Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - HFWA

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors—Credit Risks this Form 10-K.

Table of Contents

Supervision and Regulation

General

FDIC-insured banking institutions, like the Bank, their holding companies and affiliates are extensively regulated under federal and state law. As a result, our growth and earnings performance may be affected not only by management decisions and general economic conditions, but also by the requirements of federal and state statutes and by the regulations and policies of various banking agencies, including the DFI, the Federal Reserve, the FDIC and federal and state consumer financial protection agencies. Furthermore, taxation laws administered by the Internal Revenue Service and state taxing authorities, accounting rules developed by the FASB and PCAOB, securities laws administered by the SEC and state securities authorities and anti-money laundering and sanctions laws enforced by the U.S. Department of the Treasury (“Treasury”) have an impact on our business. The effect of these statutes, regulations, regulatory policies and accounting rules are significant to our operations and results.

Federal and state banking laws impose a comprehensive system of supervision, regulation and enforcement on the operations of FDIC-insured institutions, their holding companies and affiliates that is intended primarily for the protection of the FDIC-insured deposits and depositors of banks, rather than shareholders. These laws, and the regulations of the banking agencies issued under them, affect, among other things, the scope of our business, the kinds and amounts of investments that the Company and the Bank may make, required capital levels relative to assets, the nature and amount of collateral for loans, the establishment of branches, the ability of the Company or the Bank to merge, consolidate and acquire, dealings with our insiders and affiliates and the payment of dividends.

In response to the global financial crisis and particularly following the passage of the Dodd-Frank Act, we experienced heightened regulatory requirements and scrutiny. Although the reforms primarily targeted large banking organizations and systemically important financial institutions, their influence filtered down in varying degrees to community banks over time and caused our compliance and risk management processes, and the costs thereof, to increase.

Over the past year, the federal banking agencies have continued efforts to reduce regulatory burden on banking organizations, including community banks, through various supervisory, regulatory and policy initiatives. These efforts have included the rescission or revision of certain rulemakings and proposals, initiatives to streamline examination and application processes and efforts to increase transparency and consistency in supervisory expectations. Congress also has considered additional measures aimed at easing specific compliance obligations for community banks, although no reforms comparable in scope to the Economic Growth Act have been enacted to date. These developments may be favorable to the operations of the Company or the Bank; however, future changes in laws, regulations, or supervisory priorities and their impacts on the Company’s or the Bank’s business, remain uncertain.

The supervisory framework applicable to U.S. banking organizations subjects banks and bank holding companies to regular examination by their respective banking agencies. These examinations result in confidential examination reports and supervisory ratings that may impact an institution’s operations, capital levels, growth and strategic initiatives. Changes in supervisory approach or emphasis may materially affect the operations and financial results of the Company and the Bank, as well as the banking industry in general. In recent supervisory communications, rulemakings and policy statements, federal banking agencies have indicated an increased focus on core, material financial risks (rather than risk management processes), greater transparency in supervisory expectations and efforts to reduce examination burden, particularly for community banks. For example, the FDIC, the Bank’s primary federal regulator, has proposed or implemented initiatives: (i) to clarify standards for unsafe or unsound practices; (ii) to enhance supervisory appeals processes; (iii) to streamline examination procedures; and (iv) to revise standards governing the termination of enforcement actions. These initiatives may enable management to focus more effectively on growth opportunities and the management of material financial risks.

The following is a summary of the material elements of the supervisory and regulatory framework applicable to the Company and the Bank. It does not describe all of the statutes, regulations and regulatory policies that apply, nor does it restate all of the requirements of those that are described. The descriptions are qualified in their entirety by reference to the particular statutory and regulatory provision.

The Role of Capital

Regulatory capital represents the net assets of a banking organization available to absorb losses. FDIC-insured institutions, such as banks, as well as their holding companies (i.e., banking organizations) are required to hold more capital than other businesses, which directly affects our earnings capabilities. Although capital has historically been one of the key measures of the financial health of both bank holding companies and banks, its role became fundamentally more important in the wake of the global financial crisis, as the banking regulators recognized that the amount and quality of capital held by banking organizations prior to that crisis was insufficient to absorb losses during periods of severe stress.

Capital Levels. Banking organizations have been required to hold minimum levels of capital based on guidelines established by the banking agencies since 1983. The minimums have been expressed in terms of ratios of “capital” divided by “total assets.”

Table of Contents

Beginning in 1989, the capital guidelines for U.S. banking organizations have been based upon international capital accords (known as the “Basel” accords) adopted by the Basel Committee on Banking Supervision, a committee of central banks and bank supervisors that acts as the primary global standard-setter for prudential regulation, as interpreted and implemented by the U.S. federal banking agencies on an interagency basis. These accords recognized that bank assets for the purpose of the capital ratio calculations needed to be risk weighted (the theory being that riskier assets should require more capital) and that off-balance sheet exposures needed to be factored in the calculations. Following the global financial crisis, the Group of Governors and Heads of Supervision, the oversight body of the Basel Committee on Banking Supervision, announced agreement on a strengthened set of capital requirements for banking organizations around the world, known as the Basel III accords, to address deficiencies recognized in connection with the global financial crisis.

The Basel III Rule. The U.S. federal bank regulatory agencies adopted the U.S. Basel III regulatory capital reforms, and, at the same time, effected changes required by the Dodd-Frank Act, in regulations that were effective in 2015 (with certain phase-ins) (the “Basel III Rule”). The Basel III Rule established capital standards for banking organizations that are meaningfully more stringent than those established previously and are still in effect today. The Basel III Rule is applicable to all banking organizations that are subject to minimum capital requirements, including national banks, state banks and savings and loan associations, as well as to most bank and savings and loan holding companies. The Company and the Bank are each subject to the Basel III Rule.

Risk-Weighting Assets. Three of the required capital ratios imposed under the Basel III Rule, as discussed immediately below, are calculated using a denominator of total “risk-weighted” assets. In the calculation of so-called “risk weights,” which was introduced in the Basel I accord, bank assets were divided into four basic risk-weighted categories of 0%, 20%, 50% and 100%. The Basel III accords required a more complex, detailed and calibrated assessment of risk in the calculation of risk weightings. Although it uses the same technique introduced by the Basel I accord in assigning assets to risk-weight categories, it significantly increases the number of categories and adds conditions to the assignment of certain risk weights. Risk weights were established as high as 250% for certain commercial real estate exposures, and higher for certain derivatives.

The assignment of risk weights is likely to continue to be under review by the federal banking agencies as they seek to implement certain remaining elements of the Basel III accords. Previously, in 2023, the federal banking agencies proposed a “Basel III Endgame Rule” to complete this implementation process; however, the proposal was not adopted, in part due to stakeholder concerns regarding potential economic impacts, data transparency and the alignment of certain provisions with statutory tailoring requirements. Based on public statements from federal agency officials, it is anticipated that a revised proposal may be issued in the future. Any re-proposal of the Basel III Endgame Rule is expected to primarily affect large, complex banking organizations.

Minimum Capital Ratios. The Basel III Rule also increased the required quantity and quality of capital. In addition, the Basel III Rule limited the inclusion of minority interests, mortgage-servicing assets and deferred tax assets in regulatory capital and required deductions from CET1 if such assets exceeded prescribed thresholds.

The Basel III Rule requires banking organizations to maintain minimum capital ratios to be deemed “adequately capitalized” as follows:

•A ratio of CET1 equal to 4.5% of risk-weighted assets;

•A ratio of Tier 1 Capital equal to 6% of risk-weighted assets;

•A ratio of Total Capital (Tier 1 plus Tier 2 Capital) equal to 8% of risk-weighted assets; and

•A leverage ratio of Tier 1 Capital to total quarterly average assets equal to 4% of risk-weighted assets in all circumstances.

Well Capitalized Requirements. The ratios described above represent minimum standards for banking organizations to be considered “adequately capitalized.” Banking agencies uniformly encourage banking organizations to maintain capital levels above these minimums and to be classified as “well capitalized.” To that end, federal law and regulations provide various incentives for banking organizations to maintain regulatory capital in excess of minimum regulatory requirements. In addition, the banking agencies may require higher capital levels where warranted by a banking organization’s particular operating circumstances or risk profiles. For example, the Federal Reserve’s capital guidelines contemplate that additional capital may be required to take adequate account of, among other things, interest rate risk, or the risks posed by concentrations of credit, nontraditional activities or securities trading activities. Further, any banking organization experiencing or anticipating significant growth would be expected to maintain capital ratios, including tangible capital positions (i.e., Tier 1 Capital less all intangible assets), well above the minimum regulatory levels.

Table of Contents

Under the capital regulations of the Federal Reserve for the Company and the FDIC for the Bank, in order to be well capitalized, a banking organization, like the Company and the Bank, must maintain:

•A CET1 ratio to risk-weighted assets of 6.5% or more;

•A ratio of Tier 1 Capital to total risk-weighted assets of 8% or more;

•A ratio of Total Capital to total risk-weighted assets of 10% or more; and

•A leverage ratio of Tier 1 Capital to total adjusted average quarterly assets of 5% or greater.

Under the Basel III Rule, a banking organization may be considered “well capitalized,” while not complying with the capital conservation buffer described above.

As of December 31, 2025: (i) the Bank was not subject to a directive from the FDIC or the DFI to increase its capital; and (ii) the Bank was well capitalized, as defined by FDIC regulations. As of December 31, 2025, the Company had regulatory capital in excess of the Federal Reserve’s requirements and met the Basel III Rule requirements to be well capitalized.

Prompt Corrective Action. The concept of a banking organization being “adequately capitalized” or “well capitalized” is part of a regulatory enforcement regime that provides the federal banking agencies with broad power to take “prompt corrective action” to resolve the problems of depository institutions based on the capital level of each particular institution. The extent of the banking agencies’ powers depends on whether the institution in question is “adequately capitalized,” “undercapitalized,” “significantly undercapitalized” or “critically undercapitalized,” in each case as defined by regulation. Depending upon the capital category to which a banking organization is assigned, the banking agencies’ corrective powers include: (i) requiring the institution to submit a capital restoration plan; (ii) limiting the institution’s asset growth and restricting its activities; (iii) requiring the institution to issue additional capital stock (including additional voting stock) or to sell itself; (iv) restricting transactions between the institution and its affiliates; (v) restricting the interest rate that the institution may pay on deposits; (vi) ordering a new election of directors of the institution; (vii) requiring that senior executive officers or directors be dismissed; (viii) prohibiting the institution from accepting deposits from correspondent banks; (ix) requiring the institution to divest certain subsidiaries; (x) prohibiting the payment of principal or interest on subordinated debt; and (xi) ultimately, appointing a receiver for the institution.

Community Bank Capital Simplification. Community banking organizations have long raised concerns with federal banking agencies about the regulatory burden, complexity and costs associated with certain provisions of the Basel III Rule. Section 201 of the Economic Growth Act specifically instructed the federal banking regulators to establish a single “Community Bank Leverage Ratio” (“CBLR”) of between 8% and 10%. In late 2025, the federal banking agencies proposed changes to the CBLR framework intended to encourage broader adoption, including reducing the required leverage ratio from 9.0% to 8.0%; however, the proposal has not yet been finalized. We may elect the CBLR framework at any time, but have not elected to use the CBLR framework as of December 31, 2025.

Supervision and Regulation of the Company

General. The Company, as the sole shareholder of the Bank, is a bank holding company. As a bank holding company, we are registered with, and subject to regulation, supervision and enforcement by, the Federal Reserve under the BHCA. We are legally obligated to act as a source of financial and managerial strength to the Bank and to commit resources to support the Bank in circumstances where we might not otherwise do so. Under the BHCA, we are subject to periodic examination by the Federal Reserve and are required to file with the Federal Reserve periodic reports of our operations and such additional information regarding us and the Bank as the Federal Reserve may require.

Acquisitions and Activities. The primary purpose of a bank holding company is to control and manage banks. The BHCA generally requires the prior approval of the Federal Reserve for any merger involving a bank holding company or any acquisition by a bank holding company of another bank or bank holding company. Pursuant to the BHCA and the Dodd-Frank Act, the Federal Reserve may permit a well capitalized and well managed bank holding company to acquire banks located in any U.S. state, subject to federal deposit concentration limits, applicable nondiscriminatory state deposit-cap laws and state minimum existence requirements for target banks (not exceeding five years).

This general prohibition is subject to a number of exceptions. The principal exception allows bank holding companies to engage in, and to own shares of companies engaged in, certain businesses found by the Federal Reserve prior to November 11, 1999 to be “so closely related to banking... as to be a proper incident thereto.

Financial Holding Company Election. Bank holding companies that meet certain eligibility requirements and elect to operate as financial holding companies may engage in, or own shares in companies engaged in, a wider range of nonbanking activities, including securities and insurance underwriting and sales, merchant banking and any other activity that: (i) the Federal Reserve, in consultation with the Secretary of the Treasury, determines by regulation or order is financial in nature or incidental to any such

Table of Contents

financial activity; or (ii) the Federal Reserve determines by order to be complementary to any such financial activity, as long as the activity does not pose a substantial risk to the safety or soundness of FDIC-insured institutions or the financial system generally. We have not currently elected to operate as a financial holding company.

Change in Control. Federal law prohibits any person or company from acquiring “control” of an FDIC-insured depository institution or its holding company without prior notice to the appropriate federal bank agencies.

Capital Requirements. We are required to maintain consolidated capital in accordance with Federal Reserve capital adequacy requirements. For a discussion of capital requirements, see “–The Role of Capital” above.

Dividend Payments. Our ability to pay dividends to our shareholders may be affected by both general corporate law considerations and policies of the Federal Reserve applicable to bank holding companies. As a Washington corporation, we are subject to the limitations of the Washington Business Corporation Act, which generally prohibits the payment of dividends or other distributions if, after giving effect to the distribution, (i) the Company would not be able to pay its debts as they become due in the usual course of business, or (ii) the Company’s total assets would be less than the sum of its total liabilities plus any amounts needed to satisfy preferential rights upon dissolution.

As a general matter, the Federal Reserve has indicated that the board of directors of a bank holding company should eliminate, defer or significantly reduce dividends to shareholders if: (i) the company’s net income available to shareholders for the past four quarters, net of dividends previously paid during that period, is not sufficient to fully fund the dividends; (ii) the prospective rate of earnings retention is inconsistent with the company’s capital needs and overall current and prospective financial condition; or (iii) the company will not meet, or is in danger of not meeting, its minimum regulatory capital adequacy ratios. The Federal Reserve also possesses enforcement powers over bank holding companies and their nonbank subsidiaries to prevent or remedy actions that represent unsafe or unsound practices or violations of applicable statutes and regulations. Among these powers is the ability to proscribe the payment of dividends by banks and bank holding companies. Finally, the Basel III Rule imposes consolidated capital requirements on banking organizations. As a result, banking organizations must hold a capital conservation buffer of 2.5% of risk-weighted assets in CET1 above the minimum risk-based capital requirements to avoid regulatory limits on dividends and other capital distributions. See “–The Role of Capital” above.

Monetary Policy. The monetary policy of the Federal Reserve has a significant effect on the operating results of bank holding companies and their subsidiaries. Among the tools available to the Federal Reserve to affect the money supply are open market transactions in U.S. government securities and changes in the discount rate on bank borrowings. These means are used in varying combinations to influence overall growth and distribution of bank loans, investments and deposits, and their use may affect interest rates charged on loans or paid on deposits, which may impact our business and the operations of the Company and the Bank.

Federal Securities Regulation. Our common stock is registered with the SEC under the Securities Act of 1933, as amended, and the Exchange Act. Consequently, we are subject to the information, proxy solicitation, insider trading and other restrictions and requirements of the SEC under the Exchange Act.

The Dodd-Frank Act addressed many investor protection, corporate governance and executive compensation matters that affect most U.S. publicly traded companies. It increased shareholder influence over boards of directors by requiring companies to give shareholders a nonbinding vote on executive compensation and so-called “golden parachute” payments, and authorizing the SEC to promulgate rules that would allow shareholders to nominate and solicit voters for their own candidates using a company’s proxy materials.

The Dodd-Frank Act also directed the Federal Reserve, in coordination with other federal banking and financial services agencies, to promulgate rules prohibiting excessive incentive-based compensation paid to executives of bank holding companies, regardless of whether such companies are publicly traded. Although several agencies have made repeated efforts to implement rules under this provision of the Dodd-Frank Act—including a proposal issued most recently in May 2024, which was subsequently withdrawn—no final rule has been adopted at this time. Nevertheless, the federal banking agencies have issued interagency guidance on sound incentive compensation practices for banking organizations, reflecting the agencies’ recognition that incentive compensation practices in the financial industry were among the factors contributing to the global financial crisis. Although much of the guidance is directed at large banking organizations that are expected to maintain systematic and formalized policies and procedures, smaller banking organizations like us are expected to implement less extensive and less formalized systems pursuant to the guidance.

Supervision and Regulation of the Bank

General. The Bank is a Washington state-chartered, nonmember bank. The deposit accounts of the Bank are insured by the FDIC’s Deposit Insurance Fund (“DIF”) to the maximum extent provided under federal law and FDIC regulations, currently $250,000 per insured depositor, per ownership category. Ongoing policy discussions at the federal level have focused on potential changes to deposit insurance coverage, including possible adjustments to coverage limits, although no changes have been enacted.

Table of Contents

Deposit Insurance Assessments. As an FDIC-insured institution, the Bank is required to pay deposit insurance premium assessments to the FDIC. The FDIC has adopted a risk-based assessment system whereby FDIC-insured institutions pay insurance premiums at rates based on their risk classification. For institutions like the Bank that are not considered large and highly complex banking organizations, the risk-based assessment is based on examination ratings and financial ratios. However, the maximum rate is 18 basis points for FDIC-insured institutions in the top two categories of examination composite ratings.

At least semi-annually, the FDIC updates its loss and income projections for the DIF and, if needed, increases or decreases the assessment rates, following notice and comment on proposed rulemaking. For this purpose, the reserve ratio is the DIF balance divided by estimated insured deposits. In response to the global financial crisis, the Dodd-Frank Act increased the minimum reserve ratio from 1.15% to 1.35% of the estimated amount of total insured deposits.

In addition, because the cost of the failures of Silicon Valley Bank and Signature Bank to the DIF attributable to the systemic risk exception was approximately $16.7 billion, the FDIC adopted a special assessment for banking organizations with assets of $5 billion or more. The FDIC has been collecting the special assessment over eight quarters, at a quarterly rate of 3.36 basis points for the initial seven quarters of the collection period (ending on December 30, 2025) and at a quarterly rate of 2.97 basis points for the eighth and final collection period. The quarterly special assessment rate is applied to the special assessment base equal to an FDIC-insured institution’s estimated uninsured deposits reported for the December 31, 2022 reporting period, adjusted to exclude the first $5 billion in estimated uninsured deposits of the institution. Although the Company and the Bank are subject to the FDIC’s special assessment as a banking organization with assets of $5 billion or more, the Company does not have to pay the special assessment based on its amount of uninsured deposits.

Supervisory Assessments. All Washington banks are required to pay supervisory assessments to the DFI to fund the operations of that agency as well as other examination fees. The amount of the assessment is calculated on the basis of the Bank’s total assets. During the year ended December 31, 2025, the Bank paid supervisory assessments to the DFI totaling approximately $235,000.

Capital Requirements. Banks are generally required to maintain capital levels in excess of other businesses. For a discussion of capital requirements, see “–The Role of Capital” above.

Liquidity Requirements. Liquidity is a measure of the ability and ease with which bank assets may be converted to meet financial obligations, such as deposits or other funding sources. Banks are required to implement liquidity risk management frameworks that ensure they maintain sufficient liquidity, including a cushion of unencumbered, high-quality liquid assets, to withstand a range of stress events. The level and speed of deposit outflows contributing to the failures of Silicon Valley Bank, Signature Bank and First Republic Bank in 2023 was unprecedented, and contributed to acute liquidity and funding strain, underscoring the importance of liquidity risk management and contingency funding planning by insured depository institutions like the Bank, as highlighted in a 2023 addendum to existing interagency guidance on funding and liquidity risk management.

The primary role of liquidity risk management is to: (i) prospectively assess the need for funds to meet obligations; and (ii) ensure the availability of cash or collateral to fulfill those needs at the appropriate time by coordinating the various sources of funds available to the institution under normal and stressed conditions. The Basel III Rule includes a liquidity framework that requires the largest insured institutions to measure their liquidity against specific liquidity tests. One test, referred to as the Liquidity Coverage Ratio, is designed to ensure that the banking organization has an adequate stock of unencumbered high-quality liquid assets that can be converted easily and immediately in private markets into cash to meet liquidity needs for a 30-calendar day liquidity stress scenario. The other test, known as the Net Stable Funding Ratio, is designed to promote more medium- and long-term funding of the assets and activities of FDIC-insured institutions over a one-year horizon. These tests provide an incentive for banks and holding companies to increase their holdings in Treasury securities and other sovereign debt as a component of assets, increase the use of long-term debt as a funding source and rely on stable funding like core deposits (in lieu of brokered deposits).

Although these tests do not apply to the Bank, we continue to review our liquidity risk management policies in light of regulatory requirements and industry developments.

Dividend Payments. The Bank pays dividends to the Company. Under the Washington Commercial Bank Act, Washington state-chartered banks may not declare or pay any dividend in an amount greater than its retained earnings, without approval from the DFI. Under the prompt corrective action requirements, the payment of dividends by any FDIC-insured institution is affected by the requirement to maintain adequate capital pursuant to applicable capital adequacy guidelines and regulations, and an FDIC-insured institution generally is prohibited from paying any dividends if, following payment thereof, the institution would be undercapitalized. As described above, the Bank exceeded its capital requirements under applicable guidelines as of December 31, 2025. Notwithstanding the availability of funds for dividends, however, the FDIC and the DFI may prohibit the payment of dividends by the Bank if either agency determines that such payment would constitute an unsafe or unsound practice. See “–The Role of Capital” above.

State Bank Investments, Activities and Acquisitions. The Bank is permitted to make investments and engage in activities directly or through subsidiaries as authorized under Washington law. However, under federal law and FDIC regulations, FDIC-insured state banks are prohibited, subject to certain exceptions, from making or retaining equity investments that are not permissible for a national bank. Federal law and FDIC regulations also prohibit FDIC-insured state banks and their subsidiaries from engaging

Table of Contents

as principal in any activity that is not permitted for a national bank unless they meet, and continue to meet, minimum regulatory capital requirements and the FDIC determines that the activity would not pose a significant risk to the DIF. These restrictions have not had, and are not currently expected to have, a material impact on the operations of the Bank.

In 2025, the federal banking agencies rescinded certain prior administrative actions regarding the review and approval of mergers and acquisitions, with the intent of streamlining and expediting the regulatory review of certain merger and acquisition applications.

Branching Authority. Washington state-chartered banks, such as the Bank, have the authority under the Washington Commercial Bank Act to establish branches anywhere in the State of Washington, subject to receipt of approval from the DFI and FDIC, as applicable.

Affiliate and Insider Transactions. The Bank is subject to certain restrictions imposed by federal law on “covered transactions” between the Bank and its “affiliates.” The Company is an affiliate of the Bank for purposes of these restrictions. Covered transactions subject to these restrictions include extensions of credit to the Company, investments in the stock or other securities of the Company and the acceptance of the stock or other securities of the Company as collateral for loans made by the Bank. The Dodd-Frank Act enhanced these requirements by expanding the definition of “covered transactions” and extending the period for which collateral requirements for such transactions must be maintained.

Safety and Soundness Standards/Risk Management. The federal banking agencies have adopted operational and managerial standards to promote the safety and soundness of FDIC-insured institutions. The standards apply to internal controls, information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure, asset growth, compensation, fees and benefits, asset quality and earnings.

Although regulatory standards do not have the force of law, if an institution operates in an unsafe and unsound manner, its primary federal regulator may require the submission of a plan to achieve and maintain compliance. Failure to submit an acceptable compliance plan, or to implement an approved plan in any material respect may result in formal agency orders directing the institution to cure the deficiencies. Until such deficiencies are resolved, the agency may restrict the institution’s rate of growth, require additional capital, limit deposit rates, or take other corrective action as deemed appropriate.

The federal banking agencies have emphasized the importance of sound risk management processes and strong internal controls when evaluating the activities of the FDIC-insured institutions. In 2025, however, the agencies signaled a shift toward focusing on the identification and management of material financial risks, rather than primarily on adherence to prescriptive operational processes. Despite this potential shift in focus, the agencies continue to evaluate a broad spectrum of risks—including credit, market, liquidity, operational, and legal risks—emphasizing their potential impact on safety and soundness. Notably, the federal banking agencies have indicated that they intend to remove reputation risk from consideration, citing concerns about its use in restricting banking services to certain industries or groups.

The federal banking agencies also have released specific risk management guidance on certain topics, including third-party relationships, in response to the proliferation of relationships between banking organizations and financial technology companies (although the guidance applies more broadly).

Privacy and Cybersecurity. The Bank is subject to numerous U.S. federal and state laws and regulations aimed at protecting non-public, confidential information of its customers. In addition, the Bank is required to implement a comprehensive information security program that includes administrative, technical, and physical safeguards to ensure the security and confidentiality of customer records and information.

The Bank and the Company also are subject to a number of federal and state laws and regulations requiring notifications and disclosures regarding certain cybersecurity incidents. In addition, the Bank must consider and address cybersecurity risks as part

Table of Contents

of its risk management processes, including implementing and maintaining appropriate safeguards, monitoring and testing systems, and overseeing the cybersecurity practices of its service providers. Regulatory guidance emphasizes that cybersecurity should be integrated into overall enterprise risk management and business continuity planning.

Federal Home Loan Bank System. The Bank is a member of an FHLB, which serves as a central credit facility for its members. The FHLB is funded primarily from proceeds from the sale of obligations of the FHLB system. It makes loans to member banks in the form of FHLB advances. All advances from the FHLB are required to be fully collateralized, as determined by the FHLB.

Community Reinvestment Act Requirements. The CRA imposes on the Bank a continuing and affirmative obligation, consistent with safe and sound operations, to help meet the credit needs of the entire community, including low- and moderate-income neighborhoods. The Bank’s CRA ratings derived from these examinations can have significant impacts on the activities in which the Bank and the Company may engage. For example, a low CRA rating may impact the review of applications for acquisitions by the Bank.

In 2023, the federal banking agencies issued a final rule intended to strengthen and modernize the CRA regulations (the “CRA Rule”). The CRA Rule was subsequently challenged in court, which prevented it from taking effect. In 2025, the federal banking agencies issued a proposed rule to rescind the CRA Rule and reinstate the prior CRA regulatory framework adopted in 1995. Additionally, the FDIC is lengthening the period between CRA examinations for certain banks with less than $3 billion in assets; however, this change is not expected to impact the Bank, which has more than $3 billion in total assets.

Washington has a state law analogous to the federal CRA, which imposes an affirmative obligation on Washington state‑chartered banks, including the Bank, to help meet the credit, lending, and investment needs of their local communities. The law is enforced by the DFI, which evaluates banks’ performance in meeting community needs, often considering federal data and materials provided in connection with federal CRA examinations, while also applying state‑specific criteria.

Anti-Money Laundering/Countering the Financing of Terrorism/Sanctions. The Bank Secrecy Act (“BSA”) is a U.S. federal statutory framework, as amended and supplemented by subsequent laws and implemented through regulations, which is designed to combat money laundering, the financing of terrorism and other illicit financial activity. The BSA and related anti-money laundering/countering the financing of terrorism (“AML/CFT”) laws and regulations are intended to prevent terrorists and criminals from accessing the U.S. financial system and have significant implications for FDIC-insured institutions and other businesses involved in the transmission of funds. Together, this regulatory framework provides a foundation to promote financial transparency and deter and detect efforts to misuse the U.S. financial system to launder criminal proceeds, finance terrorist acts, or facilitate other illicit conduct. The BSA and related regulations require financial institutions to establish and maintain policies and procedures for addressing: (i) customer identification and due diligence; (ii) the prevention and detection of money laundering and terrorist financing; (iii) the identification and reporting of suspicious activities and certain currency transactions; (iv) compliance with laws relating to currency crimes; and (v) cooperation with law enforcement authorities. The Bank also must comply with stringent economic and trade sanctions regimes administered and enforced by the Office of Foreign Assets Control.

Although core AML/CFT statutory requirements and expectations remain unchanged, certain of the federal banking agencies and the Financial Crimes Enforcement Network (FinCEN) have recently pursued or considered efforts to modernize and streamline AML/CFT compliance through a more risk-based approach, including targeted regulatory relief, revised examination expectations and efforts to reduce certain compliance burden, particularly for lower-risk and community banking organizations.

These indicators include: (i) total CRE loans exceeding 300% of capital and increasing 50% or more in the preceding three years; or (ii) construction and land development loans exceeding 100% of capital.

The CRE Guidance does not establish binding limits on CRE lending activities, but rather is intended to inform supervisory assessments of whether an institution’s risk profile, earnings capacity and capital levels are commensurate with its CRE exposure. In recent years, the federal banking agencies have issued statements to reinforce prudent risk-management practices related to CRE lending, in response to observed growth in many CRE markets, increased competitive pressures, rising CRE concentrations, and an easing of CRE underwriting standards. In other statements, the agencies reminded FDIC-insured institutions to maintain underwriting discipline and to identify, measure, monitor and manage the risks arising from CRE lending, including by holding capital commensurate with those risks. As of December 31, 2025, the Bank did not exceed these guidelines.

Consumer Financial Services. The historical structure of federal consumer protection regulation applicable to all providers of consumer financial products and services changed significantly on July 21, 2011, when the CFPB commenced operations to supervise and enforce consumer protection laws. The CFPB has broad rulemaking authority for a wide range of consumer protection laws that apply to all providers of consumer products and services, including the Bank, as well as the authority to prohibit “unfair, deceptive or abusive” acts and practices. The CFPB has examination and enforcement authority over providers with more than $10 billion in assets. FDIC-insured institutions with $10 billion or less in assets, like the Bank, continue to be examined by their applicable bank regulators.

In response to mortgage-related abuses that contributed to the global financial crisis, the Dodd-Frank Act and CFPB rulemaking significantly expanded underwriting, disclosure and anti-predatory lending requirements for residential mortgage loans, including by imposing ability-to-repay standards and establishing a presumption of compliance for certain “qualified mortgages.” The CFPB

Table of Contents

has continued to refine these requirements through additional rulemaking addressing qualified mortgages ability-to-repay standards.

Over the last several years, the CFPB has taken an aggressive approach to the regulation (and supervision, where applicable) of providers of consumer financial products and services. However, more recently, changes in leadership and policy direction have led to: (i) shifts in regulatory priorities, including the rescission or reconsideration of certain CFPB guidance and rules; (ii) a reduction in CFPB enforcement activity; and (iii) constraints on the CFPB’s budget and resources, although the CFPB continues to retain statutory authority to administer, supervise and enforce federal consumer financial protection laws.

The Bank also must comply with certain state consumer protection laws and requirements in the states in which it operates.

Website Access to Company Reports

We post reports required to be filed with the SEC on our website, www.hf-wa.com, as soon as reasonably practicable after filing them. Copies of the required reports are available free of charge through our website.

Code of Ethics

We have adopted a Code of Ethics that applies to our directors, officers and employees, as well as those engaged by the Company, but who are not employees, such as contractors and those engaged through external agencies. We have posted a copy of our Code of Ethics at www.hf-wa. In accordance with SEC rules, significant changes or waivers of the Code of Ethics will be posted on our website at www.hf-wa.com in the section titled Overview: Governance Documents.

Competition

We compete for loans and deposits with other commercial banks, credit unions and other providers of financial services, including finance companies, online-only banks, mutual funds, insurance companies, and with Fintech companies that rely on technology to provide financial services. Many of our competitors have substantially greater resources than we do. Particularly in times of high or rising interest rates, we also face significant competition for investors’ funds from short-term money market securities and other corporate and government securities.

We compete for loans principally through the range and quality of the services we provide, interest rates and loan fees, and robust delivery channels for our products and services. We actively solicit deposit-related customers and compete for deposits by offering depositors high touch service on a variety of savings and checking accounts and cash management and other services.

Human Capital

Our Culture and Our People

The Company's success depends on the success of its people, and we are dedicated to fostering employee empowerment through robust human capital and talent management. Our strong culture, built upon a clear mission and values, unites employees at all levels of the Company towards a common goal, enabling them to reach their full potential.

The Company also had five employees who were working remotely in other states. No employees are represented by a collective bargaining agreement. During 2025, we hired 130 regular full-time and part-time employees.

Inclusive Workplace

We recognize and appreciate the importance of creating an environment where all employees feel valued, included, and empowered to do their best work. Recognizing the unique perspectives each employee brings, we value their contributions to making us the leading commercial community bank in the Pacific Northwest.

During November 2025, the Council was temporarily placed on pause due to merger related projects. Both our Chief Executive Officer and Chief Human Resources Officer serve as executive sponsors to this council.

The Company recruits from a broad and diverse labor pool and utilizes structured and consistent hiring practices. Hiring Managers complete required training on lawful interviewing and selection techniques using objective, job-related criteria and removing unconscious bias from the selection process.

Table of Contents

The objectives of the Company's DEI plan include:

•Workforce Diversity: Recruit from a diverse, qualified group of potential applicants to secure a high-performing workforce drawn from all segments of the communities we serve.

•Workplace Inclusion: Promote a culture and develop long-term strategies that encourage collaboration, inclusion, flexibility and fairness to enable individuals to contribute to their full potential.

Our senior recruiting team members have achieved certification as “Diversity and Inclusion Recruiters” after completing the Advanced Internet Recruitment Strategies program.

Communication and Listening

The Company strives to maintain an environment of open communication, facilitating access to senior management through initiatives like quarterly virtual “All Banker Calls,” monthly updates for Company leaders and orientation sessions led by the Chief Executive Officer and the Chief Human Resources Officer for new hires. To further enhance our “listening culture,” we utilize a survey platform to allow employees to share feedback directly with leadership, including an annual employee engagement survey and periodic pulse surveys. Survey results, shared with employees, executive leadership and the Board, guide actions at both the corporate and departmental levels. In recognition of our commitment to employee engagement, the Company earned a spot among the top 100 Best Places to Work in Washington and Oregon by the Puget Sound and Portland Business Journals based on the 2025 employee engagement survey. The company received similar recognitions in both 2023 and 2024.

Our commitment to open communication extends to providing employees with avenues for confidential and anonymous reporting. We offer a whistleblower hotline/website, enabling employees to report financial and workplace concerns to key leadership, including the Board Chair, Audit Committee Chair, Chief Executive Officer, Chief Risk Officer, Chief Human Resources Officer and Director of Internal Audit. Additionally, our Company intranet hosts an "Idea Bank," allowing employees to submit new ideas or recommendations directly to executive management.

Talent Development and Succession

Developing employees for future growth and professional development is a vital corporate activity crucial to our long-term success. The Company views its employees as our most important assets, which makes training and professional development a worthy investment. We offer an array of learning opportunities through virtual and in-house courses via “Heritage Bank University.” Additionally, we sponsor courses from external providers such as Blanchard, Risk Management Association, Archbright, Jennifer Brown Consulting, Washington Bankers Association, Oregon Bankers Association and the Pacific Coast Banking School.

We offer situational leadership training for leaders that focuses on communication and employee engagement and endorse coaching using the tools from this program. All employees are required to complete an extensive series of quarterly digital training courses focused on bank regulatory compliance, ethics, workplace safety, security, fraud awareness and prevention and other interpersonal or leadership topics. An interactive leadership roadmap is available to assist future leaders in their career development. For the past 10 years, Heritage Bank University has been recognized as a “Champion of Learning” by The Association for Talent Development for its commitment to employee learning.

In 2024, we launched two new Leadership Certificate Programs: The Leadership Essentials Certificate is designed for employees interested in developing their leadership skills and preparing for leadership and management in the future, while the Leadership in Action Certificate is for current supervisors and managers interested in deepening their applied leadership skills. During 2025, 37 Heritage Bankers received their Leadership Certification through one of these programs.

The Company leverages an online succession planning tool to further identify next-generation leaders and establish development plans for these individuals. Over time, we expect this process to increase generational representation across all levels, including leadership positions. As of December 31, 2025, the Company’s generational representation consisted of 16% Baby Boomers (born 1945 to 1964), 37% Gen X-ers (born 1965 to 1980), 34% Millennials (born 1981 to 1996), and 12% Gen Z-ers (born 1997 to 2010). Management and the Board review leadership succession annually.

Recognition and appreciation

We host “Celebrate Great,” an active internal peer recognition platform enabling managers and employees to express appreciation and recognize their co-workers and teams. Throughout 2025, more than 3,290 e-cards were posted on Celebrate Great, with 32 individuals or teams receiving “Bravo” awards and 31 employees receiving “Standing Ovation” awards for their exceptional work. The Company celebrates employees achieving milestone anniversaries or upon retirement with a personalized yearbook and special gift.

Compensation, Benefits and Pay Equity

Offering competitive compensation and benefit programs is critical to attracting and retaining top talent in our highly competitive market areas. Employees are generally eligible for a base pay review at least once per year, as well as upon promotion or transfer. Our hiring practices prioritize pay transparency, with job postings disclosing the pay range minimum and maximum, as well as the applicable benefits package, and we do not request salary history from job applicants. We collaborate with a third party consultant periodically to evaluate hiring, promotion and other pay practices to ensure continued equity and fairness.

Further alignment is achieved by having similar corporate performance metrics cascade through most executive, management, and employee annual incentive plans.

Table of Contents

Employees working a minimum of 20 hours per week are eligible for most benefit plans, including a 401(k) Plan with an employer matching contribution, medical, dental and vision insurance, life and long-term disability insurance, public transit passes, paid parking and paid time off. Further, full-time employees enjoy up to 11 paid holidays each year and receive an annual floating holiday to be used at their discretion. Employees also accrue up to 12 days of paid sick time per year for personal use or to care for a family member. Both full-time and part-time employees accrue vacation time ranging from two and five weeks, depending on factors such as position and tenure.

Employee Wellness and Wellbeing

Our corporate culture places a strong emphasis on the wellbeing of our employees, recognizing its pivotal role in cultivating a vibrant and productive workforce. To support holistic wellbeing, we offer a range of resources.

Through our Employee Assistance Program, employees receive counseling and referral services to address challenges both at work and at home. This includes mental health counseling, financial planning, basic legal advice and dependent/elder care referrals, all at no cost to them or their household members. Additional wellness benefits are available through the Company's medical insurance plans. Moreover, enrolled members can take advantage of mental health apps, weight loss and fitness programs, smoking cessation programs and various online resources, all provided at no extra cost.

Community Involvement

As a community bank, we are committed to supporting the communities where we operate, and we actively encourage and support our employees to do the same. In 2022, the Company implemented an annual volunteer event, during which the Bank closes for half a day, providing employees with a paid opportunity to volunteer in teams at various community organizations within our operating footprint. During the 2025 Volunteer Day, Heritage employees volunteered 2,112 hours with 55 organizations. Additionally in 2025, Heritage employees volunteered 5,106 hours with 177 organizations through the Volunteer Program where employees receive 16 hours paid time annually to use for volunteer activities of their choice.

ITEM 1A. RISK FACTORS

Investing in the Company’s common stock involves a high degree of risk. The material risks and uncertainties that management believes affect the Company are described below. Before you decide to invest, you should carefully review and consider the risks described below, together with all other information included in this Form 10-K and other reports and documents the Company files with the SEC. Any of the following risks, as well as risks that the Company does not know or currently deems immaterial, could have a material adverse effect on the Company’s business, reputation, financial condition, results of operations and growth prospects.

Market and Interest Rate Risks

The Company’s business is subject to interest rate risk, and fluctuations in interest rates or monetary policy may adversely affect the Company’s business, financial condition, results of operations and growth prospects.

Fluctuations in interest rates may negatively affect the Company’s business and weaken demand for some of its products. The Company’s earnings and cash flows are primarily dependent on net interest income, which is the difference between the interest income that the Company earns on interest earning assets such as loans and investment securities, and the interest expense that the Company pays on interest-bearing liabilities such as deposits and borrowings. Changes in interest rates also affect the Company’s ability to fund operations with customer deposits and the fair value of securities in the Company’s investment portfolio. Any change in general market interest rates, including changes in federal fiscal and monetary policies, could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects. The Company’s interest earning assets and interest-bearing liabilities may react in different degrees to changes in market interest rates. Interest rates on some types of assets and liabilities may fluctuate prior to changes in broader market interest rates, while rates on other types of assets and liabilities may lag behind. The result of these changes to rates may cause differing spreads on interest earning assets and interest-bearing liabilities.

The Company could also be prevented from altering the interest rates charged on loans or from maintaining the interest rates offered on deposits and money market savings accounts due to “price” competition from other banks and financial institutions with which the Company competes.

The Company could recognize additional losses on securities held in the Company’s securities portfolio, particularly if interest rates increase or economic and market conditions deteriorate.

The foregoing factors, as well as changing economic and market conditions or other factors, could cause write-downs and realized or unrealized losses in future periods and declines in other comprehensive income, which could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects. Decreases in the fair value of investment securities available for sale resulting from

Table of Contents

increases in interest rates could have an adverse effect on stockholders’ equity, specifically AOCI, which is increased or decreased by the amount of change in the estimated fair value of our securities available for sale, net of deferred income taxes. Increases in interest rates generally decrease the fair value of securities available for sale, adversely impacting stockholders’ equity. The Company could recognize impairment loss for any security that has declined in fair value below its amortized cost basis if management has the intent to sell the security, or if it is more likely than not that it will be required to sell the security before recovery of its amortized cost basis.

The Company cannot guarantee that its stock repurchase program will be fully implemented or that it will enhance long-term shareholder value.

On April 24, 2024, the Board approved the repurchase of up to 5% of the Company's outstanding common shares, or 1,734,492 shares. This stock repurchase program supersedes the previous stock repurchase program, authorized in March 2020, which allowed for the repurchase of up to 5% of the Company's outstanding common shares, or 1,799,054 shares. The number, timing and price of shares repurchased will depend on business and market conditions, regulatory requirements, availability of funds and other factors, including opportunities to deploy the Company's capital. The Company may, in its discretion, begin, suspend or terminate repurchases at any time prior to the stock repurchase program’s expiration, without any prior notice. Even if fully implemented, the stock repurchase program may not enhance long-term shareholder value.

Credit Risks

The Company’s business depends on its ability to manage credit risk.

The Company’s banking business requires it to manage credit risk; however, default risk may arise from events or circumstances that are difficult to detect, such as fraud, or difficult to predict, such as catastrophic events affecting certain industries. As a lender, the Company is exposed to the risk that its borrowers will be unable to repay their loans according to their terms, and that the collateral securing repayment of their loans, if any, may not be sufficient to ensure repayment. In addition, there are risks inherent in making any loan, including risks with respect to the period of time over which the loan may be repaid, proper loan underwriting, changes in economic and industry conditions and those inherent in dealing with specific borrowers, including the risk that a borrower may not provide information to the Company about its business in a timely manner, may present inaccurate or incomplete information to the Company or risks relating to the value of collateral.

To manage credit risk, the Company must maintain disciplined and prudent underwriting standards and ensure that the Company’s bankers follow those standards. The weakening of these standards for any reason, such as an attempt to attract higher yielding loans, a lack of discipline or diligence by the Company’s employees in underwriting and monitoring loans, the Company’s inability to adequately adapt policies and procedures to changes in economic or any other conditions affecting borrowers and the quality of the Company’s loan portfolio may result in loan defaults, foreclosures and charge-offs and may necessitate that the Company significantly increase its allowance for credit losses, each of which could adversely affect net income. As a result, the Company’s inability to successfully manage credit risk could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

The Company’s high concentration of large loans to certain borrowers may increase the Company’s credit risk.

The Company has developed relationships with certain individuals and businesses that have resulted in a concentration of large loans to a small number of borrowers. As of December 31, 2025, the Company’s 10 largest borrowing relationships accounted for approximately 6.5% of the total loan portfolio. The Company has established an informal, internal limit on loans to one borrower, principal or guarantor, but the Company may, under certain circumstances, consider going above this internal limit in situations where management’s understanding of the industry, the borrower’s business and the credit quality of the borrower are commensurate with the increased size of the loan. If any one of these borrowers becomes unable to repay its loan obligations as a result of business, economic or market conditions, the Company’s nonaccruing loans and provision for loan losses could increase significantly, which could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

The Company’s allowance for credit losses may prove to be insufficient to absorb potential losses in its loan portfolio.

Lending money is a substantial part of our business. Every loan carries a certain risk that it will not be repaid in accordance with its terms or that any underlying collateral will not be sufficient to assure repayment. This risk is affected by, among other things:

•the cash flows of the borrower, guarantors and/or the project being financed;

•the changes and uncertainties as to the future value of the collateral, in the case of a collateralized loan;

•the character and creditworthiness of a particular borrower or guarantor;

•changes in economic and industry conditions; and

•the duration of the loan.

The ACL on loans is a valuation account that is deducted from the amortized cost of loans receivable to present the net amount expected to be collected. Loans are charged-off through the ACL on loans when management believes the uncollectibility of a loan balance is considered probable. Subsequent recoveries, if any, are recorded to the ACL on loans. The Company records the changes in the ACL on loans through earnings as a "Provision for (reversal of) credit losses" on the Consolidated Statements of Income.

The determination of the appropriate level of ACL on loans inherently involves a high degree of subjectivity and requires us to make significant estimates of current credit risks and future trends, all of which may undergo material changes. If our estimates are incorrect, the ACL on loans may not be sufficient to cover expected losses in our loan portfolio, resulting in the need for

Table of Contents

increases in our ACL on loans through the provision for credit losses. Management also recognizes that significant new growth in loan segments and new loan products can result in loans segments comprised of unseasoned loans that may not perform in a historical or projected manner and will increase the risk that our ACL on loans may be insufficient to absorb losses without significant additional provisions.

Deterioration in economic conditions affecting borrowers, new information regarding existing loans, identification of additional problem loans and other factors, both within and outside of our control, may require an increase in the ACL on loans. If current conditions in the housing and real estate markets weaken, we expect we will experience increased delinquencies and credit losses. Bank regulatory agencies also periodically review our ACL on loans and may require an increase in the provision for credit losses or the recognition of further loan charge-offs, based on their judgments about information available to them at the time of their examination. In addition, if charge-offs in future periods exceed the ACL on loans, we will need additional provisions to increase the ACL on loans.

A decline in the business and economic conditions in the Company’s market areas could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

The Company’s business activities and credit exposure, including real estate collateral for many of its loans, are concentrated in the states of Washington, Oregon and Idaho, although the Company also pursues business opportunities nationally. Adverse economic developments in our market areas, among other things, could affect the volume of loan originations, increase the level of nonperforming assets, increase the rate of foreclosure losses on loans, reduce the value of the Company’s loans and affect the Company’s business, financial condition, results of operations and growth prospects. Any regional or local economic downturn that affects the Company’s market areas or existing or prospective borrowers or property values in such areas may affect the Company and the Company’s profitability more significantly and more adversely than the Company’s competitors whose operations are less geographically concentrated.

Negative changes in the economy affecting real estate values and liquidity, as well as environmental factors, could impair the value of collateral securing the Company’s real estate loans and result in loan and other losses.

At December 31, 2025, approximately 79.3% of the Company’s total loan portfolio was comprised of loans with real estate as the primary component of collateral. The repayment of such loans is highly dependent on the ability of the borrowers to meet their loan repayment obligations to us, which can be adversely affected by economic downturns and other factors. The market value of real estate can fluctuate significantly in a short period of time as a result of interest rates and market conditions in the area in which the real estate is located and some of these values have been negatively affected by the rise in prevailing interest rates. Additionally, the repayment of commercial real estate loans generally is dependent, in large part, on sufficient income from the properties securing the loans to cover operating expenses and debt service.

Many of the Company’s loans are to commercial borrowers, which have a higher degree of risk than other types of loans.

Commercial and industrial loans represented 17.1% of the Company’s total loan portfolio at December 31, 2025. These loans can be larger in size and involve greater risks than other types of lending. Because payments on such loans are often dependent on the successful operation of the business involved, repayment is often more sensitive than other types of loans to the general business climate and economy. A challenging business and economic environment generally, or in certain specific industries, may increase the Company’s risk related to commercial loans. Cumulative effects of inflation, labor shortages or employee turnover, supply chain constraints and the threat of new tariffs, mass deportations and changes in tax regulations implemented by the current Presidential administration may adversely affect commercial and industrial loans, especially if general economic conditions worsen. Inventory and equipment may depreciate over time, be difficult to appraise and fluctuate in value based on the success of the business and economic trends. If the cash flow from business operations is reduced, the borrower’s ability to repay the loan may be impaired. Due to the larger average size of each commercial loan as compared with other loans such as residential loans, as well as collateral that is generally less readily-marketable, losses recorded on a small number of commercial loans could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

Nonperforming assets take significant time and resources to resolve and adversely affect the Company’s net interest income.

The Company’s nonperforming assets adversely affect net interest income in various ways. The Company does not record interest income on nonaccrual loans or foreclosed assets, thereby adversely affecting net income and returns on assets and equity. When the Company takes collateral in foreclosure and similar proceedings, the Company is required to mark the collateral to its then-fair market value, which may result in a loss. The resolution of nonperforming assets requires significant time commitments from management, which increase the

Table of Contents

Company’s loan administration costs and adversely affect its efficiency ratio. If the Company experiences increases in nonperforming assets, net interest income may be negatively impacted and the Company’s loan administration costs could increase, each of which could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

Liquidity and Funding Risks

Liquidity risks could affect the Company’s operations and jeopardize its business, financial condition, results of operations and growth prospects.

Liquidity is essential to the Company’s business. Generally, liquidity risk is the risk of being unable to fund obligations to creditors, including, in the case of financial institutions, obligations to depositors, as such obligations become due and/or fund the acquisition of assets, as they come due, and is inherent in the Company’s operations. An inability to raise funds through deposits, borrowings, the sale of loans or investment securities, and from other sources could have a substantial negative effect on our liquidity. The Company’s most important source of funds consists of customer deposits, which can decrease for a variety of reasons, including when customers perceive alternative investments, such as bonds, treasuries or stocks, as providing a better risk/return trade off.

Additionally, uninsured deposits have historically been viewed by the FDIC as less stable than insured deposits. If a significant portion of our deposits were to be withdrawn within a short period of time such that additional sources of funding would be required to meet withdrawal demands, the Company may be unable to obtain funding on favorable terms, which may have an adverse effect on our net interest margin. Moreover, obtaining adequate funding to meet our deposit obligations may be more challenging during periods of higher prevailing interest rates. Our ability to attract depositors during a time of actual or perceived distress or instability in the marketplace may be limited. Interest rates paid for borrowings generally exceed the interest rates paid on deposits, which spread may be exacerbated during a time of higher prevailing interest rates. In addition, because our available for sale securities lose value when interest rates rise, after-tax proceeds resulting from the sale of such assets may be diminished during periods when interest rates are elevated. Under such circumstances, we may be required to access funding from sources such as the FRB’s discount window in order to manage our liquidity risk.

Economic conditions and a loss of confidence in financial institutions may increase the Company’s cost of funding and limit access to certain customary sources of capital, including inter-bank borrowings and borrowings from the discount window of the FRB.

The Company may not be able to maintain a strong core deposit base or other low cost funding sources.

The Company supplements its core deposit funding with non-core, short-term funding sources, including brokered deposits, FHLB advances and borrowings from the FRB. If the Company is unable to pledge sufficient qualifying collateral to secure funding from the FHLB, it may lose access to this source of liquidity. If the Company is unable to access any of these types of funding sources or if its costs related to them increases, its liquidity and ability to support demand for loans could be materially adversely affected.

The Company’s liquidity is largely dependent on dividends from the Bank.

The Company is a legal entity separate and distinct from the Bank. A substantial portion of the Company’s cash flow, including cash flow to pay principal and interest on the Company’s debt, comes from dividends the Company receives from the Bank. Federal and state laws and regulations limit the amount of dividends that the Bank may pay to the Company. In the event the Bank is unable to pay dividends to the Company, it may not be able to service its debt, which could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

The Company may need to raise additional capital in the future, and failure to maintain sufficient capital would adversely affect its business, financial condition, results of operations, growth prospects and ability to maintain regulatory compliance with capital requirements.

The Company faces significant capital and other regulatory requirements as a financial institution. The Company may need to raise additional capital in the future to provide sufficient capital resources and liquidity to meet its commitments and business needs, including possible acquisition financing. In addition, the Company, on a consolidated basis, and the Bank, on a stand-alone basis, must meet certain regulatory capital requirements and maintain sufficient liquidity. Regulatory capital requirements

Table of Contents

could increase from current levels, which could require the Company to raise additional capital or contract the Company’s operations. The Company’s ability to raise additional capital depends on conditions in the capital markets, economic conditions and a number of other factors, including investor perceptions regarding the banking industry, market conditions, governmental activities, the Company’s credit ratings, its ability to maintain a listing on Nasdaq and its financial condition and performance. Accordingly, the Company cannot provide assurances that it will be able to raise additional capital if needed or on terms acceptable to the Company. If the Company fails to maintain capital to meet regulatory requirements, or is unable to raise capital to meet its business needs, its business, financial condition, results of operations and growth prospects would be materially and adversely affected.

The Company may be adversely affected by changes in the actual or perceived soundness or condition of other financial institutions.

Financial services institutions that deal with each other are interconnected as a result of trading, investment, liquidity management, clearing, counterparty, reputational and other relationships. Concerns about, or a default by, one institution could lead to significant liquidity problems and losses or defaults by other institutions, as the commercial and financial soundness of many financial institutions is closely related as a result of these credit, trading, clearing and other relationships. Even the perceived lack of creditworthiness of, or questions about, a counterparty may lead to market-wide liquidity problems and losses or defaults by various institutions. For example, certain community banks experienced deposit outflows following the bank failures in 2023. This systemic risk may adversely affect financial intermediaries with which the Company interacts on a daily basis or key funding providers such as the FHLB, any of which could have a material adverse effect on the Company’s access to liquidity or otherwise have a material adverse effect on its business, financial condition, results of operations and growth prospects.

Operational, Strategic and Reputational Risks

The Company may not be successful in implementing its organic growth strategy, which could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

Part of the Company’s business strategy is to focus on organic growth, which includes leveraging the Company’s business lines across the Company’s entire customer base, enhancing brand awareness and building the Company’s infrastructure. The Company may not be successful in generating organic growth if as a result of numerous factors, including delays in introducing and implementing new products and services and other impediments resulting from regulatory oversight or lack of qualified personnel at the Company’s office locations. In addition, the success of the Company’s organic growth strategy will depend on maintaining sufficient regulatory capital levels, the Company’s ability to raise additional capital to implement its business plan and on favorable economic conditions in the Company’s primary market areas. Failure to adequately manage the risks associated with the Company’s anticipated organic growth could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

In addition to the Company’s organic growth strategy, it intends to expand business by acquiring other banks and financial services companies, but may not be successful in doing so, either because of an inability to find suitable acquisition candidates, constrained capital resources or otherwise.

While a key element of the Company’s business strategy is to grow the Company’s banking franchise and increase the Company’s market share through organic growth, the Company has historically supplemented its organic growth through acquisitions of other financial institutions, including the recent acquisition of Olympic. It will also depend on market conditions over which the Company has no control. Moreover, most acquisitions require the approval of the Company’s bank regulators, and the Company may not be able to obtain such approvals on acceptable terms, or at all. Acquiring other financial institutions involve risks commonly associated with acquisitions, including:

•potential exposure to unknown or contingent liabilities of the banks and businesses the Company acquires;

•exposure to potential asset and credit quality issues of the acquired bank or related business;

•difficulty and expense of integrating the operations, culture and personnel of banks and businesses the Company acquires, including higher than expected deposit attrition;

•potential disruption to the Company’s business;

•potential restrictions on the Company’s business resulting from the regulatory approval process;

•an inability to realize the expected revenue increases, costs savings, gains in market share or other anticipated benefits;

•an inability to successfully integrate the employees, customers and operations of the acquired bank or related business;

•potential diversion of the Company’s management’s time and attention; and

•the possible loss of key employees and customers of the banks and businesses the Company acquires.

The occurrence of fraudulent activity, breaches or failures of the Company’s information security controls or cybersecurity related incidents could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

Table of Contents

As a financial institution, the Company is susceptible to fraudulent activity, information security breaches and cybersecurity-related incidents that may be committed against the Company, its customers or third parties with whom it interacts, which may result in financial losses or increased costs to the Company or its customers, disclosure or misuse of the Company’s information or its customer information, misappropriation of assets, privacy breaches against the Company’s customers, litigation or damage to the Company’s reputation. Such fraudulent activity may take many forms, including check fraud, electronic fraud, wire fraud, phishing, social engineering and other dishonest acts.

Consistent with industry trends, the Company has also experienced an increase in attempted electronic fraudulent activity, security breaches and cybersecurity related incidents in recent periods. During 2025, the Company is not aware of having experienced any misappropriation, loss or other unauthorized disclosure of confidential or personally identifiable information having a material impact on the Company as a result of a direct cyber security breach or other act on the Bank; however, some of the Company’s customers and third party vendors may have been affected by such breaches, which could increase their risks of identity theft and other fraudulent activity that could involve customer accounts at the Bank.

Breaches of information security also may occur through intentional or unintentional acts by those having access to the Company’s systems or the confidential information of its customers, including employees.

Issues with the use of artificial intelligence in our marketplace may result in reputational harm or liability, or could otherwise adversely affect the Company’s business.

Artificial intelligence, including generative artificial intelligence, is or may be enabled by or integrated into the Company’s products or those developed by its third party partners. As with many developing technologies, artificial intelligence presents risks and challenges that could affect its further development, adoption, and use, and therefore our business. Artificial intelligence algorithms may be flawed; for example datasets may contain biased information or otherwise be insufficient, and inappropriate or controversial data practices could impair the acceptance of artificial intelligence solutions and result in burdensome new regulations. If the analyses of those products incorporating artificial intelligence assist in producing for the Company or its third party partners are deficient, biased or inaccurate, the Company could be subject to competitive harm, potential legal liability and brand or reputational harm. The use of artificial intelligence may also present ethical issues. If the Company or its third party partners offer artificial intelligence enabled products that are controversial because of their purported or real impact on human rights, privacy, or other issues, the Company may experience competitive harm, potential legal liability and brand or reputational harm. In addition, the Company expects that governments will continue to assess and implement new laws and regulations concerning the use of artificial intelligence, which may affect or impair the usability or efficiency of products and services and those developed by the Company’s third party partners.

The Company depends on information technology and telecommunications systems, and any systems failures, interruptions or data breaches involving these systems could adversely affect the Company’s operations and financial condition.

The risks resulting from use of these systems result from a variety of factors, both internal and external. The Company is vulnerable to the impact of failures of its systems to operate as needed or intended. Such failures could include those resulting from human error, unexpected transaction volumes, intentional attacks or overall design or performance issues.

The Company outsources to third parties many of its major systems, such as data processing and mobile and online banking. The Company could also experience service denials if demand for such services exceeds capacity or such third party systems fail or experience interruptions. A system failure or service denial could result in a deterioration of the Company’s ability to process loans or gather deposits and provide customer service, compromise the Company’s ability to operate effectively, result in potential noncompliance with applicable laws or regulations, damage the Company’s reputation, result in a loss of customer business or subject the Company to additional regulatory scrutiny and possible financial liability, any of which could have a material adverse effect on its business, financial condition, results of operations and growth prospects. In addition,

Table of Contents

failures of third parties to comply with applicable laws and regulations, or fraud or misconduct on the part of employees of any of these third parties, could disrupt the Company’s operations or adversely affect its reputation.

Even if the Company is able to replace them, it may result in higher costs or losses of customers. Any such events could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

The Company has a continuing need for technological change, and may not have the resources to effectively implement new technologies or may experience operational challenges when implementing new technologies.

The Company’s future success will depend in part upon its, and its third party partners’, ability to address the needs of the Company’s customers by using technology to provide products and services that will satisfy customer demands for convenience as well as to create additional efficiencies in operations. The Company may experience operational challenges as it implements these new technology enhancements, which could result in the Company not fully realizing the anticipated benefits from such new technology or require the Company to incur significant costs to remedy any such challenges in a timely manner. Many of the Company’s larger competitors have substantially greater resources to invest in technological improvements. As a result, they may be able to offer additional or superior products to those that the Company will be able to offer, which would put the Company at a competitive disadvantage. Accordingly, a risk exists that the Company will not be able to effectively implement new technology-driven products and services or be successful in marketing such products and services to customers.

In addition, the implementation of technological changes and upgrades to maintain current systems and integrate new ones may also cause service interruptions, transaction processing errors and system conversion delays and may cause the Company to fail to comply with applicable laws. The Company expects that new technologies and business processes applicable to the financial services industry will continue to emerge, and these new technologies and business processes may be better than those the Company currently uses. Because the pace of technological change is high and the Company’s industry is intensely competitive, it may not be able to sustain the Company’s investment in new technology as critical systems and applications become obsolete or as better ones become available. A failure to successfully keep pace with technological change affecting the financial services industry and failure to avoid interruptions, errors and delays could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

The Company’s use of third party vendors and its other ongoing third party business relationships is subject to increasing regulatory requirements and attention.

The Company’s use of third party vendors for certain information systems is subject to increasingly demanding regulatory requirements and attention by the Company’s federal bank regulators. Recent regulations require the Company to enhance its due diligence, ongoing monitoring and control over the Company’s third party vendors and other ongoing third party business relationships. In certain cases, the Company may be required to renegotiate the Company’s agreements with these vendors to meet these enhanced requirements, which could increase costs. The Company expects that regulators will hold the Company responsible for deficiencies in oversight and control of its third party relationships and in the performance of the parties with which the Company has these relationships. As a result, if the Company’s regulators conclude that it has not exercised adequate oversight and control over the Company’s third party vendors or other ongoing third party business relationships or that such third parties have not performed appropriately, the Company could be subject to enforcement actions, including civil money penalties or other administrative or judicial penalties or fines, as well as requirements for customer remediation, any of which could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

The Company is highly dependent on its management team and employees, and the loss of any of these individuals, or the inability to attract and retain qualified personnel, could harm the Company’s ability to implement its strategic plan and impair the Company’s relationships with customers.

The Company’s success is dependent, to a large degree, upon the continued service and skills of the Company’s executive management team and employees. Leadership changes may occur from time to time, and the Company cannot predict whether significant retirements or resignations will occur or whether the Company will be able to recruit additional qualified personnel.

Competition for high quality personnel is strong and the Company may not be successful in attracting or retaining the personnel it requires, and means the cost of hiring, incentivizing and retaining skilled personnel may continue to increase. In particular, many of the Company’s competitors are significantly larger with greater financial resources and may be able to offer more attractive compensation packages and broader career opportunities. Additionally, the Company may incur significant expenses and expend significant time and resources on training, integration, and business development before the Company is able to determine whether a new employee will be profitable or effective in their role. The loss of the services of any senior executive or other key personnel, the inability to recruit and retain qualified personnel in the future or the failure to develop and implement a viable

Table of Contents

succession plan could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

The Company faces intense competition from other banks and non-bank financial services companies that could hurt its business.

The Company competes with national commercial banks, regional banks, private banks, mortgage companies, online lenders, savings banks, credit unions, non-bank financial services companies and other financial institutions, including investment advisory and wealth management firms, fintech companies and digital asset service providers and securities brokerage firms, operating within or near the areas the Company serves. Many of the Company’s non-bank competitors are not subject to the same extensive regulations that govern the Company’s activities and may have greater flexibility in competing for business. The financial services industry could become even more competitive as a result of legislative, regulatory and technological changes and continued consolidation.

While the Company does not offer products relating to digital assets, including cryptocurrencies, stablecoins and other similar assets, there has been a significant increase in digital asset adoption globally over the past several years. Certain characteristics of digital asset transactions, such as the speed with which such transactions can be conducted, the ability to transact without the involvement of regulated intermediaries, the ability to engage in transactions across multiple jurisdictions, and the anonymous nature of the transactions, are appealing to certain consumers notwithstanding the various risks posed by such transactions. Accordingly, digital asset service providers—which, at present are not subject to the same degree of scrutiny and oversight as banking organizations and other financial institutions—are becoming active competitors to more traditional financial institutions. The process of eliminating banks as intermediaries, known as “disintermediation,” could result in the loss of fee income, as well as the loss of customer deposits and the related income generated from using those deposits to fund loans and investment securities. The loss of these revenue streams and the lower cost deposits as a source of funds could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

The Company’s dividend policy may change.

Although the Company has historically paid dividends to its shareholders and currently intends to maintain or increase its dividend levels in future quarters, the Company has no obligation to continue doing so and may change its dividend policy at any time without providing notice to the Company’s shareholders. Holders of the Company’s common shares are only entitled to receive such cash dividends as the Board, in its discretion, may declare out of funds legally available for such payments. Further, consistent with the Company’s strategic plans, growth initiatives, capital availability, projected liquidity needs, and other factors, the Company has made, and will continue to make, capital management decisions and policies that could adversely impact the amount of dividends paid to the Company’s common shareholders.

The Company’s ability to declare and pay dividends is also dependent on federal regulatory considerations, including guidelines of the Federal Reserve regarding capital adequacy and dividends. It is the policy of the Federal Reserve that bank holding companies should generally pay dividends on capital stock only out of earnings, and only if prospective earnings retention is consistent with the organization’s expected future needs, asset quality and financial condition. The Company is a separate and distinct legal entity from its subsidiaries, including the Bank. The Company receives substantially all of its revenue from dividends from the Bank, which it uses as the principal source of funds to pay dividends. Various federal and state laws and regulations limit the amount of dividends that the Bank may pay to the Company.

Future issuances of common stock could result in dilution, which could cause the Company’s common stock price to decline.

The Company is generally not restricted from issuing additional shares of common stock up to the amount authorized in its Articles of Incorporation. Currently, there are 50,000,000 shares of common stock authorized in the Company’s Articles of Incorporation, which may be increased by a vote of the holders of a majority of the Company’s shares of common stock. The Company may issue additional shares of common stock in the future pursuant to current or future equity compensation plans, upon conversions of preferred stock or debt, or in connection with future acquisitions or financings.

The Company may issue shares of preferred stock in the future, which could make it difficult for another company to acquire the Company or could otherwise adversely affect holders of the Company’s common stock, which could depress the price of the Company’s common stock.

Although there are currently no shares of the Company’s preferred stock issued and outstanding, the Company’s Articles of Incorporation authorize it to issue up to 2,500,000 shares of one or more series of preferred stock. The Board also has the power, without shareholder approval, to set the terms of any series of preferred stock that may be issued, including voting rights, dividend rights, preferences over the Company’s common shares with respect to dividends or in the event of a dissolution, liquidation or winding up, and other terms. If the Company issues preferred stock in the future that has a preference over the Company’s common stock with respect to the payment of dividends or upon the Company’s liquidation, dissolution or winding up, or if the Company issues preferred stock with voting rights that dilute the voting power of the Company’s common stock, the rights of the holders of the Company’s common stock or the market price of its common stock could be adversely affected. In addition, the ability of the Board to issue shares of preferred stock without any action on the part of the Company’s shareholders may impede a takeover of the Company and prevent a transaction perceived to be favorable to the Company’s shareholders.

Table of Contents

The Company’s business and operations may be adversely affected by weak economic conditions and global trade.

The Company’s businesses and operations are sensitive to general business and economic conditions. If the U.S. economy weakens, the Company’s growth and profitability from its lending, deposit and investment operations could be constrained. In addition, economic conditions in foreign countries and weakening global trade due to increased anti-globalization sentiment, international conflicts, and tariff activity could affect the stability of global financial markets, which could hinder the economic growth of the U.S. Adverse economic conditions and government policy responses to such conditions could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

In addition, such events could affect the stability of the Company’s deposit base, impair the ability of borrowers to repay outstanding loans, impair the value of collateral securing loans, cause significant property damage, result in loss of revenue or cause the Company to incur additional expenses.

Legal, Accounting and Compliance Risks

The Company’s risk management framework may not be effective in mitigating risks or losses to the Company.

The Company’s risk management framework is comprised of various processes, systems and strategies, and is designed to manage the types of risk to which the Company is subject, including, among others, credit, market, liquidity, interest rate and compliance risk. The Company’s risk management framework also includes financial or other modeling methodologies that involve management assumptions and judgment. The Company’s risk management framework may not be effective under all circumstances, and may not adequately mitigate any risk or loss. If the Company’s framework is not effective, the Company could suffer unexpected losses and its business, reputation, financial condition, results of operations and growth prospects could be materially and adversely affected. The Company may also be subject to potentially adverse regulatory consequences.

The Company’s accounting estimates and risk management processes and controls rely on analytical and forecasting techniques and models and assumptions, which may not accurately predict future events.

The Company’s accounting policies and methods are fundamental to the way it records and reports its financial condition and results of operations. In some cases, management must select the accounting policy or method to apply from two or more alternatives, any of which may be reasonable under the circumstances, yet which may result in the reporting of materially different results than would have been reported under a different alternative. If the Company’s underlying assumptions or estimates prove to be incorrect, it could have a material adverse effect on its business, financial condition, results of operations and growth prospects.

The Company’s risk management processes, internal controls, disclosure controls and corporate governance policies and procedures are based in part on certain assumptions and can provide only reasonable (not absolute) assurances that the objectives of the system are met. Any failure or circumvention of the Company’s controls, processes and procedures or failure to comply with applicable regulations could necessitate changes in those controls, processes and procedures, which may increase the Company’s compliance costs, divert management attention from its business or subject the Company to regulatory enforcement actions and increased regulatory scrutiny. Any of these could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

Changes in accounting policies or standards could materially impact the Company’s financial statements.

From time to time, FASB, PCAOB or the SEC may change the financial accounting and reporting standards that govern the preparation of the Company’s financial statements. Such changes may result in the Company becoming subject to new or changing accounting and reporting standards. In addition, the agencies and other entities that interpret the accounting standards (such as banking regulators or outside auditors) may change their interpretations or positions on how these standards should be applied. In addition, trends in financial and business reporting, including environmental, social and governance related disclosures, could require the Company to incur additional reporting expense. These changes may be beyond the Company’s control, can be hard to predict and can materially impact how the Company records and reports its financial condition and results of operations. In some cases, the Company could be required to apply a new or revised standard retroactively, or apply an existing standard differently, in each case resulting in the Company’s needing to revise or restate prior period financial statements.

The obligations associated with being a public company require significant resources and management attention, which divert time and attention from the Company’s business operations.

Table of Contents

As a public company, the Company is subject to the reporting requirements of the Exchange Act and SOX. The Exchange Act requires, among other things, that the Company file annual, quarterly and current reports with respect to its business and financial condition with the SEC. SOX requires, among other things, that the Company establish and maintain effective internal controls and procedures for financial reporting. Compliance with these reporting requirements and other rules and regulations, including periodic revisions to and additional rules and regulations of the SEC, could increase the Company’s legal and financial compliance costs and make some activities more time consuming and costly. Further, the need to maintain the corporate infrastructure demanded of a public company is expensive and may divert management’s attention from implementing the Company’s strategic plan, which could prevent the Company from successfully implementing the Company’s growth initiatives and improving its business, results of operations and financial condition.

The financial reporting resources the Company has put in place may not be sufficient to ensure the accuracy of the additional information the Company is required to disclose as a publicly listed company.

As a public company, the Company is subject to heightened financial reporting standards under GAAP and SEC rules, including extensive levels of disclosure.

Litigation and regulatory actions, including possible enforcement actions, could subject the Company to significant fines, penalties, judgments or other requirements resulting in increased expenses or restrictions on the Company’s business.

The Company’s business is subject to increased litigation and regulatory risks because of a number of factors, including the highly regulated nature of the financial services industry and the focus of state and federal prosecutors on banks and the financial services industry generally. In the normal course of business, from time to time, the Company has in the past and may in the future be named as a defendant in various legal actions, including arbitrations, class actions and other litigation, arising in connection with the Company’s current or prior business or acquisition activities. Legal actions could include claims for substantial compensatory or punitive damages or claims for indeterminate amounts of damages. The Company may also, from time to time, be the subject of subpoenas, requests for information, reviews, investigations and proceedings (both formal and informal) by governmental agencies regarding the Company’s current or prior business or acquisition activities. Any such legal or regulatory actions may subject the Company to substantial compensatory or punitive damages, significant fines, penalties, obligations to change the Company’s business practices or other requirements resulting in increased expenses, diminished income and damage to the Company’s reputation. The Company’s involvement in any such matters, whether tangential or otherwise and even if the matters are ultimately determined in the Company’s favor, could also cause significant harm to the Company’s reputation and divert management attention from the operation of the Company’s business. Further, any settlement, enforcement action or adverse judgment in connection with any formal or informal proceeding or investigation by government agencies may result in litigation, investigations or proceedings as other litigants and government agencies begin independent reviews of the same activities. As a result, the outcome of legal and regulatory actions could have a material adverse effect on the Company’s business, reputation, financial condition, results of operations and growth prospects.

The Company is subject to extensive regulation, and the regulatory framework that applies to the Company, together with any future legislative or regulatory changes, may significantly affect its operations.

The banking industry is highly regulated and supervised under both federal and state laws and regulations that are intended primarily for the protection of depositors, customers, the federal deposit insurance fund and the banking system as a whole, and not for the protection of the Company’s shareholders. The Company is subject to supervision and regulation by the Federal Reserve, and the Bank is subject to supervision and regulation by the FDIC and the DFI. The laws and regulations applicable to the Company govern a variety of matters, including permissible types, amounts and terms of loans and investments the Company may make, the maximum interest rate that may be charged, the types of deposits the Company may accept and the amount of reserves the Company must hold on such deposits, maintenance of adequate capital and liquidity, changes in the control of the Company and the Bank, restrictions on dividends and the establishment of new offices. The Company must obtain approval from its regulators before engaging in certain activities, and there is the risk that such approvals may not be obtained, either in a timely manner or at all. The Company’s regulators also have the ability to compel it to take certain actions, or restrict it from taking certain actions, such as actions that the Company’s regulators deem to constitute an unsafe or unsound banking practice. The Company’s failure to comply with any applicable laws or regulations, or regulatory policies and interpretations of such laws and regulations, could result in the imposition of enforcement actions or sanctions by regulatory agencies, civil money penalties or damage to the Company’s reputation, all of which could have a material adverse effect on its business, financial condition, results of operations and growth prospects.

While the Company endeavors to maintain safe banking practices and controls beyond the regulatory requirements applicable to the Company, its internal controls may not match those of larger banking institutions that are subject to increased regulatory oversight. Financial institutions generally have also been subjected to increased scrutiny from regulatory authorities, which has

Table of Contents

resulted, and may continue to result in, increased costs of doing business, and may in the future, result in decreased revenues and net income, reduce the Company’s ability to compete effectively, to attract and retain customers, or make it less attractive for the Company to continue providing certain products and services. Any future changes in federal and state laws and regulations, as well as the interpretation and implementation of such laws and regulations, could affect the Company in substantial and unpredictable ways, including those listed above or other ways that could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

There is uncertainty surrounding potential legal, regulatory and policy changes by new presidential administrations in the United States that may directly affect financial institutions and the global economy.

These changes typically impact the level of oversight and focus on the financial services industry. The nature, timing and economic and political effects of potential changes to the current legal and regulatory framework affecting financial institutions remain highly uncertain, and may take time to be implemented. Uncertainty surrounding future changes may adversely affect our operating environment and therefore our business, financial condition, results of operations and growth prospects.

Banking regulators periodically examine the Company’s business, and the Company may be required to remediate adverse examination findings.

The Federal Reserve, FDIC and DFI periodically examine the Company and the Bank, including their operations and compliance with laws and regulations. If, as a result of an examination, a banking agency were to determine that the Company’s financial condition, capital resources, asset quality, asset concentrations, earnings prospects, management, liquidity, sensitivity to market risk or other aspects of any of the Company’s operations had become unsatisfactory, or that the Company was in violation of any law or regulation, they may take a number of different remedial actions as they deem appropriate. These actions include the power to enjoin “unsafe or unsound” practices, to require affirmative action to correct any conditions resulting from any violation or practice, to issue an administrative order that can be judicially enforced, to direct an increase in the Company’s capital, to restrict the Company’s growth, to assess civil monetary penalties, to fine or remove officers and directors and, if it is concluded that such conditions cannot be corrected or there is an imminent risk of loss to depositors, to terminate the Company’s deposit insurance and place the Company into receivership or conservatorship. Any regulatory action against the Company could have a material adverse effect on its business, reputation, financial condition, results of operations and growth prospects.

Regulations relating to privacy, information security and data protection could increase the Company’s costs, affect or limit how the Company collects and use personal information and adversely affect its business opportunities.

The Company is subject to various privacy, information security and data protection laws, including requirements concerning security breach notification, and the Company could be negatively affected by these laws. Various state and federal banking regulators and states have also enacted data security breach notification requirements with varying levels of individual, consumer, regulatory or law enforcement notification in certain circumstances in the event of a security breach. Legislators and regulators are also increasingly adopting or revising privacy, information security and data protection laws, including with respect to the use of artificial intelligence by financial institutions and their service providers, that potentially could have a significant impact on the Company’s current and planned privacy, data protection and information security-related practices, the Company’s collection, use, sharing, retention and safeguarding of consumer or employee information and some of the Company’s current or planned business activities. This could also increase the Company’s costs of compliance and business operations and could reduce income from certain business initiatives.

The Federal Reserve may require the Company to commit capital resources to support the Bank.

A bank holding company is required by law to act as a source of financial and managerial strength to a subsidiary bank and to commit resources to support such subsidiary bank. Under the “source of strength” doctrine, the Federal Reserve may require a bank holding company to make capital injections into a troubled subsidiary bank and may charge the bank holding company with engaging in unsafe and unsound practices for failure to commit resources to a subsidiary bank. A capital injection may be required at times when the holding company may not have the resources to provide it and therefore may be required to borrow the funds or raise capital, which could result in a material adverse effect on its business, financial condition, results of operations and growth prospects, and could negatively impact the price of its common stock.

The level of the Company’s commercial real estate portfolio may subject the Company to heightened regulatory scrutiny.

The federal banking regulators have issued the Concentrations in Commercial Real Estate Lending, Sound Risk Management Practices guidance, or CRE Guidance, which provides supervisory criteria, including the following numerical indicators, to assist bank examiners in identifying banks with potentially significant commercial real estate loan concentrations that may warrant greater supervisory scrutiny: (i) commercial real estate loans exceeding 300% of capital and increasing 50% or more in the preceding three years; or (ii) construction and land development loans exceeding 100% of capital. The CRE Guidance does not limit the Bank’s levels of commercial real estate lending activities, but rather, guides institutions in developing risk management practices and levels of capital that are commensurate with the level and nature of their commercial real estate concentrations. The federal bank agencies expect FDIC-insured institutions to maintain underwriting discipline and exercise prudent risk-management practices to identify, measure, monitor, and manage the risks arising from CRE lending. In addition, FDIC-insured institutions must maintain capital commensurate with the level and nature of their CRE concentration risk. As of December 31, 2025, the Bank did not exceed these guidelines.

Table of Contents

If the goodwill that the Company recorded in connection with the Company’s recent acquisitions becomes impaired, it could have a negative impact on its financial condition and results of operations.

As of December 31, 2025, the Company had goodwill of $240.9 million, or 26.1% of the Company’s total stockholders’ equity. As a result of its recent acquisition of Olympic, completed in January 2026, the Company will record additional goodwill which will be determined over the measurement period and subject to measurement period adjustments. The excess purchase price over the fair value of net assets acquired in certain mergers and acquisitions, or goodwill, is evaluated for impairment at least annually and on an interim basis if specific events suggest potential impairment. In testing for impairment, the Company conducts a qualitative assessment, and also estimates the fair value of net assets based on analyses of its market value, discounted cash flows and peer values. Consequently, the determination of the fair value of goodwill is sensitive to market-based economics and other key assumptions. Variability in market conditions or in key assumptions could result in impairment of goodwill, which is recorded as a non-cash adjustment to income. An impairment of goodwill could have a material adverse effect on the Company’s business, financial condition, results of operations and growth prospects.

ITEM 1B. UNRESOLVED STAFF COMMENTS

The Company has no unresolved staff comments from the SEC as it relates to the Company's financial information as reported in this Form 10-K.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Enterprise Risk Management and Technology Risk Management. The Company's Enterprise Risk Management program and team plays a pivotal role in overseeing the organization's risk posture, specifically focusing on the implementation of a holistic risk management program for overseeing the assessment and appropriate control of information and cybersecurity risks. Risks identified are subject to rigorous controls, ensuring both design and operational effectiveness and adherence to regulatory requirements. Instances where a risk is identified as inadequately controlled are promptly reported to Management requiring formal dispositioning and/or remediation activities and those activities are tracked and reported to the Risk and Technology Committee of the Board, until measures are implemented to reduce the risk to an acceptable level.

Identification of risks is a multifaceted process, encompassing diverse activities such as the execution of formal risk assessments, as described above, management self-disclosures, monitoring of regulatory and interagency authorities, engagement with professional and industry forums, internal and external audits, collaboration with third-party professional services, policy reviews and walkthroughs, adherence to best practice frameworks, leveraging subject matter expertise and industry experience, and maintaining a collaborative relationship with third party service providers/vendors. The dedicated Technology Risk Management team operates a continuous risk management framework, utilizing information gathered daily, weekly, monthly, quarterly and annually to provide insights into the state of controlled risk within the organization. Security testing and assurance activities are performed internally and are outsourced to independent audit and security firms based on factors such as resource capacity, subject matter expertise, regulatory requirements, and the prevailing rate and condition of risk.

Daily operational activities are in place to ensure the achievement and implementation of security requirements, including the management of the Bank’s security architecture, monitoring for potential security events or incidents, and the reporting and response to detected threats in our technology environments. The Information and Cyber Security Policy and Program establishes the additional policies and standards the Bank is required to implement in support of these practices and processes. Additionally, we maintain a compliant and comprehensive Security Incident Response Plan, incorporating accessible resources such as insurance providers, digital and cyber forensic experts and law enforcement, along with documentation of regulatory notification requirements. Our practices are interdependent with third party vendors, and we collaborate appropriately with these partners on notification and investigation processes to ensure complete visibility into security risks and events.

From time-to-time, we have identified cybersecurity threats that require us to make changes to our processes and to implement additional safeguards. While none of these identified threats or incidents have materially affected us, it is possible that threats and incidents we identify in the future could have a material adverse effect on our business strategy, reputation, results of operations and financial condition. During the reporting period, the Company had not experienced any material cybersecurity events or incidents. Although third party service providers that the Bank engages have encountered cybersecurity events or incidents during the year ended December 31, 2025, the Bank’s investigation of each event or incident has shown that these occurrences have not resulted in a material impact on our systems, computing environments, customers, or data.

Governance

Board Oversight: The Board provides active oversight of cybersecurity threats in accordance with the Board-approved Information and Cyber Security Policy and Program. These policies and programs aim to achieve a controlled risk environment while meeting regulatory, legislative, and compliance requirements, including but not limited to the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Information Technology Sarbanes-Oxley Act (IT SOX) Compliance, and Payment Card Industry Data Security Standard (PCI-DSS) Compliance.

Direct oversight of information and cybersecurity risks is delegated to the Risk and Technology Committee of the Board. The Risk and Technology Committee meets at least quarterly and receives reports detailing current risks, maturity and functioning of associated processes and controls, and emerging or anticipated risks and threats. Additionally, the Risk and Technology Committee Chair provides a verbal summarized report to the full Board following each quarterly meeting, and as needed on an

Table of Contents

interim basis to address developing risk. All Risk and Technology Committee reports are available to the full Board for review. In the event critical matters arise between scheduled meetings, the Chief Risk Officer promptly notifies the Board and Risk and Technology Committee.

To further ensure independence and effectiveness, the Board has delegated authority for the Information and Cybersecurity Policy and Program, including the referenced reports, to the Technology Risk Management Director, who is also designated as the Chief Information Security Officer. This position reports to the Chief Risk Officer who in turn reports independently to the Chair of the Risk and Technology Committee. Additional layers of oversight are integrated into the program through the Director of Internal Audit, who conducts independent audits of critical information technology and cybersecurity activities. The results of these audits are reported to the Board's Audit and Finance Committee, providing an extra layer of assurance and accountability. The Director of Internal Audit reports independently to the Chair of the Board's Audit and Finance Committee.

Management's Role in Assessing and Managing Cybersecurity Risks. Management's role in assessing and managing material risks from cybersecurity threats is integral to the Company's governance framework. As discussed above, the Information and Cyber Security Policy and Program outline specific roles and responsibilities delegated to management and the Enterprise Risk Management Program, which includes the Technology Risk Management team, and responsibilities assigned to various employees and the Risk and Technology Committee.

The Technology Risk Management Director, a seasoned information and cyber security expert with significant experience in financial institutions, oversees the Technology Risk Management function. This expert conducts comprehensive assessments of cybersecurity risks inherent in the industry and the Company's business activities, evaluating controls implemented to address identified risks.

The Technology Risk Management Director is responsible for maintaining the Company's information and cyber security risk management framework. This framework establishes standards and processes for the continuous assessment of material cybersecurity risks, covering identification, measurement, mitigation activities, monitoring and reporting of the risk posture at any given time. Additionally, the Director ensures oversight and compliance with the Security Incident Response Plan, providing guidance during security incidents, whether within the Company or involving service provider/vendor engagements.

The Company’s information technology department, including a dedicated security operations group, plays a crucial role in implementing practices aligned with the Information and Cyber Security Policy and Program requirements. Responsibilities include the maintenance and monitoring of systems, network(s), and application access and error logs, identification of unauthorized access attempts, adherence to access controls standards, configuration management, and the implementation of controls to mitigate risks related to information availability, integrity, and confidentiality.

Business activities, products, and services are managed by experts in their respective fields, with employees receiving training to detect and prevent material cybersecurity threats. Business leaders are expected to understand specific threats within their areas of responsibility and adhere to established processes and standards to control such threats.

To facilitate a transparent and collaborative approach to managing cybersecurity risk, an executive management level committee has been established. Chaired by the Chief Risk Officer and administered by the Technology and Risk Management Director, the committee ensures continual awareness of the information and cybersecurity risk posture, emerging threats, known threat actors, and vulnerabilities. Its purpose is to foster a security culture within the Company through active participation in planning and managing threat and security risk activities.

The Risk and Technology Committee provides similar reports to the full Board quarterly, as well as on an as-needed basis. Results of cybersecurity-related audits are also reported to the Board's Audit and Finance Committee.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
NVTS	56 minutes ago
DAN	59 minutes ago
FSBC	an hour ago
CLMB	an hour ago
NPKI	an hour ago
SBGI	an hour ago
BXP	an hour ago
SHO	an hour ago
HFWA	an hour ago
SSP	an hour ago
FBP	an hour ago
WULF	2 hours ago
GSG	2 hours ago
SLV	2 hours ago
IBIT	2 hours ago
IAUM	2 hours ago
IAU	2 hours ago
ETHA	2 hours ago
SOLV	2 hours ago
NWN	2 hours ago
TDC	2 hours ago
SAFT	2 hours ago
RPC	2 hours ago
FMAO	2 hours ago
HMN	2 hours ago
STLD	2 hours ago
UBSI	2 hours ago
DKL	2 hours ago
DK	2 hours ago
SBAC	2 hours ago
GLP	3 hours ago
CCBG	3 hours ago
CRI	3 hours ago
SBR	3 hours ago
MSIF	3 hours ago
MAIN	4 hours ago
FMC	4 hours ago
FMBH	4 hours ago
NYT	4 hours ago
LASR	4 hours ago
TXRH	4 hours ago
DRH	4 hours ago
DROR	4 hours ago
ACA	5 hours ago
HOMB	5 hours ago
AVB	5 hours ago
EPD	5 hours ago
WWW	6 hours ago
CHE	6 hours ago
MBWM	6 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - HFWA

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - HFWA

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing