Risk Factors Dashboard

Item 1A. Risk Factors below. Risk Factors.

Privacy Requirements of the Gramm-Leach-Bliley Act and Cyber Security. Federal law places limitations on financial institutions like Quaint Oak Bank regarding the sharing of consumer financial information with unaffiliated third parties. Specifically, these provisions require all financial institutions offering financial products or services to retail customers to provide such customers with the financial institution’s privacy policy and provide such customers the opportunity to “opt out” of the sharing of personal financial information with unaffiliated third parties. Quaint Oak Bank currently has a privacy protection policy in place and believes such policy is in compliance with the regulations. In addition, on November 18, 2021, the federal banking agencies announced the adoption of a final rule providing for new notification requirements for banking organizations and their service providers for significant cybersecurity incidents. Specifically, the new rule requires a banking organization to notify its primary federal regulator as soon as possible, and no later than 36 hours after, the banking organization determines that a “computer-security incident” rising to the level of a “notification incident” has occurred. Notification is required for incidents that have materially affected or are reasonably likely to materially affect the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector. Service providers are required under the rule to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect the banking organization’s customers for four or more hours. Compliance with the new rule was required by May 1, 2022. Non-compliance with federal or similar state privacy and cybersecurity laws and regulations could lead to substantial regulatory imposed fines and penalties, damages from private causes of action and/or reputational harm.

In addition, the Securities and Exchange Commission adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The new rules require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. See Item 1C. Cybersecurity for annual disclosures. Cybersecurity.

Consumer Financial Services. The historical structure of federal consumer protection regulation applicable to all providers of consumer financial products and services changed significantly with the establishment of the Consumer Financial Protection Bureau (“CFPB”) as part of the Dodd-Frank Act reforms. The CFPB has broad rulemaking authority for a wide range of consumer protection laws that apply to all providers of consumer products and services, including Quaint Oak Bank, as well as the authority to prohibit “unfair, deceptive or abusive” acts and practices. The CFPB has examination and enforcement authority over providers with more than $10 billion in assets. FDIC-insured institutions with $10 billion or less in assets, like Quaint Oak Bank, continue to be examined by their applicable bank regulators.

Anti-Money Laundering. Federal anti-money laundering rules impose various requirements on financial institutions intended to prevent the use of the U.S. financial system to fund terrorist activities. These provisions include a requirement that financial institutions operating in the United States have anti-money laundering compliance programs, due diligence policies and controls to ensure the detection and reporting of money laundering. Such compliance programs supplement existing compliance requirements, also applicable to financial institutions, under the Bank Secrecy Act and the Office of Foreign Assets Control Regulations. Quaint Oak Bank has established policies and procedures to ensure compliance with the federal anti-laundering provisions.

In May 2025, the Bank entered into substantially identical Consent Orders (the “Orders”) with the Federal Deposit Insurance Corporation and the Pennsylvania Department of Banking and Securities that became effective immediately and relate primarily to the Bank’s Bank Secrecy Act compliance program. Although the Bank consented to the issuance of the Orders, it neither admitted nor denied any charges of unsafe or unsound banking practices or violations of law or regulations. The Orders do not impose restrictions on the Bank’s activities or include fines or penalties.

The Orders arose from an on-site examination that commenced on February 20, 2024 and were based on the Bank’s financial condition as of and for the year ended December 31, 2023. The Orders identify areas for improvement in the Bank’s anti-money laundering and countering the financing of terrorism (“AML/CFT”) program and require the Bank’s Board of Directors to enhance oversight and monitoring of Bank Secrecy Act compliance. Among other requirements, the Bank must develop and implement policies and procedures relating to third-party risk management, AML/CFT controls, independent testing, suspicious activity review, Office of Foreign Assets Control compliance, and related training.

The Bank has undertaken a number of actions to address the requirements of the Orders, including establishing a Financial Crime Management Department and appointing a new Vice President, Financial Crimes; enhancing its AML/CFT policies and procedures; increasing AML/CFT staffing through new hires and specialized consultants; strengthening training, third-party risk management, and independent audit processes; and enhancing Board and senior management oversight of the AML/CFT program. The Bank is committed to complying with the Orders within the prescribed timeframes and believes it has made significant progress in addressing the identified matters.

Regulatory Enforcement Authority. The federal banking laws provide substantial enforcement powers available to federal banking regulators. This enforcement authority includes, among other things, the ability to assess civil money penalties, to issue cease-and-desist or removal orders and to initiate injunctive actions against banking organizations and institution-affiliated parties, as defined. In general, these enforcement actions may be initiated for violations of laws and regulations and unsafe or unsound practices. Other actions or inactions may provide the basis for enforcement action, including misleading or untimely reports filed with regulatory authorities.

Community Reinvestment Act. All insured depository institutions have a responsibility under the Community Reinvestment Act and related regulations to help meet the credit needs of their communities, including low- and moderate-income neighborhoods. An institution’s failure to comply with the provisions of the Community Reinvestment Act could result in restrictions on its activities. Quaint Oak Bank received an “Outstanding” Community Reinvestment Act rating in its most recently completed examination.

Federal Home Loan Bank System. Quaint Oak Bank is a member of the Federal Home Loan Bank of Pittsburgh, which is one of 11 regional Federal Home Loan Banks. Each Federal Home Loan Bank serves as a reserve or central bank for its members within its assigned region. It is funded primarily from proceeds from the sale of consolidated obligations of the Federal Home Loan Bank System. It makes loans to members (i.e., advances) in accordance with policies and procedures established by the board of directors of the Federal Home Loan Bank.

As a member, Quaint Oak Bank is required to purchase and maintain stock in the Federal Home Loan Bank of Pittsburgh in an amount in accordance with the Federal Home Loan Bank’s capital plan and sufficient to ensure that the Federal Home Loan Bank remains in compliance with its minimum capital requirements. At December 31, 2025, Quaint Oak Bank was in compliance with this requirement.

Federal Reserve Board System. The Federal Reserve Board requires all depository institutions to maintain non-interest bearing reserves at specified levels against their transaction accounts, which are primarily checking and NOW accounts, and non-personal time deposits. The balances maintained to meet the reserve requirements imposed by the Federal Reserve Board may be used to satisfy the liquidity requirements that are imposed by the Pennsylvania Department of Banking and Securities. At December 31, 2025, Quaint Oak Bank was in compliance with these reserve requirements.

TAXATION

Federal Taxation

General. Quaint Oak Bancorp and Quaint Oak Bank are subject to federal income tax provisions of the Internal Revenue Code of 1986, as amended, in the same general manner as other corporations with some exceptions listed below. For federal income tax purposes, Quaint Oak Bancorp files a consolidated federal income tax return with its wholly owned subsidiaries on a fiscal year basis. The applicable federal income tax expense or benefit will be properly allocated to each entity based upon taxable income or loss calculated on a separate company basis.

Method of Accounting. For federal income tax purposes, income and expenses are reported on the accrual method of accounting and Quaint Oak Bancorp files its federal income tax return using a December 31 fiscal year end.

Taxable Distributions and Recapture. Prior to the Small Business Job Protection Act, bad debt reserves created prior to January 1, 1988 were subject to recapture into taxable income if a savings bank failed to meet certain thrift asset and definitional tests. New federal legislation eliminated these thrift related recapture rules. However, under current law, pre-1988 reserves remain subject to recapture should a savings bank make certain non-dividend distributions or cease to maintain a savings bank charter. At December 31, 2025, Quaint Oak Bank did not have federal pre-1988 reserves subject to recapture.

Corporate Dividends Received Deduction. Quaint Oak Bancorp may exclude from income 100% of dividends received from a member of the same affiliated group of corporations. The corporate dividends received deduction is 80% in the case of dividends received from corporations, which a corporate recipient owns less than 80%, but at least 20% of the distribution corporation. Corporations that own less than 20% of the stock of a corporation distributing a dividend may deduct only 70% of dividends received.

Other Matters. The Company is no longer subject to examination by taxing authorities for the years before January 1, 2022.

State and Local Taxation

Pennsylvania Taxation. Quaint Oak Bancorp is subject to the Pennsylvania Corporate Net Income Tax. The Corporation Net Income Tax rate for 2025 is 9.99% and is imposed on unconsolidated taxable income for federal purposes with certain adjustments.

Quaint Oak Bank is subject to tax under the Pennsylvania Mutual Thrift Institutions Tax Act (the “MTIT”), as amended to include thrift institutions having capital stock. Pursuant to the MTIT, the tax rate is 11.5%. The MTIT exempts Quaint Oak Bank from other taxes imposed by the Commonwealth of Pennsylvania for state income tax purposes and from all local taxation imposed by political subdivisions, except taxes on real estate and real estate transfers. The MTIT is a tax upon net earnings, determined in accordance with U.S. generally accepted accounting principles with certain adjustments. The MTIT, in computing income under U.S. generally accepted accounting principles, allows for the deduction of interest earned on state and federal obligations, while disallowing a percentage of thrift’s interest expense deduction in the proportion of interest income on those securities to the overall interest income of Quaint Oak Bank. Net operating losses, if any, thereafter can be carried forward three years for MTIT purposes.

Item 1A. Risk Factors.

The following paragraphs describe what we believe are the material risks of an investment in the common stock of Quaint Oak Bancorp, Inc. (the “Company”). We may face other risks as well, which we have not anticipated. The risk factors listed below are not intended to represent a complete list of the general or specific risks that may affect us, our banking subsidiary, Quaint Oak Bank (the “Bank”) or the Bank’s subsidiaries. Additional risks and uncertainties not presently known to us or that we currently deem immaterial may also impair our business operations. The realization of any of the risks described below could have a material adverse effect on our business, financial condition, results of operations or future prospects. The order of these risk factors does not reflect their relative importance or likelihood of occurrence. All references to “we” “our” and “us” include the Company and the Bank, depending on the context.

We have entered into correspondent banking relationships with international banking entities and other business arrangements, and these activities involve risks and uncertainties that could affect our liquidity. A failure of any such relationship or the exit from any such relationship may cost more than anticipated, subject us to additional risk, and could have a material adverse effect on our business and results of operations.

As a part of our liquidity management, we utilize correspondent banking relationships with international banking entities and deposit placement agreements with third party banks as funding sources in addition to core deposit growth, repayments and maturities of loans, and interest-bearing deposits in other banks. The deposits obtained through these relationships and agreements have resulted in significant concentrations of deposits. For additional detail regarding such concentrations, see “-The Company’s operations could be impaired by liquidity risk and deposit concentration.” We provide oversight of these relationships, which must meet all internal and regulatory requirements. We may elect to exit relationships where such requirements are not met or we are required by our regulators to exit such relationships. Also, our partner(s) could terminate a relationship with us for many reasons. If a relationship were to be terminated, it could be costly to the Bank, materially reduce our deposits and adversely impact our liquidity. Further, the withdrawal of such deposits or adverse operating results or changes in industry conditions could lead to difficulty or an inability to access these additional funding sources. Our financial flexibility will be severely constrained if we are unable to maintain our access to funding or if adequate financing is not available. If we are required to rely more heavily on more expensive funding sources, our operating margins and profitability could be adversely affected.

The Company’s operations could be impaired by liquidity risk and deposit concentration.

Liquidity is essential to the Company’s business. The Company’s primary funding source is consumer deposits, a substantial portion of which consist of certificates of deposit. As of December 31, 2025, approximately 61.3% of our total deposits were comprised of certificates of deposit. As noted above, the Company has identified one major interest-bearing checking account deposit customer that accounted for approximately 5.9% of total deposits at December 31, 2025. The outstanding balances of the major deposit customer totaled approximately $35.0 million at December 31, 2025. The amount of uninsured deposits (deposits greater than $250,000) was approximately $244.3 million, or 40.9% of total deposits at December 31, 2025. If these deposits were to be withdrawn in whole or in part, replacement of the funds may require us to pay higher interest rates on retail deposits or brokered deposits which would have an adverse effect on our net interest income and net income. If the Bank is less than well capitalized, the Federal Deposit Insurance Act restricts the Bank from accepting brokered deposits absent a waiver from the FDIC. The replacement of these deposits with other sources of funding, such as borrowings, could also increase our overall cost of funds and would negatively impact our results of operations. The Company has significant borrowing capacity available to fund liquidity needs, including borrowing agreements with the Federal Home Loan Bank of Pittsburgh (the “FHLB”) and the Federal Reserve Bank of Philadelphia. As of December 31, 2025, we had $269.3 million in borrowing capacity from the FHLB and $24.2 million in borrowing capacity with the Federal Reserve Bank of Philadelphia.

Although the Company has historically been able to replace maturing deposits and advances as necessary, it might not be able to replace such funds in the future on a timely basis. An inability to raise funds through traditional deposits, brokered deposits, borrowings, and the sale of securities or loans could have a substantial negative effect on the Company’s liquidity. The Company’s access to funding sources on terms which are acceptable to the Company could be impaired by factors that affect the Company specifically or the financial services industry or economy in general. However, the Company’s ability to borrow or attract and retain deposits in the future could be adversely affected by the Company’s financial condition or regulatory restrictions, or impaired by factors that are not specific to the Company, such as FDIC insurance changes, disruption in the financial markets or negative views and expectations about the prospects for the banking industry. Liquidity also may be affected by the Bank’s routine commitments to extend credit.

Sources of funds may not remain adequate for liquidity needs and the Bank may be compelled to seek additional sources of financing in the future. Additional borrowings, if sought, may not be available or, if available, may not be on favorable terms. If additional financing sources are unavailable or not available on reasonable terms to provide necessary liquidity, the Company’s financial condition, results of operations and future prospects could be materially and adversely affected.

We rely on short-term funding, which can be adversely affected by local and general economic conditions.

As of December 31, 2025, approximately $354.7 million of total deposits consisted of certificates of deposit, approximately $245.4 million of which, or approximately 41.1% of our total deposits, are due to mature within one year. Certificates of deposit obtained through a national listing service totaled $62.3 million, or approximately 17.6% of our certificates of deposit at December 31, 2025. These customers and in particular, those in the listing service, are interest-rate conscious and may be willing to move funds into higher-yielding investment alternatives. Historically, a majority of our certificates of deposit are renewed upon maturity as long as we pay competitive interest rates. Our ability to attract and maintain deposits, as well as our cost of funds, has been, and will continue to be significantly affected by financial markets and general economic conditions. Given recent economic challenges, if we have to increase interest rates paid to retain deposits, our earnings may be adversely affected.

We may need to raise additional capital or increase our liquidity in the future, but sufficient capital may not be available when it is needed.

We face significant capital and other regulatory requirements as a financial institution. We may need to raise additional capital/liquidity in the future to provide us with sufficient capital resources and liquidity to meet our commitments and business needs, particularly if our asset quality or earnings were to deteriorate significantly. Our ability to raise additional capital/liquidity, if needed, will depend on, among other things, conditions in the capital and financial markets at that time, which are outside of our control, and our financial performance. Economic conditions and the loss of confidence in financial institutions may increase our cost of funding and limit access to certain customary sources of capital/liquidity, including depositors, other financial institution borrowings, repurchase agreements and borrowings from the discount window of the FRB. Any occurrence that may limit our access to the capital/liquidity markets, such as a decline in the confidence of other financial institutions, depositors or counterparties participating in the capital markets, may adversely affect our costs and our ability to raise capital/liquidity. An inability to raise additional capital/liquidity on acceptable terms when needed could have a materially adverse effect on our financial condition, results of operations and liquidity.

If the Company fails to maintain sufficient capital and liquidity under regulatory requirements, whether due to losses, an inability to raise additional capital or otherwise, that failure would adversely affect the Company’s financial condition and results of operations, as well as the Company’s ability to maintain regulatory compliance.

The Bank must meet regulatory capital requirements and maintain sufficient liquidity, and its regulators may modify and adjust such requirements in the future. Pursuant to FDIC regulations, all state nonmember banks, such as the Bank, must maintain certain minimum capital ratios to be deemed adequately capitalized (common equity Tier 1 capital of at least 4.5%, Tier 1 risk-weighted capital of at least 6.0%, total risk-weighted capital of at least 8.0%, and Tier 1 leverage ratio of at least 4.0%). Notwithstanding the minimum requirements, all FDIC-supervised institutions are required to maintain capital commensurate with the level and nature of all risks to which they are exposed. As of December 31, 2025, the Bank’s common equity Tier 1 capital ratio was 12.36%, its Tier 1 risk-weighted capital ratio was 12.36%, its total risk-weighted capital ratio was 13.55% and its Tier 1 leverage ratio was 10.26% and it was deemed to be “well-capitalized.”

The Company’s ability to raise additional capital, when and if needed, will depend on conditions in the capital markets, economic conditions and a number of other factors, including investor preferences regarding the banking industry, market conditions and governmental activities, many of which are outside the Company’s control, and on the Company’s financial condition and performance. Accordingly, the Company may not be able to raise additional capital if needed or on terms acceptable to the Company. If the Company fails to meet the minimum capital and other regulatory requirements, the Company’s regulators could take formal or informal actions against the Company and the Company’s growth prospects, financial condition, liquidity and results of operations would be materially and adversely affected.

Regulatory scrutiny of correspondent banking partnerships and related technology considerations have recently increased.

We provide correspondent banking services to our international correspondent bank partners, which may include facilitating U.S. dollar payments and providing other financial services infrastructure. Recently, federal bank regulators have increasingly focused on the risks related to international correspondent banking partnerships, raising concerns regarding risk management, oversight, internal controls, information security, change management, and information technology operational resilience. We could be subject to additional regulatory scrutiny with respect to our correspondent banking business that could have a material adverse effect on the business, financial condition, results of operations and growth prospects of the Company.

Our relationships with correspondent banks located in Puerto Rico create increased Office of Foreign Assets Control (“OFAC”), Bank Secrecy Act and Anti-Money Laundering compliance risk.

The Company has correspondent banking relationships, including one major interest-bearing checking account customer, located in Puerto Rico. The correspondent banking entities acquire deposits from individuals located in various international jurisdictions including Europe, Latin America, the Caribbean, and Asia. These cross-border correspondent banking relationships pose unique risks because it creates situations in which a U.S. financial institution will be handling funds from individuals in these jurisdictions who may not be transparent to us. Accordingly, these foreign individuals may pose higher money laundering risk to us. Because of the large amount of funds, multiple transactions, and our potential lack of familiarity with a foreign customer, these customers may be able to more easily conceal the source and use of illicit funds. Consequently, we may have a higher risk of non-compliance with the Bank Secrecy Act and other Anti-Money Laundering rules and regulations due to our correspondent banking relationships with these banking entities.

In recent years, sanctions that the regulators have imposed on banks that have not complied with all Bank Secrecy Act and Anti-Money Laundering requirements have been especially severe. In order to comply with regulations, guidelines and examination procedures in this area, we have dedicated significant resources to our Anti Money Laundering/Combating the Financing of Terrorism Program (“AML/CFT Program”). If our policies, procedures and systems are deemed deficient, we could be subject to liability, including fines and regulatory actions such as additional restrictions on our ability to pay dividends and the necessity to obtain regulatory approvals to proceed with certain aspects of our business plans, such as acquisitions and de novo branching. Further, our failure to strictly adhere to the terms and requirements of our OFAC license or our failure to adequately manage our AML/CFT Program in light of our correspondent banking relationships could result in regulatory or other actions being taken against us, including the imposition of civil money penalties, formal agreements and cease and desist orders. Lastly, failure to meet regulatory requirements could require the Bank to incur additional significant costs in order to bring our AML/CFT Program and operations into compliance, negatively impact our reputation, and have a material adverse effect on our business, financial condition and results of operations.

Potential gaps in our risk management policies and internal audit procedures may leave us exposed to unidentified or unanticipated risk, which could negatively affect our business.

Our enterprise risk management and internal audit programs are designed to mitigate material risks and loss to us. We have developed and continue to develop comprehensive risk management policies and procedures to identify, mitigate and provide a sound operational environment for the types of risk to which we are subject, including credit risk, market risk (interest rate and liquidity risks), operational risk, information security risk, compliance risk (including Bank Secrecy Act and Anti-Money Laundering and OFAC compliance), strategic risk, and reputational risk. In addition, we have designed and implemented internal audit policies and procedures to reflect ongoing reviews of our risks and expect to continue to do so in the future. Nonetheless, as with any risk management framework, there are inherent limitations to our current and future risk management strategies, including risks that we have not appropriately anticipated or identified, and our internal audit process may fail to detect such weaknesses or deficiencies in our risk management framework. Many of our methods for managing risk and exposures are based upon the use of observed historical market behavior to model or project potential future exposure. Models used by our business are based on assumptions and projections. These models may not operate properly or our inputs and assumptions may be inaccurate or may not be adopted quickly enough to reflect changes in behavior, markets or technology. As a result, these methods may not fully predict future exposures, which can be significantly different and greater than historical measures indicate. In addition, our business and the markets in which we operate are continuously evolving and we may fail to fully understand the implications of changes in our business or the financial markets or fail to adequately or timely enhance our enterprise risk framework to address those changes. Furthermore, there can be no assurance that we can effectively review and monitor all risks or that all of our employees will closely follow our risk management policies and procedures, nor can there be any assurance that our risk management policies and procedures will enable us to accurately identify all risks and limit timely our exposures based on our assessments. If our enterprise risk management framework proves ineffective, we could suffer unexpected losses, which could materially adversely affect our financial condition and results of operations.

Our operations are subject to third-party risk.

We rely on third-party service providers and partners, including other financial institutions, who, in turn, rely on their own networks of vendors, to deliver goods and services to us, our affiliates, and our customers. Our third-party service providers and partners are subject to the same or similar risks as we are, including technology failures, capacity constraints, and inadequate data management or privacy protections, the risk of which we may not be able to effectively monitor or mitigate. Any of these risks could impede their ability to provide products or services to us and materially disrupt our business (including our ability to process transactions and communicate with customers and counterparties), damage our reputation, and expose us to financial and regulatory consequences.

Additionally, failures experienced by shared financial market systems and providers, such as central banks, clearinghouses, custodians, exchanges and other shared technology infrastructure providers could have a material adverse effect on market participants, including us, and could disrupt the functioning of the overall financial system.

The FDIC requires financial institutions to maintain third-party and service provider risk management programs, which include due diligence requirements for third parties and service providers as well as for our affiliates who may perform services for us. In June 2023, the federal banking agencies issued updated guidance on managing risks associated with third-party relationships. The guidance sets forth considerations and a framework with respect to the management of risks arising from third-party relationships and replaces the federal banking agencies’ existing guidance on the topic. The guidance broadly applies to business arrangements between a banking organization and a third party. If our third-party risk and service provider management and due diligence program is not sufficiently robust, this could lead to regulatory intervention. Any of these occurrences could diminish our ability to operate one or more of our business lines, and may result in potential liability to clients, reputational damage or regulatory intervention, all of which could materially adversely affect us.

A decline in general business conditions and economic trends and any regulatory responses to such conditions and trends could adversely affect the Company’s business, financial condition and results of operations.

Our business and operations, which primarily consist of real estate mortgage loans and borrowing money from customers in the form of deposits, are sensitive to general business and economic conditions in the U.S., generally. Uncertainty about the federal fiscal policymaking process, and the medium- and long-term fiscal outlook of the U.S. government and U.S. economy, is a concern for businesses, consumers and investors in the U.S. In addition, economic conditions in foreign countries, including global political hostilities, U.S. and foreign tariff policies and uncertainty over the stability of the other currencies, could affect the stability of global financial markets, which could hinder domestic economic growth. A significant outbreak of disease pandemics or other adverse public health developments in the population could result in a widespread health crisis that could adversely affect the economies and financial markets of many countries, resulting in an economic downturn that could adversely affect our customers’ businesses and results of operations.

The resurgence of elevated levels of inflation may have an adverse impact on our business and on our customers.

Inflation risk is the risk that the value of assets or income from investments will be worth less in the future as inflation decreases the value of money. The inflationary outlook in the United States remains uncertain. The consumer price index increased 2.7% for the twelve (12) months ended December 31, 2025. While this is a significant reduction to the rate of inflation experienced in the past year, it is still above the FRB’s targeted rate. The risks to our business from inflation depend on the durability of the inflationary pressures in our markets. Although the FRB has reduced the federal fund rate three times in 2025, no assurance can be given that it will continue to do so. The resurgence of elevated levels of inflation could lead the FRB to cease reducing its benchmark rate or potentially starting to increase it again which could, in turn, increase the borrowings costs of our customers, making it more difficult for them to repay their loans or other obligations. Elevated interest rates may be needed to tame inflationary price pressures, which could also push down asset prices, including collateral values, and weaken economic activity.

As inflation increases, the value of our investment securities, particularly those with longer maturities, would decrease, although this effect can be less pronounced for floating rate instruments. In addition, inflation increases the cost of goods and services we use in our business operations, such as electricity and other utilities, which increases our noninterest expenses. Furthermore, our customers are also affected by inflation and the rising costs of goods and services used in their households and businesses, which could have a negative impact on their ability to repay their loans with us. A deterioration in economic conditions in the United States and our markets could result in an increase in loan delinquencies and non- performing assets, decreases in loan collateral values and a decrease in demand for our products and services, all of which, in turn, would adversely affect our business, financial condition and results of operations. Changes in the FRB’s monetary or fiscal policies could adversely affect the Company’s results of operations and financial condition.

The Company’s results of operations will be affected by domestic economic conditions and the monetary and fiscal policies of the United States government and its agencies. The FRB has, and is likely to continue to have, an important impact on the operating results of depository institutions through its power to implement national monetary policy, among other things, in order to curb inflation or combat a recession. The FRB affects the levels of bank loans, investments and deposits through its control over the issuance of U.S. government securities, its purchases of government and other securities, its regulation of the discount rate applicable to member banks and its influence over reserve requirements to which member banks are subject. The Company cannot predict the nature or impact of future changes in monetary and fiscal policies.

Changes in interest rates may adversely affect the Company’s net interest income and profitability.

The Company’s results of operations are highly dependent on the difference between the interest earned on loans and investments and the interest paid on deposits and borrowings. We rely on in-market consumer certificates of deposit that are often priced at “top of market.” Changes in market interest rates impact the rates earned on loans and investment securities and the rates paid on deposits and borrowings. In addition, changes to the market interest rates may impact the level of loans, deposits and investments and the credit quality of existing loans. In addition, the senior management team ensures that budgeted resources are allocated in a timely manner to support the various security initiatives. These rates may be affected by many factors beyond the Company’s control, including general economic conditions and the monetary and fiscal policies of various governmental and regulatory authorities. Changes in interest rates may negatively impact the Company’s ability to attract deposits, make loans and achieve satisfactory interest rate spreads, which could adversely affect the Company’s financial condition or results of operations.

The amount of nonperforming assets may increase, resulting in losses, costs and expenses that would negatively affect the Bank’s operations.

At December 31, 2025, the Bank’s nonperforming loans represented approximately 1.36% of our total loans. However, the economic outlook in the United States continues to remain uncertain. The Bank’s level of nonperforming assets could increase if industry or economic conditions deteriorate. Nonperforming asset levels could also increase due to a change in lending strategy, underwriting errors, a deterioration in our ability to effectively collect our loans, or due to other factors. Going forward, as the amount of nonperforming assets, classified assets, and special mention assets increase, the Bank’s losses, and the costs and expenses to maintain collateral likewise may increase as well. Any additional increase in losses related to such assets may have material adverse effects on the Bank’s business, financial condition, and results of operations.

Nonperforming assets take significant time and resources to resolve and adversely affect our results of operations and financial condition.

Nonperforming assets adversely affect our net income in various ways. We could incur losses relating to an increase in nonperforming assets. We generally do not record interest income on nonperforming loans or other real estate owned (“OREO”), thereby adversely affecting our income, and increasing our loan administration costs. An increase in the level of nonperforming assets increases our risk profile and may impact the capital levels our regulators believe are appropriate in light of the ensuing risk profile. While we reduce problem assets through loan extensions, workouts, restructurings and otherwise, decreases in the value of the underlying collateral, or in these borrowers’ performance or financial condition, whether or not due to economic and market conditions beyond our control, could adversely affect our business, results of operations and financial condition. In addition, the resolution of nonperforming assets requires significant commitments of time from management, which may materially and adversely impact their ability to perform their other responsibilities and can distract management from daily operations and other income producing activities. There can be no assurance that we will not experience future increases in nonperforming assets. Additionally, there are legal fees associated with the resolution of problem assets as well as carrying costs such as taxes, insurance and maintenance related to assets acquired through foreclosure. Finally, if our estimate of the allowance for credit losses is inadequate, we would have to increase the allowance for credit losses accordingly, which would have an adverse effect on our earnings. Significant increases in the level of our nonperforming assets from current levels, or greater than anticipated costs to resolve these credits, would have an adverse effect on our earnings.

Our allowance for credit losses may not be adequate to cover actual losses.

Like all financial institutions, we maintain an allowance for credit losses, which is a reserve established through a provision for credit losses charged to expense, that we believe is appropriate to provide for lifetime expected credit losses on loans in our loan portfolio. The allowance is evaluated on a regular basis by management. Management’s determination of the adequacy of the allowance for credit losses is based on the assessment of the expected credit losses on loans over the expected life of the loans (using the weighted average maturity method). Consideration is given to a variety of factors in establishing this estimate including, but not limited to, current economic conditions, delinquency statistics, geographic and industry concentrations, the adequacy of the underlying collateral, the financial strength of the borrower, results of internal loan reviews and other relevant factors. This evaluation is inherently subjective as it requires material estimates that may be susceptible to significant change. At December 31, 2025, the ratio of the allowance for credit losses to total loans and total nonperforming loans were 1.13% and 84.01%, respectively.

The determination of the appropriate level of the allowance for credit losses is complex, inherently involves a high degree of subjectivity and requires us to make significant assumptions, judgments and estimates of current credit risks and future trends, all of which may undergo material changes. Changes in economic conditions affecting borrowers, new information regarding existing loans, identification of additional problem loans and other factors, both within and outside of our control, may require an increase in the allowance for credit losses. Increases in nonperforming loans have a significant impact on the Company’s reserve for credit losses. Generally, the Company’s nonperforming loans reflect difficulties of individual borrowers resulting from continued financial stress on the borrowers’ asset values and cash flow abilities. If the real estate market or the economy in general deteriorate, the Company may experience increased delinquencies and credit losses. While the Company strives to monitor credit quality and to identify adversely risk rated loans on a consistent and timely basis, including those that may become nonperforming, at any time there are loans in the portfolio that could result in losses that have not been identified as problem or nonperforming loans. The Company cannot be certain that it will be able to identify deteriorating loans before they become nonperforming assets or that it will be able to limit losses on those loans that have been identified. The reserve for credit losses may not be sufficient to cover actual loan-related losses.

In addition, bank regulatory agencies periodically review our allowance for credit losses and may require an increase in the provision for possible credit losses or the recognition of further loan charge-offs, based on judgments different than those of management. In addition, if charge-offs in future periods exceed the allowance for credit losses, we will need additional provisions to increase the allowance for credit losses. Any increases in the allowance for credit losses due to increased provisions will result in a decrease in net income and, possibly, capital, and may have a material negative effect on our financial condition and results of operations.

We have a high concentration of commercial real estate loans, which involve credit risks that could adversely affect our financial condition and results of operations.

At December 31, 2025, commercial real estate loans totaled $309.7 million, or 56.7% of our total loan portfolio. Commercial real estate loans consisted of $200.6 million, or 64.8%, of owner occupied loans and $109.1 million or 35.2% of non-owner occupied loans at December 31, 2025. Given their larger balances and the complexity of the underlying collateral, commercial real estate loans generally have more risk than the owner-occupied one- to four-family residential real estate loans we originate. Because the repayment of commercial real estate loans depends on the successful management and operation of the borrower’s properties or related businesses, repayment of such loans can be affected by adverse conditions in the local real estate market or economy. If we foreclose on these loans, our holding period for the collateral typically is longer than for a one- to four-family residential property because there are fewer potential purchasers of the collateral. In addition, commercial real estate loans typically involve larger loan balances to single borrowers or groups of related borrowers compared to one- to four-family residential loans. Accordingly, charge-offs on commercial real estate loans may be larger on a per loan basis than those incurred with our residential or consumer loan portfolios.

As our commercial real estate loan portfolio increases, the corresponding risks and potential for losses from these loans may also increase, which would adversely affect our business, financial condition and results of operations.

Our concentration of real estate loans in a limited market area exposes us to lending risks.

At December 31, 2025, approximately $449.8 million, or 82.4%, of our total loan portfolio, was secured by real estate, most of which is located in our primary lending market area of Bucks, Montgomery and Philadelphia counties and the Lehigh Valley area of Pennsylvania and surrounding areas. Future declines in the real estate values in our primary lending market and surrounding markets could significantly impair the value of the particular real estate collateral securing our loans and our ability to sell the collateral upon foreclosure for an amount necessary to satisfy the borrower’s obligations to us. This could require increasing our allowance for credit losses to address the decrease in the value of the real estate securing our loans, which could have a material adverse effect on our business, financial condition, results of operations and growth prospects.

The geographic concentration of our loan portfolio and lending activities makes us vulnerable to a downturn in our local market area.

Unlike larger financial institutions that are more geographically diversified, our profitability depends primarily on the general economic conditions in our primary market area. Local economic conditions have a significant impact on our residential real estate, commercial real estate, commercial and industrial and consumer lending, including, the ability of borrowers to repay these loans and the value of the collateral securing these loans.

A deterioration in economic conditions in our primary market area could result in the following consequences, any of which could have a material adverse effect on our business, financial condition, liquidity and results of operations:

●	demand for our products and services may decrease;

●	loan delinquencies, problem assets and foreclosures may increase;

●	collateral for loans, especially real estate, may decline in value, thereby reducing customers’ future borrowing power, and reducing the value of assets and collateral associated with existing loans;

●	the value of our securities portfolio may decrease; and

●	the net worth and liquidity of loan guarantors may decrease, thereby impairing their ability to honor commitments made to us.

Moreover, a significant decline in general economic conditions, caused by inflation, acts of terrorism, an outbreak of hostilities or other international or domestic calamities, or other factors beyond our control could further impact these local economic conditions and could further negatively affect our financial performance. In addition, deflationary pressures, while possibly lowering our operating costs, could have a significant negative effect on our borrowers, especially our business borrowers, and the values of underlying collateral securing loans, which could negatively affect our financial performance.

The imposition of further limits by the bank regulators on commercial real estate lending activities could curtail our growth and adversely affect our earnings.

The FDIC, the FRB and the Office of the Comptroller of the Currency have promulgated joint guidance on sound risk management practices for financial institutions with concentrations in commercial real estate lending. Under this guidance, a financial institution that, like us, is actively involved in commercial real estate lending should perform a risk assessment to identify concentrations. Regulatory guidance on concentrations in commercial real estate lending provides that a bank’s commercial real estate lending exposure could receive increased supervisory scrutiny where total commercial real estate loans, including loans secured by multi-family residential properties, owner-occupied and nonowner-occupied investor real estate, and construction and land loans, represent 300% or more of an institution’s total risk- based capital, and the outstanding balance of the commercial real estate loan portfolio has increased by 50% or more during the preceding 36 months.

As of December 31, 2025, our total commercial investor real estate loans, including loans secured by apartment buildings, commercial real estate, and construction and land loans represented 235.9% of the Bank’s total risk-based capital. The particular focus of the guidance is on exposure to commercial real estate loans that are dependent on the cash flow from the real estate held as collateral and that are likely to be at greater risk to conditions in the commercial real estate market (as opposed to real estate collateral held as a secondary source of repayment or as an abundance of caution). The purpose of the guidance is to guide institutions in developing risk management practices and capital levels commensurate with the level and nature of real estate concentrations. Management has established a commercial real estate lending framework to monitor specific exposures and limits by types within the commercial real estate portfolio and takes appropriate actions, as necessary. While we believe we have implemented policies and procedures with respect to our commercial real estate loan portfolio consistent with this guidance, the FDIC, the Bank’s primary federal regulator, could require us to implement additional policies and procedures pursuant to their interpretation of the guidance that may result in additional costs to us. In addition, if the FDIC were to impose restrictions on the amount of commercial real estate loans we can hold in our portfolio, our earnings would be adversely affected.

The banking industry and the Company operate under certain regulatory requirements that may change significantly and in a manner that further impairs revenues, operating income and financial condition.

The Company operates in a highly regulated industry and is subject to examination, supervision and comprehensive regulation by the FRB, the FDIC and the Pennsylvania Department of Banking and Securities. The regulations affect the Company’s investment practices, lending activities and dividend policy, among other things. Moreover, federal and state banking laws and regulations undergo frequent and often significant changes and have been subject to significant change in recent years, sometimes retroactively applied, and may change significantly in the future. Changes to these laws and regulations or other actions by regulatory agencies could, among other things, make regulatory compliance more difficult or expensive for the Company, limit the products the Company can offer or increase the ability of non-banks to compete and could adversely affect the Company in significant but unpredictable ways, which in turn could have a material adverse effect on the Company’s financial condition or results of operations.

The Dodd-Frank Act instituted major changes to the banking and financial institutions regulatory regimes in light of the performance of and government intervention in the financial services sector. Included in the Dodd-Frank Act are, for example, changes related to deposit insurance assessments, executive compensation and corporate governance requirements, payment of interest on demand deposits, interchange fees and overdraft services. The Dodd-Frank Act also requires the implementation of the Volcker Rule for banks and bank holding companies, which prohibits proprietary trading, investment in and sponsorship of hedge funds and private equity funds, and otherwise limits the relationships with such funds.

The Company cannot predict the substance or impact of pending or future legislation or regulation. The Company’s compliance with these laws and regulations is costly and may restrict certain activities, including payment of dividends, mergers and acquisitions, investments, loans and interest rates charged, interest rates paid on deposits, access to capital and brokered deposits and locations of banking offices. Failure to comply with these laws or regulations could result in fines, penalties, sanctions and damage to the Company’s reputation which could have an adverse effect on the Company’s business and financial results.

The costs and effects of litigation, investigations or similar matters, or adverse facts and developments related thereto, could materially affect the Company’s business, operating results and financial condition.

While we are currently not involved in any legal proceedings except nonmaterial litigation incidental to the ordinary course of business, from time to time, we may be involved in a variety of litigation, investigations or similar matters arising out of our business. It is inherently difficult to assess the outcome of these matters, and we may not prevail in any proceedings or litigation. Our insurance may not cover all claims that may be asserted against us and indemnification rights to which we are entitled may not be honored, and any claims asserted against us, regardless of merit or eventual outcome, may harm our reputation. Should the ultimate judgments or settlements in any litigation or investigation significantly exceed our insurance coverage or to the extent that we incur civil money penalties that are not covered by insurance, they could have a material adverse effect on our business, financial condition and results of operations. In addition, premiums for insurance covering the financial and banking sectors are rising. We may not be able to obtain appropriate types or levels of insurance in the future, nor may we be able to obtain adequate replacement policies with acceptable terms or at historic rates, if at all.

Our business activities and operations are subject to regulation, supervision and examination, and can be limited and proscribed, by our federal and state regulators.

Under applicable laws, the FDIC and the Pennsylvania Department, as the Bank’s primary regulators, and the FRB, as the Company’s primary federal regulator, have the ability to impose substantial sanctions, restrictions and requirements on us if they find, upon examination or otherwise, weaknesses with respect to our operations. Applicable law prohibits disclosure of specific examination findings by the regulators.

As of December 31, 2025, the Bank’s total risk-based capital ratio was 13.55%, and the Bank was therefore considered “well-capitalized” under the regulatory framework for prompt corrective action. However, the FDIC and the Pennsylvania Department have the authority to classify any bank as not “well- capitalized” based on unsafe and unsound practices discovered during an examination. If additional regulatory restrictions were imposed as a result of such reclassification, they could have a material adverse effect on our business, financial condition, results of operations, cash flows and/or future prospects.

If a state non-member bank is classified as undercapitalized, the bank is required to submit a capital restoration plan to the FDIC. Pursuant to the Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”), an undercapitalized bank is prohibited from increasing its assets, engaging in a new line of business, acquiring any interest in any company or insured depository institution, or opening or acquiring a new branch office, except under certain circumstances, including the acceptance by the FDIC of a capital restoration plan for the bank. Furthermore, if a state non-member bank is classified as undercapitalized, the FDIC may take certain actions to correct the capital position of the bank. If a bank is classified as significantly undercapitalized or critically undercapitalized, the FDIC would be required to take one or more prompt corrective actions. These actions would include, among other things, requiring sales of new securities to bolster capital; improvements in management; limits on interest rates paid; prohibitions on transactions with affiliates; termination of certain risky activities and restrictions on compensation paid to executive officers. If a bank is classified as critically undercapitalized, FDICIA requires the bank to be placed into conservatorship or receivership within ninety days, unless the FDIC determines that other action would better achieve the purposes of FDICIA regarding prompt corrective action with respect to undercapitalized banks.

Under FDICIA, banks may be restricted in their ability to accept brokered deposits, depending on their capital classification. While “well-capitalized” banks are permitted to accept brokered deposits, banks that are not well-capitalized are subject to restrictions on accepting such deposits. The FDIC may, on a case-by-case basis, permit banks that are adequately capitalized to accept brokered deposits if the FDIC determines that acceptance of such deposits would not constitute an unsafe or unsound banking practice with respect to the bank.

Finally, the capital classification of a bank affects the frequency of examinations of the bank, the deposit insurance premiums paid by such bank, and the ability of the bank to engage in certain activities, all of which could have a material adverse effect on our business, financial condition, results of operations, cash flows and/or future prospects.

Changes in laws and regulations and the cost of regulatory compliance with new laws and regulations may adversely affect our operations and/or increase our costs of operations.

The Bank is subject to extensive regulation, supervision and examination by the Pennsylvania Department and the FDIC, and the Company is subject to extensive regulation, supervision and examination by the FRB. Such regulation and supervision governs the activities in which an insured depository institution and its holding company may engage and are intended primarily for the protection of the federal deposit insurance fund and the depositors and borrowers of the Bank, rather than for our security holders.

Regulatory authorities have extensive discretion in their supervisory and enforcement activities, including the imposition of restrictions on our operations, the classification of our assets and determination of the level of our allowance for credit losses. These regulations, along with existing tax, accounting, securities, insurance and monetary laws, rules, standards, policies, and interpretations, control the methods by which financial institutions conduct business, implement strategic initiatives and tax compliance, and govern financial reporting and disclosures. Any change in such regulation and oversight, whether in the form of regulatory policy, regulations, legislation or supervisory action, may have a material impact on our operations. Further, changes in accounting standards can be both difficult to predict and involve judgment and discretion in their interpretation by us and our independent registered public accounting firm. These changes could materially impact, potentially even retroactively, how we report our financial condition and results of operations.

We are subject to the Community Reinvestment Act (the “CRA”) and fair lending laws, and failure to comply with these laws could lead to material penalties.

The CRA, the Equal Credit Opportunity Act, the Fair Housing Act and other fair lending laws and regulations impose nondiscriminatory lending requirements on financial institutions. The U.S. Department of Justice and other federal agencies are responsible for enforcing these laws and regulations. A successful challenge to an institution’s performance under the CRA or fair lending laws and regulations could result in a wide variety of sanctions, including the required payment of damages and civil money penalties, injunctive relief, imposition of restrictions on mergers and acquisitions activity, and restrictions on expansion activity. Private parties may also have the ability to challenge an institution’s performance under fair lending laws in private class action litigation.

Significantly heightened regulatory and supervisory expectations and scrutiny in the U.S. have increased our compliance, regulatory and other risks and costs and subject us to legal and regulatory examinations, investigations and enforcement actions.

The regulatory and political environment has generally been challenging for U.S. financial institutions, which have been subject to increased regulatory scrutiny, including in the wake of the failures of several regional banks and other banking stresses in recent periods. The general heightened scrutiny and expectations from regulators could lead to a more stringent regulatory posture by the regulators, investigations and other inquiries, as well as remediation requirements, regulatory and operational restrictions, more regulatory or other enforcement proceedings, civil litigation and substantial compliance, regulatory and other risks and costs. Our regulators have broad powers and discretion under their supervisory authority. A failure to comply with regulators’ expectations and requirements, even if inadvertent, or to resolve any identified deficiencies in a timely and sufficiently satisfactory manner to regulators, could result in increased regulatory oversight; material restrictions, including, among others, imposition of limitations on capital distributions or other business activities or operations; enforcement proceedings; penalties; and fines. Responding to regulatory inquiries and proceedings can be time consuming and costly and divert management attention from our other business activities. As a result of these regulatory efforts and pressures, like many other financial institutions, from time to time, we may be subject to public and non-public written agreements, cease and desist orders, consent orders, memoranda of understanding or other enforcement or supervisory actions by our regulators.

The Company is leveraged and therefore may be unable to serve as a source of strength to the Bank.

As of December 31, 2025, the Company’s double leverage ratio was 128.4%. The double leverage ratio reflects the extent to which equity in subsidiaries is financed by debt at the savings and loan holding company level and is calculated by dividing the Company’s equity investments in its subsidiaries by the Company’s equity. The FRB uses the double leverage ratio as an indicator of a savings and loan holding company’s exposure to risk related to high levels of debt. The FRB may take supervisory action to require the Company to reduce its debt, and therefore its double leverage ratio, if it believes the Company is unable to manage such risk.

As a matter of policy, the FRB expects a savings and loan holding company to act as a source of financial and managerial strength to a subsidiary bank and to commit resources to support such subsidiary bank. The Dodd-Frank Act codified the FRB’s policy on serving as a source of financial strength. Under the “source of strength” doctrine, the FRB may require a savings and loan holding company to make capital injections into a troubled subsidiary bank, even if the company would not ordinarily do so and even if such contribution is to its detriment or the detriment of its shareholders. The FRB may charge the savings and loan holding company with engaging in unsafe and unsound practices for failure to commit resources to a subsidiary bank. A capital injection may be required at times when the savings and loan holding company may not have the resources to provide it and therefore may be required to borrow the funds or raise capital.

The Bank’s deposit insurance premium could be higher in the future, which could have a material adverse effect on its future results of operations.

The FDIC insures deposits at FDIC-insured financial institutions, including the Bank. The FDIC charges the insured financial institutions assessments to maintain the Deposit Insurance Fund (the “DIF”) at a certain level; if an FDIC-insured financial institution fails, payments of deposits up to insured limits are made from the DIF. An increase in the risk category of the Bank, adjustments to assessment rates and/or a special assessment could have an adverse effect on the Company’s results of operations.

In order to maintain a strong funding position and restore the reserve ratios of the DIF, the FDIC has, in the past, increased deposit insurance assessment rates and charged a special assessment to all FDIC- insured financial institutions. Although the DIF reserve ratio currently exceeds targeted levels, further increases in assessment rates or special assessments may occur in the future, especially if there are significant additional financial institution failures. Any future special assessments, increases in assessment rates or required prepayments in FDIC insurance premiums could reduce profitability or limit the Company’s ability to pursue certain business opportunities, which could have an adverse effect on its business, financial condition, and results of operations.

The Company may not be able to attract or retain key banking employees, which could adversely impact our business and operations.

Much of our future success will be strongly influenced by our ability to attract and retain management experienced in banking and financial services and familiarity with the communities in our market areas. Our ability to retain executive officers, the functional area managers, branch managers and loan officers of the Bank will continue to be important to the successful implementation of our strategy. It is also critical to be able to attract and retain qualified management and loan officers with the appropriate level of experience and knowledge about our market areas to implement our community-based operating strategy.

The Company strives to attract and retain key banking professionals, management and staff. Even the existence of employment agreements does not necessarily ensure that the Company will be able to continue to retain employees’ services. Banking-related revenues and net income could be adversely affected in the event of the unexpected loss of key personnel. Competition to attract the best professionals in the industry can be intense which will limit the Company’s ability to hire new professionals. The unexpected loss of services of key management personnel, or the inability to recruit and retain qualified personnel in the future, could have an adverse effect on our business, results of operations and financial condition.

The soundness of other financial institutions could adversely affect the Company.

Our ability to engage in routine funding and other transactions could be adversely affected by the actions and commercial soundness of other financial institutions. Financial services companies are interrelated as a result of trading, clearing, counterparty or other relationships. We have exposure to different industries and counterparties, and through transactions with counterparties in the financial services industry, including brokers and dealers, commercial banks, investment banks, and other institutional clients. Defaults by, or even rumors or questions about, one or more financial institutions or market utilities, or the financial services industry generally, may lead to market-wide liquidity problems, losses of depositor, creditor and counterparty confidence and losses or defaults by us or by other institutions. These losses or defaults could have a material adverse effect on our business, financial condition, results of operations and growth prospects. Additionally, if our competitors were extending credit on terms we found to pose excessive risks, or at interest rates which we believed did not warrant the credit exposure, we may not be able to maintain our business volume and could experience deteriorating financial performance.

Changes in accounting standards could affect reported earnings.

The bodies responsible for establishing accounting standards, including FASB, the SEC and other regulatory bodies, periodically change the financial accounting and reporting guidance that governs the preparation of the Company’s consolidated financial statements. These changes can be hard to predict and can materially impact how the Company records and reports its financial condition and results of operations. In some cases, the Company could be required to apply new or revised guidance retroactively.

The financial services business is intensely competitive, and the Company may not be able to compete effectively.

The Company faces competition for its services from a variety of competitors. The Company’s future growth and success depend on its ability to compete effectively. The Company competes for deposits, loans and other financial services with numerous financial service providers including banks, thrifts, credit unions, mortgage companies, broker dealers and insurance companies. To the extent these competitors have less regulatory constraints, lower cost structures or increased economies of scale, they may be able to offer a greater variety of products and services or more favorable pricing for such products and services. In addition, improvements in technology, communications and the Internet have intensified competition. As a result, the Company’s competitive position could be weakened, which could adversely affect the Company’s financial condition and results of operations.

The Bank is a community bank and its ability to maintain its reputation is critical to the success of its business and the failure to do so may materially adversely affect the Company’s performance.

The Bank is a community bank, and its reputation is one of the most valuable components of its business. A key component of the Bank’s business strategy is to rely on its reputation for customer service and knowledge of local markets to expand its presence by capturing new business opportunities from existing and prospective customers in its market area and contiguous areas. As such, the Bank strives to conduct its business in a manner that enhances its reputation. This is done, in part, by recruiting, hiring and retaining employees who share the Bank’s core values of being an integral part of the communities the Bank serves, delivering superior service to its customers and caring about its customers and associates. If the Company’s or the Bank’s reputation is negatively affected, by the actions of their employees, by their inability to conduct their operations in a manner that is appealing to current or prospective customers, or otherwise, the Company’s business and, therefore, its operating results may be materially adversely affected.

We face significant operational risks because of our reliance on technology. Our information technology systems may be subject to failure, interruption or security breaches.

Information technology systems are critical to our business. Our business requires us to collect, process, transmit and store significant amounts of confidential information regarding our customers, employees, business, operations, plans and business strategies. We use various technology systems to manage our customer relationships, general ledger, securities investments, deposits, and loans. Our computer systems, data management and internal processes, as well as those of third parties, are integral to our performance. Our operational risks include the risk of malfeasance by employees or persons outside the Bank, errors relating to transaction processing and technology, systems failures or interruptions, breaches of our internal control systems and compliance requirements, and business continuation and disaster recovery. There have been increasing efforts by third parties to breach data security at financial institutions. Such attacks include computer viruses, malicious or destructive code, phishing attacks, denial of service or information or other security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary, personal and other information, damage to systems, or other material disruptions to network access or business operations. Although we take protective measures and believe that we have not experienced any of the data breaches described above, the security of our computer systems, software, and networks may be vulnerable to breaches, unauthorized access, misuse, computer viruses, or other malicious code or cyber-attacks that could have an impact on information security. Because the techniques used to cause security breaches change frequently, we may be unable to proactively address these techniques or to implement adequate preventative measures.

If there is a breakdown in our internal control systems, improper operation of systems or improper employee actions, or a breach of our security systems, including if confidential, personal or proprietary information were to be mishandled, misused or lost, we could suffer financial loss, loss of customers and damage to our reputation, and face regulatory action or civil litigation. Any of these events could have a material adverse effect on our financial condition and results of operations. Insurance coverage may not be available for such losses, or where available, such losses may exceed insurance limits.

If we are not able to invest successfully and introduce digital and other technological developments across all our business, our financial performance may suffer.

Our industry is subject to rapid and significant technological changes and our ability to meet our customers’ needs and expectations is key to our ability to grow revenue and earnings. We expect digital technologies to have a significant impact on banking over time. Consumers expect robust digital experiences from their financial services providers. The ability for customers to access their accounts and conduct financial transactions using digital technology, including mobile applications, is an important aspect of the financial services industry and financial institutions are rapidly introducing new digital and other technology-driven products and services that aim to offer a better customer experience and to reduce costs. We continue to invest in digital technology designed to attract new customers, facilitate the ability of existing customers to conduct financial transactions and enhance the customer experience related to our products and services.

Our continued success depends, in part, upon our ability to address the needs of our customers by using digital technology to provide products and services that meet their expectations. The development and launch of new digital products and services depends in large part on our capacity to invest in and build the technology platforms that can enable them, in a cost effective and timely manner.

Some of our competitors are substantially larger than we are, which may allow those competitors to invest more money into their technology infrastructure and digital innovation than we do. A failure to maintain or enhance our competitive position with respect to digital products and services, whether because we fail to anticipate customer expectations or because our technological developments fail to perform as desired or are not implemented in a timely or successful manner, could negatively impact our business and financial results.

Risks associated with the Company’s internet-based systems and online commerce security, including “hacking” and “identify theft,” could adversely affect the Company’s business.

The Company has a website and conducts a portion of its business over the Internet. The Company relies heavily upon data processing, including loan servicing and deposit processing software, communications systems and information systems from a number of third parties to conduct its business. Third party, or internal, systems and networks may fail to operate properly or become disabled due to deliberate attacks or unintentional events. The Company’s operations are vulnerable to disruptions from human error, natural disasters, power loss, computer viruses, spam attacks, denial of service attacks, unauthorized access and other unforeseen events. Undiscovered data corruption could render the Company’s customer information inaccurate. These events may obstruct the Company’s ability to provide services and process transactions. While the Company believes that it is in compliance with all applicable privacy and data security laws, an incident could put its confidential customer information at risk.

Although the Company has not experienced a cyber-incident that has been successful in compromising its data or systems, the Company can never be certain that all of its systems are entirely free from vulnerability to breaches of security or other technological difficulties or failures. The Company monitors and modifies, as necessary, its protective measures in response to the perpetual evolution of cyber threats.

A breach in the security of any of the Company’s information systems, or other cyber incident, could have an adverse impact on, among other things, its revenue, ability to attract and maintain customers and business reputation. In addition, as a result of any breach, the Company could incur higher costs to conduct its business, to increase protection, or related to remediation.

Furthermore, the Company’s customers could incorrectly blame the Company and terminate their accounts with the Company for a cyber-incident which occurred on their own system or with that of an unrelated third party. In addition, a security breach could also subject the Company to additional regulatory scrutiny and expose the Company to civil litigation and possible financial liability.

Past Bank performance is not a meaningful financial indicator upon which to base an estimate of our future financial performance.

Although the Bank has a long operational history, the past financial performance of the Bank is not a complete indicator of the future financial performance of the Bank. As described in these Risk Factors, we face a wide variety of economic, financial, operational, regulatory and other risks which could have a material negative effect on our financial condition and results of operations.

Item 1B. Unresolved Staff Comments.

Not applicable.

Item 1C. Cybersecurity.

Overview. Our Board of Directors and management consider information security and cybersecurity as high priorities in our strategic and operational plans. We understand the critical nature of the confidentiality, integrity, and availability of customer and bank sensitive information. Any loss of confidentiality, integrity, or availability introduces operational, compliance, strategic, transactional, reputational, legal, and capital risks which we actively seek to avoid. It is understood that any one of these risks, if realized, will have a negative impact upon Quaint Oak Bancorp and Quaint Oak Bank. Our approach to information and cybersecurity is proactive and strives to avoid incidents where possible through the use of technical, administrative, and physical controls.

Governance. Our efforts for increased information and cybersecurity readiness are driven from the top of the organization. The Enterprise Risk Management Committee has the responsibility of assessing risks associated with technology and information security, including cybersecurity. The Enterprise Risk Management Committee reports directly to our Board of Directors. The Board of Directors reviews and approves Information Security Risk Assessments and performance reviews which guides the actions of the management team, staff members, and supporting third-party service providers. In addition, the Board is active in the review and approval of all policies concerning information technology and information security. The Board further reviews reports provided by the management team regarding the status of Quaint Oak Bank’s GLBA compliance, risk management program, Third Party Risk Management program, and the results of tests and exercises conducted for business continuity, disaster recovery, cybersecurity incident response, and pandemic response. The Board further reviews reports provided by the management team regarding the status of Quaint Oak Bank’s GLBA compliance, risk management program, vendor management program, and the results of tests and exercises conducted for business continuity, disaster recovery, cybersecurity incident response, and pandemic response. Lastly, the Board of Directors reviews and approves the budget for information and cybersecurity, ensuring that we have sufficient resources to properly address all current and foreseeable information and cybersecurity threats.

Management and Strategy. Senior management takes the guidance provided by the Board of Directors and transforms this guidance into operational priorities which are implemented and maintained by the staff members and third-party service providers. In addition, the senior management team ensures that budgeted resources are allocated in a timely manner to support the various security initiatives.

Operational Information Technology and Information Security staff members, and third-party service providers utilize the direction and resources provided by the senior management team to develop procedures, standards, and guidelines to achieve the strategic goals defined by the Board of Directors. Operational and security health is reported quarterly to the IT Steering Committee, Enterprise Risk Management Committee, and the Board of Directors. Operational and security health is reported monthly to Operating Risk and Executive Committees and the Board of Directors. Recommendations for improvements are shared between operational staff and the senior management team as part of a continuous improvement program for information security and cybersecurity.

Operational staff members actively maintain, review, update, and exercise plans and procedures designed to enhance our overall business resiliency. Incident Response team members are trained annually on current information and cybersecurity trends, techniques, and their responsibilities to keep our information confidential, accurate, and available. All staff members are trained annually on current information and cybersecurity trends, techniques, and their responsibilities to keep our information confidential, accurate, and available.

We also utilize the services of third-party providers to conduct an IT audit, external and internal vulnerability testing, external and internal penetration testing, and social engineering testing on at least an annual basis. The results of these independent audits and tests are sent to the Board of Directors for review.

Finally, Quaint Oak Bank complies with its regulatory requirements by having Federal and State safety and security examinations performed on a schedule dictated by the regulatory agencies. The results of these examinations are reviewed and approved by the Board of Directors. Additionally, all findings from these examinations are recorded and prioritized for remediation.

Conclusion. Our Board of Directors and management take very seriously the information security and cybersecurity obligations Quaint Oak Bancorp and Quaint Oak Bank have to their respective customers, shareholders, staff members, and regulatory agencies. In support of these obligations, we have and actively maintain a robust information security and cybersecurity program based upon industry best practices, regulatory requirements, and the expertise of staff members and supporting third-party vendors.

45

---

To our knowledge, we have not had a cybersecurity incident that has materially affected Quaint Oak Bancorp, its business strategy, financial condition, or results of operation.