availability of cash at the holding company level in the event the Bank's earnings are not sufficient to make capital distributions to the Company. Under certain circumstances, capital distributions from the Bank to the Company may be subject to regulatory approvals. See "Item 1. Business – Regulation and Supervision" for additional information.

The Company values constructive input from stockholders, and our Board of Directors and management team are committed to acting in the best interests of all stockholders. All publicly traded companies face the risk that stockholders may disagree with the composition of the Board of Directors, the Company's strategic direction, or the way the Company is managed and may seek to effect change through various strategies that range from private engagement to public filings, proxy contests, efforts to force transactions not supported by the Board of Directors, and litigation. Responding to these actions may be costly and time-consuming, disrupt the Company's operations and/or divert the attention of the Board of Directors and executive management. Such activities could interfere with the Company's ability to execute its strategic plan and to attract and retain qualified executive leadership, as well as create perceived uncertainty as to the Company's future direction, which could also affect the market price and volatility of the Company's common stock.

The Bank's bad debt recapture amount may impact the amount and timing of capital distributions to the Company.
The Bank reported a net loss on its fiscal year 2024 federal tax return due to the sale of securities in October 2023 associated with the securities strategy which resulted in negative current and accumulated earnings and profits for fiscal year 2024. As a result of the negative current and accumulated earnings and profits, capital distributions from the Bank to the holding company during fiscal year 2024 were deemed to be drawn out of the Bank's pre-1988 bad debt reserves and resulted in the recognition of income tax expense based on the amount of the capital distribution multiplied by the then-current Bank income tax rate.The Bank will report a net loss for tax purposes for fiscal year 2024 due to the sale of securities in October 2023 associated with the securities strategy and will therefore have negative current and accumulated earnings and profits for fiscal year 2024. As a result of the negative current and accumulated earnings and profits, capital distributions from the Bank to the holding company during fiscal year 2024 were deemed to be drawn out of the Bank's pre-1988 bad debt reserves and resulted in the recognition of income tax expense based on the amount of the capital distribution multiplied by the then-current Bank income tax rate. This additional tax expense reduced the amount of Bank earnings available to be distributed to the holding company during fiscal year 2024. During the fourth quarter of fiscal year 2025, the Bank reached a point where there was sufficient taxable income to replenish the Bank's tax accumulated earnings and profits to a positive level, allowing the Bank to make distributions to the holding company and not have that distribution subject to the pre-1988 bad debt recapture tax. Due to the Bank's expected continuing positive tax accumulated and earnings profit balance, it is anticipated that the Bank will be in a position to distribute earnings to the holding company during fiscal year 2026. Earnings distributions from the Bank to the
15

holding company will be limited to the extent necessary to prevent the Bank from re-entering a negative accumulated earnings and profit position which would require the payment of the pre-1988 bad debt recapture tax on earnings moved from the Bank to the holding company. See additional discussion regarding the Bank's pre-1988 bad debt recapture in "Part I, Item 1. Business - Taxation" and "Part II, Item 8. Financial Statements and Supplementary Data - Notes to Consolidated Financial Statements - Note 9. Income Taxes".

Our risk management and compliance programs and functions may not be effective in mitigating risk and loss.
We maintain an enterprise risk management program that is designed to identify, quantify, monitor, report, and control the risks that we face. These risks include: interest-rate, credit, liquidity, operations, compliance and litigation. These risks include: interest-rate, credit, liquidity, operations, reputation, compliance and litigation. We also maintain a compliance program to identify, measure, assess, and report on our adherence to applicable laws, policies and procedures. While we assess and improve these programs on an ongoing basis, there can be no assurance that our risk management or compliance programs, along with other related controls, will effectively mitigate all risk and limit losses in our business. If conditions or circumstances arise that expose flaws or gaps in our risk management or compliance programs, or if our controls do not function as designed, the performance and value of our business could be adversely affected.

The Company may not be able to attract and retain skilled employees.
The Company's success depends, in large part, on its ability to attract and retain key people. Competition for the best people can be intense, and the Company spends considerable time and resources attracting and hiring qualified people for its operations. The unexpected loss of the services of one or more of the Company's key personnel could have an adverse impact on the Company's business because of their skills, knowledge of the Company's market, and years of industry experience, as well as the difficulty of promptly finding qualified replacement personnel.

The Bank and the Company may be adversely affected by an increasing prevalence of fraud and other financial crimes.The Company may be adversely affected by an increasing prevalence of fraud and other financial crimes.
Reported instances of fraud and related financial crimes are rising nationwide. Like all financial institutions, the Bank and the Company are vulnerable to increasing fraud losses as fraud schemes perpetrated against the Bank, the Company, and our customers continue to evolve and become more sophisticated. Like all financial institutions, the Company is vulnerable to increasing fraud losses as fraud schemes perpetrated against the Company and its customers continue to evolve and become more sophisticated. While the Bank and the Company have procedures and systems in place to detect, prevent, and mitigate fraud losses, fraud losses may still occur and could be material to the Bank and the Company's results of operations. While the Company has procedures and systems in place to detect, prevent, and mitigate fraud losses, fraud losses may still occur and could be material to the Company's results of operations.


Item 1B. Unresolved Staff Comments
None.

Item 1C. Cybersecurity
Risk Management and Strategy

Information security and privacy are an important part of our culture and are foundational to our goal of delivering safe, secure and quality products and services. This philosophy is emphasized throughout the Bank by its Board of Directors, senior leaders, officers, managers and other employees to promote a Bank-wide culture of cybersecurity risk management.

As a financial institution we collect, store, and transmit sensitive, confidential, and proprietary data and other information, including intellectual property, business information, funds-transfer instructions, payment card data, and personally identifiable information of our customers and employees. This information can be of significant value to criminal actors, and, as described in "Item 1A. Risk Factors - Risks Related to Cybersecurity, Third Parties, and Technology", cybersecurity incidents and other security breaches involving this information at the Bank, at our service providers or counterparties, may negatively impact our business or performance. Unauthorized access to our customers' confidential or proprietary information as a result of a cybersecurity incident or otherwise could expose us to reputational harm and litigation and adversely affect our ability to attract and retain customers.

We have implemented a strategy to address threats to Bank assets and confidential information.15 We have implemented a strategy to address threats to Bank assets and confidential information. Our information security program, under the responsibility of the Chief Information Officer and the Chief Compliance & Risk Management Officer, balances security risks with business goals and provides appropriate protections for the confidentiality, integrity and
16

availability of Bank and customer information. We annually benchmark our information security program to assess its strength as measured against recommended industry security best practices.

Due to our heavy reliance on the strength and capability of our technology systems, which we use both to interface with our customers and to manage our internal financial reporting and other systems, we utilize a layered cybersecurity model designed to protect our systems and sensitive data. This model is composed of a variety of different components including administrative controls, technical controls and other safeguards. These components are centrally managed and monitored, creating a multi-layered and interlocking cybersecurity defense system. These various components are centrally managed and monitored, creating a multi-layered and interlocking cybersecurity defense system.

We maintain programs and policies to support the management of cybersecurity risk with a focus on prevention, detection and recovery processes. These programs and policies leverage frameworks and controls from the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, Federal Financial Institutions Examination Council ("FFIEC") cybersecurity guidance, Center for Internet Security ("CIS") Benchmarks, Cyber Risk Institute Profile, as well as various other regulatory requirements and industry-specific standards. The Bank also participates in the federally recognized Financial Services Information Sharing and Analysis Center and requires its employees and contractors to complete various education and training programs related to information security.

The Bank's Information Technology ("IT") and Compliance and Risk Management ("C&RM") teams have the primary responsibility for establishing appropriate policies and procedures that are responsive to cybersecurity threats and other information security risks. Members of these teams have a wide variety of relevant certifications, such as Certified Information Systems Security Professional, Certified Information Security Manager, Certification in Risk Management Assurance and Certified in Risk and Information Systems Control. Our C&RM team provides risk management oversight to the IT team. The Bank's Internal Audit function, using internal and outside expertise, independently oversees, reviews and validates the IT and C&RM activities and reports to the Board of Directors' Audit Committee on the effectiveness of governance, risk management and internal controls.

We have established an Enterprise Risk Management program. As part of this program, the C&RM team reviews our IT risk management practices, which are designed to identify, assess, manage, monitor, and report cybersecurity risks. The IT team is responsible for implementing risk management practices set forth in the IT risk management program.

As one of the critical elements of the Bank's overall risk management approach, our cybersecurity risk management program and strategy is focused on the following key areas:

Incident Response and Recovery Planning: The Bank has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Technical Safeguards: The Bank deploys technical safeguards that are designed to protect the sensitive information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and multifactor authentication and other access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Outside Experts: The Bank routinely works with outside experts, consultants, auditors and other third parties in connection with managing its cybersecurity risks and for advice regarding best practices and technical expertise.
Education and Awareness: The Bank provides regular, mandatory training for personnel regarding cybersecurity threats on matters such as phishing and email security best practices to equip our personnel with effective tools to address cybersecurity threats, and to communicate the Bank's evolving information security policies, standards, processes and practices.

While processes are in place to minimize the chance of a successful cyberattack, the Bank has established incident response procedures to address a cyberattack that may occur despite these safeguards.16 While processes are in place to minimize the chance of a successful cyberattack, the Bank has established incident response procedures to address a cyberattack that may occur despite these safeguards. The response procedures are designed to identify, analyze, contain and remediate any such cyber incident that occurs.

The Bank engages in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our
17

cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, penetration tests and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are analyzed by the cybersecurity team and the Information Technology Oversight Committee ("ITOC") and provided to the Bank's Board of Directors. We adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

We have implemented a third-party risk program to oversee and manage information security and privacy risks associated with third-party relationships. The program includes the assessment of third parties that provide key services or will access, store, process, or transmit sensitive information during initial onboarding and throughout the lifecycle of the relationship, and management of applicable contractual requirements relating to confidentiality, integrity, availability and privacy obligations, including timely notification of incidents. Third-party services related to advice, assessments, auditing, testing and support related to cybersecurity and information technology processes and services, where appropriate, are also subject to the third-party risk program.

Like other financial institutions, the Bank is targeted with malicious cyber activity on an ongoing basis directed at its websites, computer systems, software, networks and users.Like other financial institutions, the Bank experiences malicious cyber activity on an ongoing basis directed at its websites, computer systems, software, networks and users. This malicious activity includes attempts at unauthorized access and implantation of computer viruses or malware. The Bank is also targeted with large volumes of phishing and other forms of social engineering attempted for the purpose of perpetuating fraud. The Bank also experiences large volumes of phishing and other forms of social engineering attempted for the purpose of perpetuating fraud. Notwithstanding the breadth of our information security and privacy program, it may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse impact. Unauthorized access to our computer systems or stored data could result in theft, including cyber theft, or improper disclosure of confidential information, and the deletion or modification of records could cause interruptions in our operations. The impact of a material information technology event could have a materially adverse effect on our competitive position, reputation, results of operations, financial condition or cash flows.

Board Governance

The members of the Boards of Directors of the Company and the Bank are identical. The Bank's Board of Directors oversees cybersecurity risk management and strategy for both entities through management updates regarding the policies, practices and security results related to the Gramm-Leach-Bliley Act, IT risk management, IT security metrics, penetration testing, tabletop exercises, IT risk assessments, disaster recovery testing, and security awareness testing and training. Management is responsible for designing and implementing policies, processes and procedures, and deploying physical and virtual technology and safeguards to measure, monitor, and control cybersecurity risk. The Bank's Chief Information Officer provides an annual comprehensive update to the Board of Directors on the status of IT, and the plans for the future as well as quarterly updates which include any cyber incidents. The Bank's Chief Information Officer or delegate provides annual training on cyber security topics and reports to the Board of Directors on the Bank's cyber incidents, if any. The Bank's Chief Technology Officer provides annual training on cyber security topics and reports to the Board of Directors on the Bank's cyber incidents, if any. Cyber incidents with (i) the potential of materiality, pursuant to SEC cybersecurity disclosure rules; (ii) anticipated publicity; or (iii) anticipated written notices to a significant number of customers; have been promptly reported to the Board with ongoing updates during regular Board meetings. Cyber incidents with (i) the potential of materiality; (ii) anticipated publicity; or (iii) anticipated written notices to a significant number of customers; have been promptly reported to the Board with ongoing updates during regular Board meetings. The Bank's Chief Information Officer presents updates on new security measures, programs and services to ITOC. The minutes and materials from the ITOC meetings are available to the Board of Directors on the Directors' Board Portal. The Bank's Information Security Officer provides the Board of Directors with an annual report on all aspects of Information Security, including steps taken to minimize the risk of cyber incidents through training and testing employees on phishing, social engineering, etc. The Bank's Information Security Officer provides the Board of Directors an annual report on all aspects of Information Security, including steps taken to minimize the risk of cyber incidents through training and testing employees on phishing, social engineering, etc. This annual report also includes an independent third-party assessment of the Bank's information security systems together with information on steps taken to address any identified weaknesses. The Board of Directors also participates in an annual evaluation of enterprise risk and is presented with management's assessment of the top risks, which generally include several cybersecurity components. The Board of Directors also participates in an annual evaluation of risk and is presented with management's assessment of the top risks, which generally includes several cybersecurity components.

Material Cybersecurity Incidents

As of September 30, 2025, we were not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Bank, including its business strategies, results of operations or financial condition. For more information on our cybersecurity-related risks, see "Item 1A. Risk Factors – Risks Related to Cybersecurity, Third Parties, and Technology". Risk Factors – Risks Related to Cybersecurity, Third Parties, and Technology”.


18

Recently Filed
Click on a ticker to see risk factors
Ticker * File Date
SNEX 6 hours ago
TMRC 6 hours ago
ALTX 7 hours ago
DBMM 7 hours ago
LEDS 14 hours ago
LEXX 2 days, 3 hours ago
JJSF 2 days, 7 hours ago
UTI 2 days, 8 hours ago
IMKTA 2 days, 8 hours ago
MOG-A 2 days, 11 hours ago
LEE 2 days, 12 hours ago
CFFN 2 days, 13 hours ago
CENT 2 days, 13 hours ago
SPH 2 days, 14 hours ago
CASH 3 days, 6 hours ago
TFSL 3 days, 6 hours ago
CLFD 3 days, 6 hours ago
HZEN 3 days, 7 hours ago
GXLM 3 days, 7 hours ago
SMG 3 days, 7 hours ago
CLSK 3 days, 7 hours ago
PHCI 3 days, 7 hours ago
RJF 3 days, 7 hours ago
AVXL 3 days, 7 hours ago
MAGN 3 days, 7 hours ago
AMTM 3 days, 7 hours ago
BDX 3 days, 7 hours ago
ARMK 3 days, 7 hours ago
ARWR 3 days, 7 hours ago
EMBC 3 days, 8 hours ago
FLNC 3 days, 8 hours ago
ADI 3 days, 8 hours ago
GLDM 3 days, 8 hours ago
GLD 3 days, 8 hours ago
COR 3 days, 9 hours ago
WWD 3 days, 10 hours ago
FFIV 3 days, 11 hours ago
ROAD 4 days, 6 hours ago
BLBD 4 days, 7 hours ago
ALCO 4 days, 7 hours ago
PNNT 4 days, 7 hours ago
SYM 4 days, 8 hours ago
PFLT 4 days, 8 hours ago
OYCG 4 days, 8 hours ago
CBT 4 days, 13 hours ago
DSNY 4 days, 17 hours ago
GEOS 1 week ago
IIIV 1 week ago
HP 1 week ago
PTC 1 week ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard