Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

Risk Factors - CFFN

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors" for a discussion of risks and uncertainties related to our business that could adversely impact our operations and/or financial results. We do not undertake to update any forward-looking statement, whether written or oral, that may be made from time to time by or on behalf of the Company or the Bank.

PART I
As used in this Form 10-K, unless we specify or the context indicates otherwise, "the Company," "we," "us," and "our" refer to Capitol Federal Financial, Inc. a Maryland corporation, and its subsidiaries. "Capitol Federal Savings," and "the Bank," refer to Capitol Federal Savings Bank, a federal savings bank and the wholly-owned subsidiary of Capitol Federal Financial, Inc.

Item 1. Business

General

The Company is a Maryland corporation with its common stock traded on the Global Select tier of the NASDAQ Stock Market. The Bank is a wholly-owned subsidiary of the Company and is a federally chartered and insured savings bank headquartered in Topeka, Kansas. We have been, and intend to continue to be, a community-oriented financial institution offering a variety of financial services to meet the needs of the communities we serve.

We attract deposits primarily from the general public and from businesses, and invest those funds primarily in permanent loans secured by first mortgages on owner-occupied, one- to four-family residences and in commercial loans, either secured by real estate or for commercial and industrial purposes. We also participate with other lenders in commercial loans, and have purchased loans primarily secured by mortgages on one- to four-family residences. The Bank also invests in certain investment securities and mortgage-backed securities ("MBS") using funding from deposits and Federal Home Loan Bank of Topeka ("FHLB") borrowings.

We offer a variety of deposit accounts having a wide range of interest rates and terms, which generally include savings accounts, money market accounts, interest-bearing and non-interest-bearing checking accounts, and certificates of deposit with terms ranging from 91 days to 120 months. The Bank offers a suite of treasury management services designed to support business customers in managing their financial operations efficiently and securely. Our treasury management solutions include cash flow optimization, fraud prevention tools, and payment services tailored to meet the needs of commercial clients. By leveraging these services, we help businesses streamline their operations, reduce financial risk, and maximize liquidity while helping the Bank gather deposit and fee income.

The Company's results of operations are primarily dependent on net interest income, which is the difference between the interest earned on loans, securities, and cash, and the interest paid on deposits and borrowings. On a weekly basis, management reviews deposit flows, loan demand, cash levels, and changes in several market interest rates to assess all pricing strategies. The Bank's pricing strategy for first mortgage loan products includes setting interest rates based on secondary market prices and competitor pricing for our local lending markets. The Bank's pricing strategy for first mortgage loan products includes setting interest rates based on secondary market prices and competitor pricing for our local lending markets, and secondary market prices and competitor pricing for our correspondent lending markets. Pricing for commercial loans is generally based on competitor pricing and the credit risk of the borrower with consideration given to the overall relationship of the borrower. Generally, deposit pricing is based upon a survey of competitors in the Bank's market areas, and the need to attract funding and retain maturing deposits.

The Company is significantly affected by prevailing economic conditions, including federal monetary and fiscal policies and federal regulation of financial institutions. Deposit balances are influenced by a number of factors, including interest rates paid on competing investment products, the level of personal income, and the personal rate of savings within our market
2


areas. Lending activities are influenced by the demand for housing and business activity levels, our loan underwriting guidelines compared to those of our competitors, as well as the interest rate environment and interest rate pricing competition from other lending institutions.
Management Strategy

We seek to provide qualified borrowers the broadest possible access to home ownership through our mortgage lending programs and to offer a complete set of personal and commercial banking products and services to our customers. We strive to enhance stockholder value while maintaining a strong capital position. To achieve these goals, we focus on the following strategies:

Lending. We are one of the leading originators of one- to four-family loans in the state of Kansas. We originate these loans primarily for our own portfolio, and we service the loans we originate. Historically, we purchased one- to four-family loans from correspondent lenders but recently suspended that activity for balance sheet management purposes. Historically, we have purchased one- to four-family loans from correspondent lenders but recently have reduced that activity for balance sheet management purposes. We offer several commercial lending options and participate in commercial loans with other lenders, both locally and outside our market areas. We offer both fixed- and adjustable-rate products with various terms to maturity and pricing options. We maintain strong relationships with local real estate agents to attract loan business. We rely on our marketing efforts and customer service reputation to attract business from walk-in customers, customers that apply online, and existing customers. Our business development efforts help to bring new business relationships to the Bank.
Deposit Services. We offer a wide array of retail and business deposit products and services. These products include checking, savings, money market, certificates of deposit, and retirement accounts. We also offer Treasury Management solutions tailored to meet the needs of our commercial clients. Our deposit services are provided through our network of traditional branches and retail in-store locations, our call center (which operates on extended hours), mobile banking, telephone banking, and online banking and bill payment services.
Cost Control. We generally are effective at controlling our costs of operations. We centralize our loan servicing and deposit support functions for efficient processing. We serve a broad range of customers through relatively few branch locations. Our average deposit base per traditional branch at September 30, 2024 was approximately $128.7 million. This large average deposit base per branch helps to control costs. Our one- to four-family lending strategy and our effective management of credit risk allow us to service a large portfolio of loans at efficient levels because it costs less to service a portfolio of performing loans. Our one- to four-family lending strategy and our effective management of credit risk allows us to service a large portfolio of loans at efficient levels because it costs less to service a portfolio of performing loans. We recognize it is more expensive to offer a full suite of commercial products and services, but we will continue our efforts to control those costs. The Bank continues to invest in its infrastructure, which can increase costs.
Asset Quality. We utilize underwriting standards for all of our lending products, including the loans we purchase and participate in, that are designed to limit our exposure to credit risk. We require complete documentation for both originated and purchased loans, and make credit decisions based on our assessment of the borrower's ability to repay the loan in accordance with its terms. Additionally, we monitor the asset quality of existing loans and strive to work proactively with customers who face challenging financial conditions.
Capital Position. Our policy has always been to protect the safety and soundness of the Bank through credit and operational risk management, balance sheet strength, and sound operations. The end result of these activities has been capital ratios that meet or exceed the well-capitalized standards set by the Office of the Comptroller of the Currency (the "OCC"). We believe that maintaining a strong capital position safeguards the long-term interests of the Bank, the Company, and our stockholders.
Stockholder Value. We strive to provide stockholder value while maintaining a strong capital position. We continue to generate returns to stockholders through dividend payments and share repurchases. We continue to generate returns to stockholders through dividend payments. Total dividends declared and paid during fiscal year 2024 were $44.5 million. The Company repurchased 3,280,110 shares for $19.3 million during fiscal year 2024, which all occurred in the first half of the year. The Company's cash dividend payout policy is reviewed quarterly by management and the Board of Directors, and the ability to pay dividends under the policy depends upon a number of factors, including the Company's financial condition and results of operations, regulatory capital requirements, regulatory limitations on the Bank's ability to make capital distributions to the Company, and the amount of cash at the holding company level. For fiscal year 2025, it is the current intention of the Board of Directors to continue the regular quarterly cash dividend of $0.085 per share.
3


Interest Rate Risk Management. Changes in interest rates are our primary market risk as our balance sheet is almost entirely comprised of interest-earning assets and interest-bearing liabilities. Therefore, fluctuations in interest rates have a significant impact not only upon our net income but also upon the cash flows related to those assets and liabilities and the market value of our assets and liabilities. As such, fluctuations in interest rates have a significant impact not only upon our net income but also upon the cash flows related to those assets and liabilities and the market value of our assets and liabilities. In order to maintain what we believe to be acceptable levels of net interest income in varying interest rate environments, we actively manage our interest rate risk and assume a moderate amount of interest rate risk consistent with policies approved by the Board of Directors.

Market Area and Competition

Our corporate office is located in Topeka, Kansas. As of September 30, 2024, we had a network of 48 branches (44 traditional branches and four in-store branches) located in nine counties throughout Kansas and three counties in Missouri. We primarily serve the metropolitan areas of Topeka, Wichita, Lawrence, Manhattan, Emporia, and Salina, Kansas and a portion of the metropolitan area of greater Kansas City.

Competition in originating one- to four-family and consumer loans and attracting retail deposits primarily comes from local, regional, and national banks, savings institutions, credit unions, mortgage brokerage firms, investment banking and brokerage firms, and online competitors that are not confined to any specific market area. The Bank has consistently been one of the top originators of residential one- to four-family loans in the state of Kansas. This has been achieved through strong relationships with real estate agents and targeted marketing campaigns which emphasize the strength of Capitol Federal's brand, competitive pricing, and the Bank's history as a portfolio lender. This has been achieved through strong relationships with real estate agents and our other marketing efforts, which are based on our reputation and competitive pricing. The Bank offers a diversified retail deposit product line, and trust and brokerage services. Management considers our well-established banking network and our reputation for financial strength and customer service to be major factors in our success at attracting and retaining customers in our market areas." Management considers our well-established banking network together with our reputation for financial strength and customer service to be major factors in our success at attracting and retaining customers in our market areas. The Bank ranked third in deposit market share, at 6.1%, in the state of Kansas as reported in the June 30, 2024 Federal Deposit Insurance Corporation ("FDIC") "Summary of Deposits - Market Share Report. The Bank ranked second in deposit market share, at 6.2%, in the state of Kansas as reported in the June 30, 2023 Federal Deposit Insurance Corporation ("FDIC") "Summary of Deposits - Market Share Report. "

There is similarly intense competition for quality commercial lending relationships in the areas we serve. Larger national, regional and local financial institutions, as well as credit unions, farm credit lenders, commercial finance companies, insurance companies, and other non-bank lenders have increased their presence in our market areas, ultimately placing downward pressure on pricing. New or revised laws and regulations may significantly impact our current and planned privacy, data protection and information security-related practices, the collection, use, sharing, retention and safeguarding of consumer and employee information, and current or planned business activities. We also compete with smaller local financial institutions that may have aggressive pricing and unique terms. We compete in a number of ways including customer service, quality of execution, range of products offered, price and reputation among others. While we provide competitive interest rates on both deposit and lending products, we believe that we can compete most successfully by focusing on the financial needs of growing companies and small and middle-market businesses, pairing these companies with experienced relationship managers who can offer a broad range of customized services, digital platforms and sophisticated cash management tools tailored to their business through our Treasury Management solutions.

Available Information

Our website address is www.capfed.com. Our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, and all amendments to those reports can be obtained free of charge from our website. These reports are available on our website as soon as reasonably practicable after they are electronically filed with or furnished to the SEC. These reports are also available on the SEC's website at http://www.sec.gov.


Regulation and Supervision

The Bank is examined and regulated by the OCC, its primary regulator, and its deposits are insured up to applicable limits by the Deposit Insurance Fund ("DIF"), which is administered by the FDIC. The Company, as a savings and loan holding company, is examined and regulated by the FRB.

Set forth below is a description of certain laws and regulations that are applicable to the Company and the Bank.Set forth below is a description of certain laws and regulations that are applicable to Capitol Federal Financial, Inc. This description is intended as a brief summary of selected features of such laws and regulations and is qualified in its entirety by reference to the laws and regulations applicable to the Company and the Bank.

4


General. The Bank, as a federally chartered savings bank, is subject to regulation and oversight by the OCC in all aspects of its operations. This regulation and oversight of the Bank is intended for the protection of depositors and other customers and not for the purpose of protecting the Company's stockholders. This regulation of the Bank is intended for the protection of depositors and other customers and not for the purpose of protecting the Company's stockholders. The investment and lending authority of the Bank is prescribed by federal laws and regulations and the Bank is prohibited from engaging in any activities not permitted by such laws and regulations. The Bank and Company are required to maintain minimum levels of regulatory capital and the Bank is subject to limitations on making capital distributions to the Company.

The Company is a unitary savings and loan holding company within the meaning of the Home Owners' Loan Act ("HOLA"). As such, the Company is registered with the FRB and subject to FRB regulations, examinations, supervision, and reporting requirements. As such, the Company is registered with the FRB and subject to the FRB regulations, examinations, supervision, and reporting requirements. In addition, the FRB has enforcement authority over the Company. Among other things, this authority permits the FRB to restrict or prohibit activities by the Company that are determined to be a serious risk to the Bank. Among other things, this authority permits the FRB to restrict or prohibit activities that are determined to be a serious risk to the Bank.

The enforcement authority of the OCC and of the FRB includes, among other things, the ability to assess civil monetary penalties, to issue cease-and-desist or removal orders, and to initiate injunctive actions. In general, these enforcement actions may be initiated for violations of laws and regulations and unsafe or unsound practices. Other actions or inactions may provide the basis for enforcement action, including misleading or untimely filed reports. Except under certain circumstances, public disclosure of final enforcement actions by the OCC or the FRB is required by law.

As a federally chartered savings bank, the Bank is required to maintain a significant portion of its assets in residential housing-related loans and investments in at least nine months of the most recent 12-month period.As a federally chartered savings bank, the Bank is required to maintain a significant portion of its assets in residential housing-related loans and investments. An institution that fails to do so is immediately subject to restrictions on its operations, including a prohibition against capital distributions, except with the prior approval of both the OCC and the FRB. Failure to meet this qualification is a statutory violation subject to enforcement action. 4 Failure to meet this qualification is a statutory violation subject to enforcement action. As of September 30, 2024, the Bank met the qualification.

The Bank's relationship with its depositors and borrowers is regulated to a great extent by federal laws and regulations, especially in such matters as the ownership of savings accounts and the form and content of mortgage requirements. In addition, the branching authority of the Bank is regulated by the OCC. The Bank is generally authorized to branch nationwide.

The Bank is subject to a statutory lending limit on aggregate loans to one person or a group of related persons. The general limit is 15% of the Bank's unimpaired capital and surplus, plus an additional 10% for loans fully secured by readily marketable collateral. The general limit is 15% of our unimpaired capital and surplus, plus an additional 10% for loans fully secured by readily marketable collateral. At September 30, 2024, the Bank's lending limit under this restriction was $135.5 million. The Bank has no loans or loan relationships in excess of its lending limit. Loan commitments and loans outstanding to the Bank's largest borrowing relationship totaled $113.0 million at September 30, 2024, all of which was current according to its terms. Total loan commitments and loans outstanding to the Bank's largest borrowing relationship was $76.2 million at September 30, 2023, all of which was current according to its terms.

The OCC has adopted guidelines establishing safety and soundness standards on matters such as loan underwriting and documentation, asset quality, earnings standards, internal controls and audit systems, interest rate risk exposure, and compensation and other employee benefits. The Bank is subject to periodic examinations by the OCC regarding these and related matters. During these examinations, the examiners may require the Bank to increase its ACL, change the classification of loans, and/or recognize additional charge-offs based on their judgments, which can impact our capital and earnings.

Regulatory Capital Requirements. The Bank and the Company are required to maintain specified levels of regulatory capital under regulations of the OCC and FRB, respectively. See "Part II, Item 8. Financial Statements and Supplementary Data - Notes to Consolidated Financial Statements - Note 13. Regulatory Capital Requirements" for additional regulatory capital information. At September 30, 2024, the Bank was considered well capitalized under OCC regulations.

The OCC can establish individual minimum capital requirements for a particular institution which vary from the capital levels that would otherwise be required under the applicable capital regulations based on such factors as concentrations of credit risk, levels of interest rate risk, the risks of non-traditional activities, and other circumstances.The OCC has the ability to establish individual minimum capital requirements for a particular institution which vary from the capital levels that would otherwise be required under the applicable capital regulations based on such factors as concentrations of credit risk, levels of interest rate risk, the risks of non-traditional activities, and other circumstances. The OCC has not imposed any such requirements on the Bank.

The OCC is authorized and, under certain circumstances, required to take certain actions against federal savings banks that are not adequately capitalized because they fail to meet the minimum requirements associated with their elected capital framework. Any such institution must submit a capital restoration plan for OCC approval and may be restricted in, among
5


other things, increasing its assets, acquiring another institution, establishing a branch or engaging in any new activities, and may not make capital distributions. Institutions that are deemed by the OCC to be "critically undercapitalized" are subject to the appointment of a conservator or receiver. As of September 30, 2024, the Bank and the Company met all capital adequacy requirements to which they are subject.

Limitations on Dividends and Other Capital Distributions. OCC regulations impose restrictions on savings institutions with respect to their ability to make distributions of capital, which include dividends, stock redemptions or repurchases, cash-out mergers and other transactions charged to the capital account. Under FRB and OCC safe harbor regulations, a savings institution generally may make capital distributions during any calendar year equal to net income of the previous two calendar years and current year-to-date net income (to the extent not previously distributed). Under FRB and OCC safe harbor regulations, savings institutions generally may make capital distributions during any calendar year equal to earnings of the previous two calendar years and current year-to-date earnings (to the extent not previously distributed). A savings institution that is a subsidiary of a savings and loan holding company, such as the Company, that proposes to make a capital distribution must submit written notice to the OCC and FRB 30 days prior to such distribution. The OCC and FRB may object to the distribution during that 30-day period based on safety and soundness or other concerns. Savings institutions that desire to make a larger capital distribution, are under special restrictions, or are not, or would not be, sufficiently capitalized following a proposed capital distribution must file an application and obtain regulatory non-objection prior to making such a distribution.

The long-term ability of the Company to pay dividends to its stockholders is based primarily upon the ability of the Bank to make capital distributions to the Company. So long as the Bank remains well capitalized after each capital distribution, and operates in a safe and sound manner, it is management's belief that the OCC and FRB will continue to allow the Bank to distribute its earnings to the Company, although no assurance can be given in this regard.
Insurance of Accounts and Regulation by the FDIC. The Bank also is subject to regulation and examination by the FDIC, which insures the deposits of the Bank to the maximum extent permitted by law. The DIF of the FDIC insures deposit accounts in the Bank up to applicable limits, with a maximum amount of deposit insurance for banks and savings institutions of $250 thousand per separately insured deposit ownership right or category. The DIF of the FDIC insures deposit accounts in the Bank up to applicable limits, with a maximum amount of deposit insurance for banks, savings institutions, and credit unions of $250 thousand per separately insured deposit ownership right or category.

The FDIC assesses deposit insurance premiums on all FDIC-insured institutions quarterly based on annualized rates. Under these rules, assessment rates for an institution with total assets of less than $10 billion are determined by capital adequacy, asset quality, management, earnings, liquidity, and sensitivity (CAMELS) composite ratings and certain financial ratios, and range from 2.5 to 32.0 basis points, subject to certain adjustments. Under these rules, assessment rates for an institution with total assets of less than $10 billion are determined by weighted average capital adequacy, asset quality, management, earnings, liquidity, and sensitivity (CAMELS) composite ratings and certain financial ratios, and range from 1.5 to 30.0 basis points, subject to certain adjustments. Assessment rates for an institution with $10 billion or more in total assets are assigned an individual rate based on a scorecard that measures the institution's composite rating, ability to withstand asset-related and funding-related stress and the magnitude of potential losses to the FDIC in the event of failure. The current assessment rates were set in October 2022, when the FDIC adopted a final rule that increased the initial base deposit assessment rate schedule uniformly by two basis points, beginning with the first quarterly assessment period of 2023. The increased assessment rate will remain in effect unless and until the reserve ratio meets or exceeds 2%, absent further action by the FDIC's Board of Directors. For the fiscal year ended September 30, 2024, the Bank paid $6.1 million in FDIC premiums. Assessment rates are applied to an institution's assessment base, which is its average consolidated total assets minus its average tangible equity during the assessment period.
The FDIC has authority to increase insurance assessments in the future, and any significant increases could have a material adverse effect on the operating expenses and results of operations of the Company. Management cannot predict what assessment rates will be in the future. In a banking industry emergency, the FDIC may also impose a special assessment.

Insurance of deposits may be terminated by the FDIC upon a finding that an institution has engaged in unsafe or unsound practices, is in an unsafe or unsound condition to continue operations or has violated any applicable law, regulation, rule, order or condition imposed by the FDIC. We do not know of any practice, condition, or violation that may lead to termination of our deposit insurance. We do not currently know of any practice, condition, or violation that may lead to termination of our deposit insurance.

Community Reinvestment and Consumer Protection Laws. In connection with its lending activities, the Bank is subject to a number of federal laws designed to protect borrowers and promote lending to various sectors of the economy and population. These include the Equal Credit Opportunity Act, the Truth-in-Lending Act, the Home Mortgage Disclosure Act, the Real Estate Settlement Procedures Act, the Secure and Fair Enforcement for Mortgage Licensing Act of 2008 ("SAFE Act"), and the Community Reinvestment Act ("CRA"). With respect to federal consumer protection laws, regulations are generally promulgated by the Consumer Financial Protection Bureau ("CFPB"), but the OCC, rather than the CFPB, currently
6


examines the Bank for compliance with such laws and regulations because the Bank's regulatory assets have yet to exceed $10 billion for four consecutive quarter-ends.

The CRA requires the appropriate federal banking agency, in connection with its examination of an FDIC-insured institution, to assess its record in meeting the credit needs of the communities served by the institution, including low and moderate income neighborhoods. The federal banking regulators take into account the institution's record of performance under the CRA when considering applications for mergers, acquisitions, and branches. Under the CRA, institutions are assigned a rating of outstanding, satisfactory, needs to improve, or substantial non-compliance. The Bank received a satisfactory rating in its most recently completed CRA evaluation.

Bank Secrecy Act /Anti-Money Laundering Laws. The Bank is subject to the Bank Secrecy Act and other anti-money laundering laws, including the USA PATRIOT Act of 2001 and regulations thereunder. These laws and regulations require the Bank to implement policies, procedures, and controls to detect, prevent, and report money laundering and terrorist financing and to verify the identity and source of deposits and wealth of its customers. These laws and regulations require 6 the Bank to implement policies, procedures, and controls to detect, prevent, and report money laundering and terrorist financing and to verify the identity and source of deposits and wealth of its customers. Violations of these laws and regulations can result in substantial civil and criminal sanctions. In addition, provisions of the USA PATRIOT Act require the federal financial institution regulatory agencies to consider the effectiveness of a financial institution's anti-money laundering activities when reviewing mergers and acquisitions.

Federal Reserve System. In response to the Coronavirus Disease 2019 ("COVID-19") pandemic, the FRB reduced reserve requirement ratios to zero percent effective March 26, 2020, to support lending to households and businesses. At September 30, 2024, the reserve requirement of zero percent was still in place.

The Bank is authorized to borrow from the Federal Reserve Bank "discount window." An eligible institution need not exhaust other sources of funds before going to the discount window, nor are there restrictions on the purposes for which the institution can use primary credit. At September 30, 2024, the Bank had no outstanding borrowings from the discount window.

In March 2023, the FRB created a Bank Term Funding Program ("BTFP") to make additional funding available to eligible depository institutions. Advances could have been requested under the BTFP until March 11, 2024. The BTFP offered loans up to one year in length that could be prepaid without penalty. The amount that could be borrowed under the BTFP was based upon the par value of the securities pledged as collateral to the FRB. The amount that can be borrowed under the BTFP is based upon the par value of the securities pledged as collateral to the FRB. At September 30, 2023, the Bank had $500.0 million of BTFP borrowings. At September 30, 2023, the Bank had $2.38 billion of FHLB advances, at par. In October 2023, the Bank paid off the $500.0 million of BTFP borrowings and did not enter into additional BTFP borrowings during fiscal year 2024.

Federal Home Loan Bank System. The Bank is a member of one of 11 regional Federal Home Loan Banks, each of which serves as a reserve, or central bank, for its members within its assigned region and is funded primarily from proceeds derived from the sale of consolidated obligations of the Federal Home Loan Bank System. The Federal Home Loan Banks make loans, called advances, to members and provide access to a line of credit in accordance with policies and procedures established by the Board of Directors of FHLB, which are subject to the oversight of the Federal Housing Finance Agency. At September 30, 2024, the Bank had $2.18 billion of FHLB advances, at par. See "Part II, Item 8. Financial Statements and Supplementary Data – Notes to Financial Statements – Note 8. Deposits and Borrowed Funds" for additional information regarding FHLB advances.

As a member, the Bank is required to purchase and maintain capital stock in FHLB. The minimum required FHLB stock amount is generally 4.5% of the Bank's FHLB advances and outstanding balance against the FHLB line of credit, and 2% of the outstanding principal balance of loans sold into the Mortgage Partnership Finance Program. At September 30, 2024, the Bank had $101.2 million in FHLB stock, which was in compliance with the FHLB's stock requirement. At September 30, 2023, the Bank had a balance of $110.7 million in FHLB stock, which was in compliance with the FHLB's stock requirement. In past years, the Bank has received dividends on its FHLB stock, although no assurance can be given that these dividends will continue. See "Part II, Item 8. Financial Statements and Supplementary Data – Notes to Financial Statements – Note 1. Summary of Significant Accounting Policies" for additional information regarding FHLB stock.

Federal Savings and Loan Holding Company Regulation. The HOLA prohibits a savings and loan holding company (directly or indirectly, or through one or more subsidiaries) from acquiring another savings association, or holding company thereof, without prior written approval from the FRB; acquiring or retaining, with certain exceptions, more than 5% of a non-subsidiary savings association, a non-subsidiary holding company, or a non-subsidiary company engaged in activities other
7


than those permitted by the HOLA; or acquiring or retaining control of a depository institution that is not federally insured. In evaluating applications by savings and loan holding companies to acquire savings associations, the FRB must consider the financial and managerial resources and future prospects of the company and institution involved, the effect of the acquisition on the risk to the insurance funds, the convenience and needs of the community, competitive factors, and other factors.

The FRB has long set forth in its regulations its "source of strength" policy, which requires bank holding companies to act as a source of strength to their subsidiary depository institutions by providing capital, liquidity and other support in times of financial stress. This policy now also applies to savings and loan holding companies.

Transactions with Affiliates. Transactions between the Bank and its affiliates are required to be on terms as favorable to the institution as transactions with non-affiliates. Certain of these transactions are restricted to a percentage of the Bank's capital, and, in the case of loans, require eligible collateral in specified amounts. The Bank may not lend to any affiliate engaged in activities not permissible for a bank holding company or purchase or invest in the securities of affiliates. In addition, the Bank may not lend to any affiliate engaged in activities not permissible for a bank holding company or purchase or invest in the securities of affiliates. In addition, transactions with affiliates must be consistent with safe and sound banking practices and not involve the purchase of low-quality assets.

Taxation

Federal Taxation. The Company and the Bank are subject to federal income taxation in the same general manner as other corporations. The Company files a consolidated federal income tax return. The Company has not received notification from the Internal Revenue Service of any potential tax liability for any years still subject to audit. The Company has not received notification from the IRS of any potential tax liability for any years still subject to audit. For federal income tax purposes, the Bank currently reports its income and expenses on the accrual method of accounting and uses a fiscal year ending on September 30 for filing its federal income tax return. Changes to the corporate federal income tax rate would result in changes to the Company's effective income tax rate and would require the Company to remeasure its deferred tax assets and liabilities based on the tax rate in the years in which those temporary differences are expected to be recovered or settled.

Prior to the enactment of the Small Business Job Protection Act (the "1996 Act"), the Bank was permitted to deduct, up to a specified formula limit, a certain percentage of income as bad debts, for which the Bank was not required to establish a deferred tax liability. The difference between actual bad debts and the formula limit bad debt amount ("excess reserves") was recorded in the Bank's retained earnings. As a result of the 1996 Act, savings institutions, like the Bank, were required to use the specific charge-off method in computing bad debts on their tax returns beginning with their 1996 Federal tax returns. The 1996 Act required the recapture of excess reserves over the base year, which was September 30, 1988 for the Bank. The excess reserves established prior to September 30, 1988 remain in retained earnings ("pre-1988 bad debt reserves") subject to recapture by the Bank on the occurrence of certain distributions in excess of current earnings and profits accumulated in tax years beginning after December 31, 1951 ("accumulated earnings and profits"). The Bank had $75.9 million in pre-1988 bad debt reserves at September 30, 2024, which equates to an unrecorded deferred tax liability of $15.9 million. See additional discussion regarding the Bank's pre-1988 bad debt recapture in "Part IA. Risk Factors - Other Risks", "Part II. Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations - Comparison of Operating Results for the Years Ended September 30, 2024 and 2023" and "Part II, Item 8. Financial Statements and Supplementary Data - Notes to Consolidated Financial Statements - Note 9. Income Taxes".

State Taxation. State Taxation. The earnings/losses of Capitol Federal Financial, Inc., Capitol Funds, Inc. and Capital City Investments, Inc. are combined for purposes of filing a consolidated Kansas corporate tax return. The Kansas corporate tax rate is 4.0%, plus a surcharge of 3.0% on earnings greater than $50 thousand.

The Bank files a Kansas privilege tax return. For Kansas privilege tax purposes, the minimum tax rate is 4.5% of earnings during fiscal year 2024, which is calculated based on federal taxable income, subject to certain adjustments. For Kansas privilege tax purposes, the minimum tax rate is 4.5% of earnings, which is calculated based on federal taxable income, subject to certain adjustments. The Bank has not received notification from the state of any potential tax liability for any years still subject to audit. The Bank's minimum rate for the Kansas privilege tax return will be reduced to 4.18% of earnings starting in fiscal year 2025.

Additionally, the Bank files state tax returns in 16 other states and two cities where it has significant loan balances. In these states and cities, the Bank has either established a nexus under an economic nexus theory or has exceeded enumerated nexus thresholds based on the amount of interest income derived from loans within the state. In these states, the Bank has either established nexus under an economic nexus theory or has exceeded enumerated nexus thresholds based on the amount of interest derived from sources within the state.

8


Employees and Human Capital Resources

At September 30, 2024, we had a total of 659 employees, including 76 part-time employees. The full-time equivalent of our total employees at September 30, 2024 was 636, an increase from 632 at September 30, 2023.

Our employees are not represented by any collective bargaining group. Management considers its employee relations to be good. We believe our ability to attract and retain employees is a key to our success. Accordingly, we strive to offer competitive salaries and employee benefits to all employees and monitor salaries in our market areas. Physical well-being is supported by the Company's health, dental, vision, life and various other insurances, and a wellness program that encourages employees to live a healthy and balanced lifestyle. Volunteer opportunities are provided and encouraged for all employees. Capitol Federal employees recorded over 3,690 hours in volunteer time for local organizations and charities during fiscal year 2024.

Our Company respects, values and encourages diversity in our employees and customers. We seek to recognize and develop the unique contributions each individual brings to our Company, and we are fully committed to maintaining a culture of diversity as a pillar of our values and our success. These efforts are supported by our Board of Directors. Since 1977, at least one woman has served as a director of the Bank and, since its inception in 1999, at least one woman has served on the Board of Directors of the Company. In addition, since 2012, at least one underrepresented minority has served as a director of the Company and the Bank. The Board of Directors annually reviews the Company's diversity recruitment efforts and employment statistics.

To assist in expanding diversity, the Company recruits employees through sources and organizations targeted at diverse communities.8 To assist in expanding diversity, the Company recruits employees through sources and organizations targeted at diverse communities. The Company also provides multiple opportunities for professional development and growth, including continuing education when applicable and specialty education within banking. Leadership development is supported through our Leadership Forum services, on a biannual basis, for mid-level leaders within the organization. Education for this program is currently provided by Banktastic. Annual employee educational requirements include targeted diversity, equity and inclusion training for all managers. All employees receive annual training on providing fair, high-quality service and understanding the causes of discrimination. All employees receive annual training on providing fair service, which is targeted at addressing implicit bias in providing customer service.

The Company actively participates in initiatives to promote diversity and inclusion, both internally and externally. The Company has an Inclusion Task Force that promotes diversity and inclusion. During the current fiscal year, the Inclusion Task Force hosted events such as book and documentary discussions and developed an internal community webpage. Our employees, together with the Capitol Federal Foundation, contribute to programs that promote educational opportunities in all communities as well as housing in low-and-moderate income communities, including scholarships specifically for diverse candidates.

Item 1A. Risk Factors
There are risks inherent in the Bank's and Company's business. The following is a summary of material risks and uncertainties relating to the operations of the Bank and the Company. Adverse experiences with these could have a material impact on the Company's financial condition and results of operations. Some of these risks and uncertainties are interrelated, and the occurrence of one or more of them may exacerbate the effect of others. These material risks and uncertainties are not necessarily presented in order of significance. In addition to the risks set forth below and the other risks described in this Annual Report, there may be risks and uncertainties that are not currently known to us or that we currently deem to be immaterial that could materially and adversely affect our business, financial condition or operating results.

Risks Related to Macroeconomic Conditions

Changes in interest rates could have an adverse impact on our results of operations and financial condition.
Our results of operations are primarily dependent on net interest income, which is the difference between the interest earned on loans, securities, cash at the Federal Reserve Bank and dividends received on FHLB stock, and the interest paid on deposits and borrowings. Changes in interest rates could have an adverse impact on our results of operations and financial condition because the majority of our interest-earning assets are long-term, fixed-rate loans, while the majority of our interest-bearing liabilities are shorter term, and therefore subject to a greater degree of interest rate fluctuations. This type of risk is known as interest rate risk and is affected by prevailing economic and competitive conditions that are beyond the
9


Company's control, including general economic conditions, inflationary trends and/or monetary policies of the FRB and fiscal policies of the United States federal government.

The impact of changes in interest rates is generally observed on the income statement. The magnitude of the impact will be determined by the difference between the amount of interest-earning assets and interest-bearing liabilities, both of which either reprice or mature within a given period of time, in addition to the yields earned on interest-earning assets and rates paid on interest-bearing liabilities. The magnitude of the impact will be determined by the difference between the amount of interest-earning assets and interest-bearing liabilities, both of which either reprice or mature within a given period of time. This difference provides an indication of the extent to which our net interest rate spread will be impacted by changes in interest rates. In addition, changes in interest rates will impact the expected level of repricing of the Bank's mortgage-related assets and callable debt securities. Generally, as interest rates decline, the amount of interest-earning assets expected to reprice will increase as borrowers have an economic incentive to reduce the cost of their mortgage or debt, which would negatively impact the Bank's interest income. Conversely, as interest rates rise, the amount of interest-earning assets expected to reprice will decline as the economic incentive to refinance the mortgage or debt is diminished. As this occurs, the amount of interest-earning assets repricing could diminish to the point where interest-bearing liabilities reprice to a higher interest rate at a faster pace than interest-earning assets, thus negatively impacting the Bank's net interest income. For additional information about the interest-rate risk we face, see "Part II, Item 7A. Quantitative and Qualitative Disclosures about Market Risk."

Changes in interest rates can also have an adverse effect on our financial condition, as available-for-sale ("AFS") securities are reported at estimated fair value. Stockholders' equity, specifically accumulated other comprehensive income (loss) ("AOCI"), is increased or decreased by the amount of change in the estimated fair value of our AFS securities, net of deferred income taxes. Increases in interest rates generally decrease the fair value of AFS securities, which adversely impacts stockholders' equity. For additional information, see "Part II, Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations - Strategic Securities Transaction," "Part II, Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations - Stockholders' Equity" and "Part II, Item 8. Financial Statements and Supplementary Data – Notes to Consolidated Financial Statements – Note 15. Accumulated Other Comprehensive Income."

Changes in interest rates, as they relate to customers, can also have an adverse impact on our financial condition and results of operations. In times of rising interest rates, default risk may increase among borrowers with adjustable-rate loans as the rates on their loans adjust upward and their payments increase. Fluctuations in interest rates also affect customer demand for loan and deposit products. Competition from financial institutions and others could affect our ability to attract and retain deposits and could result in the Bank paying more for deposits. Competition from other financial institutions and/or brokerage firms could affect our ability to attract and retain deposits and could result in us paying more for deposits.

In addition to general changes in interest rates, changes that affect the shape of the yield curve could negatively impact the Bank. The Bank's interest-bearing liabilities are generally priced based on short-term interest rates while the majority of the Bank's interest-earning assets are priced based on long-term interest rates. Income for the Bank is primarily driven by the spread between these rates. As a result, a steeper yield curve, meaning long-term interest rates are significantly higher than short-term interest rates, would provide the Bank with a better opportunity to increase net interest income. When the yield curve is flat, meaning long-term interest rates and short-term interest rates are essentially the same, or when the yield curve is inverted, meaning long-term interest rates are lower than short-term interest rates, the net yield between interest-earning assets and interest-bearing liabilities that reprice is compressed or diminished and would likely negatively impact the Bank's net interest income. See "Part II, Item 7A. Quantitative and Qualitative Disclosures About Market Risk" for additional information about the Bank's interest rate risk management.

An economic downturn, including a decline in real estate values, especially affecting our geographic market areas and certain regions of the country where we have commercial real estate loans or correspondent loans secured by one- to four-family properties, could have an adverse impact on our business and financial results.
As we have grown our commercial real estate lending portfolio, we have continued to maintain relationships not only in our local markets but in geographically diverse markets. As a result, we are particularly exposed to downturns in regional housing and commercial real estate markets and, to a lesser extent, housing and commercial real estate markets nationwide, along with changes in the levels of unemployment or underemployment. As a result, we are particularly exposed to downturns in regional housing and commercial real estate markets and, to a lesser extent, the US housing and commercial real estate markets, along with changes in the levels of unemployment or underemployment. We monitor the current status and trends of local and national employment levels and trends and current conditions in the real estate and housing markets, as well as commercial real estate markets, in our local market areas and certain areas where we have commercial real estate loans and correspondent loans. Decreases in local real estate values could adversely affect the value of the property used as collateral for our loans, which could cause us to realize a loss in the event of a foreclosure. Additionally, if insurance obtained by our
10


borrowers is insufficient to cover any losses sustained to the collateral, the decreases in the value of collateral securing our loans as a result of natural disasters or other related events could adversely impact our financial condition and results of operations. If insurance coverage is unavailable to our borrowers due to the reluctance of insurance companies to renew policies covering the collateral or due to other factors, the resulting increase in cost of home ownership could affect the ability of borrowers to repay loans. In addition, a decline in commercial real estate values would likewise adversely affect the value of collateral securing commercial real estate loans. Adverse conditions in our local economies and in certain areas where we have commercial real estate loans and correspondent loans, such as inflation, unemployment, supply chain disruptions, recession, natural disasters or pandemics, or other factors beyond our control, could adversely impact the ability of our borrowers to repay their loans. Adverse conditions in our local economies and in certain areas where we have correspondent loans and commercial real estate participation loans, such as inflation, unemployment, supply chain disruptions, recession, natural disasters or pandemics, or other factors beyond our control, could impact the ability of our borrowers to repay their loans. Declines in collateral values and adverse economic conditions could result in increased delinquencies, non-performing assets, loan losses, and future loan loss provisions.

Risks Related to Lending Activities

The increase in commercial loans in our loan portfolio exposes us to increased lending and credit risks, which could adversely impact our financial condition and results of operations.
A growing portion of our loan portfolio consists of commercial loans. These loan types tend to be larger than and in different geographic regions from most of our existing loan portfolio and are generally considered to have different and greater risks than one- to four-family residential real estate loans and may involve multiple loans to groups of related borrowers. A growing commercial loan portfolio also subjects us to greater regulatory scrutiny. Furthermore, these loan types can expose us to a greater risk of delinquencies, non-performing assets, loan losses, and future loan loss provisions than one- to four-family residential real estate loans because repayment of such loans often depends on the successful operation of a business or of the underlying property. Repayment of such loans may be affected by factors outside the borrower's control, such as adverse conditions in the real estate market, the economy, environmental factors, natural disasters or pandemics, and/or changes in government regulation. Also, there are risks inherent in commercial real estate construction lending as the value of the project is uncertain prior to the completion of construction and subsequent lease-up. A sudden downturn in the economy, labor and/or supply chain issues, or other unforeseen events could result in stalled projects or collateral shortfalls, thus exposing us to increased credit risk.

Commercial and industrial loans are primarily made based on the identified cash flow of the borrower and secondarily on the collateral underlying the loans. The borrowers' cash flow may prove to be unpredictable, and collateral securing these loans may fluctuate in value. Most often, this collateral consists of accounts receivable, inventory and equipment. Significant adverse changes in a borrower's industries and businesses could cause rapid declines in values of, and collectability associated with, those business assets, which could result in inadequate collateral coverage for our commercial and industrial loans and expose us to future losses. In the case of loans secured by accounts receivable, the availability of funds for the repayment of these loans may be substantially dependent on the ability of the borrower to collect amounts due from its clients. Inventory and equipment may depreciate over time, may be difficult to appraise, may be illiquid and may fluctuate in value based on the success of the business. If the cash flow from business operations is reduced, the borrower's ability to repay the loan may be impaired. An increase in valuation allowances and charge-offs related to our commercial and industrial loan portfolio could have an adverse effect on our business, financial condition, results of operations and future prospects.

Risks Related to Cybersecurity, Third Parties, and Technology.

The occurrence of any information system failure or interruption, breach of security or cyberattack, at the Company, at its third-party service providers or counterparties may have an adverse effect on our business, reputation, financial condition and results of operations.
Information systems are essential to the conduct of our business, as we use such systems to manage our customer relationships, our general ledger, our deposits and our loans. In the normal course of our business, we collect, process, retain and transmit (by email and other electronic means) sensitive and confidential information regarding our customers, employees and others. We also outsource certain aspects of our data processing, data processing operations, remote network monitoring, engineering and managed security services to third-party service providers. In addition to confidential information regarding our customers, employees and others, we, and in some cases a third party, compile, process, transmit and store proprietary, non-public information concerning our business, operations, plans and strategies.

11


Information security risks for financial institutions continue to increase in part because of evolving technologies, the use of the internet and telecommunications technologies (including mobile devices) to conduct financial and other business transactions and the increased sophistication and activities of organized crime, perpetrators of fraud, hackers, terrorists and others. Cyber criminals use a variety of tactics, such as ransomware, denial of service, and theft of sensitive business and customer information to extort payment or other concessions from victims. In some cases, these attacks have caused significant impacts on other businesses' access to data and ability to provide services. We are not able to anticipate or implement effective preventive measures against all incidents of these types, especially because the techniques used change frequently and because attacks can originate from a wide variety of sources, including attacks on third-party vendors and their applications and products used by the Bank.

We use a variety of physical, procedural and technological safeguards to prevent or limit the impact of system failures, interruptions and security breaches and to protect confidential information from mishandling, misuse or loss, including detection and response mechanisms designed to contain and mitigate security incidents. However, there can be no assurance that such events will not occur or that they will be promptly detected and adequately addressed if they do, and early detection of security breaches may be thwarted by sophisticated attacks and malware designed to avoid detection. If there is a failure in or breach of our information systems, or those of a third-party service provider, the confidential and other information processed and stored in, and transmitted through, such information systems could be jeopardized, or could otherwise cause interruptions or malfunctions in our operations or the operations of our customers, employees, or others.

Our business and operations depend on the secure processing, storage and transmission of confidential and other information in our information systems and those of our third-party service providers. Although we devote significant resources and management focus to ensuring the integrity of our information systems through information security measures, risk management practices, relationships with threat intelligence providers and business continuity planning, our facilities, computer systems, software and networks, and those of our third-party service providers, may be vulnerable to external or internal security breaches, acts of vandalism, unauthorized access, misuse, computer viruses or other malicious code and cyberattacks that could have a security impact. In addition, breaches of security may occur through intentional or unintentional acts by those having authorized or unauthorized access to our confidential or other information or the confidential or other information of our customers, employees or others. While we regularly conduct security and risk assessments on our systems and those of our third-party service providers, there can be no assurance that their information security protocols are sufficient to withstand a cyberattack or other security breach. While we regularly conduct security and risk 11 assessments on our systems and those of our third-party service providers, there can be no assurance that their information security protocols are sufficient to withstand a cyberattack or other security breach. Across our industry, the cost of minimizing these risks and investigating incidents has continued to increase with the frequency and sophistication of these threats.

The occurrence of any of the foregoing could subject us to litigation or regulatory scrutiny, cause us significant reputational damage or erode confidence in the security of our information systems, products and services, cause us to lose customers or have greater difficulty in attracting new customers, have an adverse effect on the value of our common stock or subject us to financial losses that may not be covered by insurance, any of which could have an adverse effect on our business, financial condition and results of operations. As information security risks and cyber threats continue to evolve, we may be required to expend significant additional resources to further enhance or modify our information security measures and/or to investigate and remediate any information security vulnerabilities or other exposures arising from operational and security risks.

Furthermore, there continues to be heightened legislative and regulatory focus on privacy, data protection and information security. New or revised laws and regulations may significantly impact our current and planned privacy, data protection and information security-related practices, the collection, use, sharing, retention and safeguarding of consumer and employee information, and current or planned business activities. Compliance with current or future privacy, data protection and information security laws could result in higher compliance and technology costs and could restrict our ability to provide certain products and services, which could have an adverse effect on our business, financial condition and results of operations.

Our customers are also targets of cyberattacks and identity theft. There continues to be instances involving financial services and consumer-based companies reporting the unauthorized disclosure of client or customer information or the destruction or theft of corporate data. Large scale identity theft could result in customers' accounts being compromised and fraudulent activities being performed in their names. We have implemented certain safeguards against these types of activities, but they may not fully protect us from financial losses. The occurrence of a security breach involving our customers' information, regardless of its origin, could damage our reputation and result in a loss of customers and business, subject us to additional
12


regulatory scrutiny, and expose us to litigation and possible financial liability. Any of these events could have an adverse effect on our business, financial condition and results of operations. See "Part I, Item 1C.Item 1A. See "Part II, Item 7A. Cybersecurity" for additional discussion related to cybersecurity.

Third-party vendors subject the Company to potential business, reputation and financial risks.
Third-party vendors are sources of operational and information security risk to the Company, including risks associated with operations errors, information system interruptions or breaches, and unauthorized disclosures of sensitive or confidential customer information. The Company requires third-party vendors to maintain certain levels of information security; however, vendors may remain vulnerable to breaches, unauthorized access, misuse, computer viruses, and/or other malicious attacks that could ultimately compromise sensitive information. We have developed procedures and processes for selecting and monitoring third-party vendors, but ultimately are dependent on these third-party vendors to secure their information. If these vendors encounter any of these types of issues, or if we have difficulty communicating with them, we could be exposed to disruption of operations, loss of service or connectivity to customers, reputational damage, and litigation risk that could have an adverse effect on our business, financial condition and results of operations.

The failure of an external vendor to perform in accordance with the contracted arrangements under service level agreements, because of changes in the vendor's organizational structure, financial condition, support for existing products and services or strategic focus or for any other reason, could be disruptive to our operations, which could have an adverse effect on our business and, in turn, our financial condition and results of operations.12 The failure of an external vendor to perform in accordance with the contracted arrangements under service level agreements, because of changes in the vendor's organizational structure, financial condition, support for existing products and services or strategic focus or for any other reason, could be disruptive to our operations, which could have an adverse effect on our business and, in turn, our financial condition and results of operations. Additionally, replacing certain third-party vendors could also entail significant delay and expense.

We are heavily reliant on technology, and a failure to effectively implement technology initiatives or anticipate future technology needs or demands could adversely affect our business or performance.
Like most financial institutions, the Bank significantly depends on technology to deliver its products and services and to otherwise conduct business. To remain technologically competitive and operationally efficient, the Bank invests in system upgrades, new technological solutions, and other technology initiatives. Many of these solutions and initiatives have a significant duration, are tied to critical information systems, and require substantial resources. Although the Bank takes steps to mitigate the risks and uncertainties associated with these solutions and initiatives, there is no guarantee that they will be implemented on time, within budget, or without negative operational or customer impact. The Bank also may not succeed in anticipating its future technology needs, the technology demands of its customers, or the competitive landscape for technology. If the Bank were to falter in any of these areas, it could have an adverse effect on our business, financial condition and results of operations.

Risks Related to Competition

Strong competition may limit our growth and profitability.
While we are one of the largest mortgage loan originators in the state of Kansas, we compete in the same market areas as local, regional, and national banks, savings institutions, credit unions, mortgage brokerage firms, investment banking and brokerage firms, mortgage bankers and online competitors. We also compete with online investment and mortgage brokerages and online banks that are not confined to any specific market area. Many of these competitors operate on a national or regional level, are a conglomerate of various financial services providers housed under one corporation, or otherwise have substantially greater financial or technological resources than the Bank. We compete primarily on the basis of the interest rates offered to depositors, the terms of loans offered to borrowers, and the benefits afforded to customers as a local institution and portfolio lender. Should we face competitive pressure to increase deposit rates or decrease loan rates, our net interest income could be adversely affected. Additionally, our competitors may offer products and services that we do not or cannot provide, as certain deposit and loan products fall outside of our accepted level of risk. Our profitability depends upon our ability to compete in our local market areas.

Risks Related to Regulation

We operate in a highly regulated environment, which limits the manner and scope of our business activities, and we may be adversely affected by new and/or changes in laws and regulations or interpretation of existing laws and regulations.
We are subject to extensive regulation, supervision, and examination by the OCC, the FRB, and the FDIC. These regulatory authorities exercise broad discretion in connection with their supervisory and enforcement activities, including the ability to
13


impose restrictions on a bank's operations, reclassify assets, determine the adequacy of a bank's ACL, and determine the level of deposit insurance premiums assessed. The CFPB has broad powers to supervise and enforce consumer protection laws, including a wide range of consumer protection laws that apply to all banks and savings institutions, like the authority to prohibit unfair, deceptive or abusive acts and practices. The CFPB also has examination and enforcement authority over all banks with regulatory assets exceeding $10 billion at four consecutive quarter-ends. There are increased direct costs, additional regulatory burdens with indirect costs, and lost revenue, mainly related to interchange fees, associated with the Bank being over $10 billion in regulatory assets at certain points in time and for four consecutive quarter-ends. As long as the Bank does not exceed $10 billion in regulatory assets for four consecutive quarter ends, it will continue to be examined for compliance with consumer protection laws and the regulations of the CFPB by the Bank's primary bank regulator, the OCC. The Dodd-Frank Act also weakens the federal preemption rules that have been applicable for national banks and federal savings associations and gives state attorneys general the ability to enforce federal consumer protection laws.

Any change in such regulation and oversight, whether in the form of regulatory policy, regulations, legislation, interpretation or application, could have an adverse impact on our operations. Moreover, bank regulatory agencies have been active in responding to concerns and trends identified in examinations and have issued formal enforcement orders requiring capital ratios in excess of regulatory requirements and/or assessing monetary penalties. Bank regulatory agencies, such as the OCC, the FRB and the FDIC, govern the activities in which we may engage, primarily for the protection of depositors' funds, the DIF and the safety and soundness of the banking system as a whole, and not for the protection or benefit of investors. The CFPB enforces consumer protection laws and regulations for the benefit of consumers and not the protection or benefit of investors. The CFPB enforces consumer protection laws and regulations for the benefit of the consumer and not the protection or benefit of investors. In addition, new laws and regulations, including those related to environmental, social, and governance initiatives, may continue to increase our costs of regulatory compliance and of doing business, and otherwise affect our operations. New laws and regulations may significantly affect the markets in which we do business, the markets for and value of our loans and securities, the products we offer, the fees we can charge and our ongoing operations, costs, and profitability.

The Company is also directly subject to the requirements of entities that set and interpret accounting standards such as the Financial Accounting Standards Board, and indirectly subject to the actions and interpretations of the Public Company Accounting Oversight Board, which establishes auditing and related professional practice standards for registered public accounting firms and inspects registered firms to assess their compliance with certain laws, rules, and professional standards in public company audits. These regulations, along with existing tax, accounting, securities, and monetary laws, regulations, rules, standards, policies and interpretations, control the methods by which financial institutions and their holding companies conduct business, engage in strategic and tax planning, implement strategic initiatives, and govern financial reporting.

The Company's failure to comply with laws, regulations or policies could result in civil or criminal sanctions and money penalties by state and federal agencies, and/or reputational damage, which could have an adverse effect on the Company's business, financial condition and results of operations. See "Part I, Item 1. Business - Regulation and Supervision" for more information about the regulations to which the Company is subject.

Other Risks

The Company's ability to pay dividends and repurchase shares is subject to the ability of the Bank to make capital distributions to the Company.
The long-term ability of the Company to pay dividends to its stockholders and repurchase shares is based primarily upon the ability of the Bank to generate sufficient earnings to make capital distributions to the Company and on the availability of cash at the holding company level in the event the Bank's earnings are not sufficient to make capital distributions to the Company. Under certain circumstances, capital distributions from the Bank to the Company may be subject to regulatory approvals. See "Item 1. Business – Regulation and Supervision" for additional information.

The Bank's bad debt recapture amount may impact the amount and timing of capital distributions to the Company.
The Bank will report a net loss for tax purposes for fiscal year 2024 due to the sale of securities in October 2023 associated with the securities strategy and will therefore have negative current and accumulated earnings and profits for fiscal year 2024. As a result of the negative current and accumulated earnings and profits, capital distributions from the Bank to the holding company during fiscal year 2024 were deemed to be drawn out of the Bank's pre-1988 bad debt reserves and resulted in the recognition of income tax expense based on the amount of the capital distribution multiplied by the then-current Bank income tax rate. This additional tax expense reduced the amount of earnings available to be distributed to the holding company
14


during fiscal year 2024. The Bank had $75.9 million in pre-1988 bad debt reserves at September 30, 2024, which equates to an unrecorded deferred tax liability of $15.9 million.

Given the amount of cash at the holding company level ($50.1 million as of September 30, 2024), and in an effort to minimize the tax associated with the bad debt recapture, it is currently the intention of management and the Board of Directors to not distribute earnings from the Bank to the Company during fiscal year 2025. It is anticipated that the Bank will have sufficient taxable income during fiscal year 2025 to replenish tax accumulated earnings and profits to a positive level, allowing the Bank to make capital distributions to the Company during fiscal year 2026 and not be taxed on those distributions.

See additional discussion regarding the Bank's pre-1988 bad debt recapture in "Part II. Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations - Comparison of Operating Results for the Years Ended September 30, 2024 and 2023" and "Part II, Item 8. Financial Statements and Supplementary Data - Notes to Consolidated Financial Statements - Note 9. Income Taxes".

Our risk management and compliance programs and functions may not be effective in mitigating risk and loss.
We maintain an enterprise risk management program that is designed to identify, quantify, monitor, report, and control the risks that we face. These risks include: interest-rate, credit, liquidity, operations, reputation, compliance and litigation. We also maintain a compliance program to identify, measure, assess, and report on our adherence to applicable laws, policies and procedures. While we assess and improve these programs on an ongoing basis, there can be no assurance that our risk management or compliance programs, along with other related controls, will effectively mitigate all risk and limit losses in our business. If conditions or circumstances arise that expose flaws or gaps in our risk management or compliance programs, or if our controls do not function as designed, the performance and value of our business could be adversely affected.

The Company may not be able to attract and retain skilled employees.
The Company's success depends, in large part, on its ability to attract and retain key people. Competition for the best people can be intense, and the Company spends considerable time and resources attracting and hiring qualified people for its operations. The unexpected loss of the services of one or more of the Company's key personnel could have an adverse impact on the Company's business because of their skills, knowledge of the Company's market, and years of industry experience, as well as the difficulty of promptly finding qualified replacement personnel.

The Company may be adversely affected by an increasing prevalence of fraud and other financial crimes.
Reported instances of fraud and related financial crimes are rising nationwide. Like all financial institutions, the Company is vulnerable to increasing fraud losses as fraud schemes perpetrated against the Company and its customers continue to evolve and become more sophisticated. While the Company has procedures and systems in place to detect, prevent, and mitigate fraud losses, fraud losses may still occur and could be material to the Company's results of operations.


Item 1B. Unresolved Staff Comments
None.
Item 1C.Item 1A. Cybersecurity
Risk Management and Strategy

Information security and privacy are an important part of our culture and foundational to our goal of delivering safe, secure and quality products and services. This philosophy is emphasized throughout the Bank by its Board of Directors, senior leaders, officers, managers and other employees to promote a Bank-wide culture of cybersecurity risk management.

As a financial institution we collect, store, and transmit sensitive, confidential, and proprietary data and other information, including intellectual property, business information, funds-transfer instructions, payment card data, and personally identifiable information of our customers and employees. This information can be of significant value to criminal actors, and, as described in Item 1A. Risk Factors, cybersecurity incidents and other security breaches involving this information at the Bank, at our service providers or counterparties, may negatively impact our business or performance.

15


We have implemented a strategy to address threats to Bank assets and confidential information. Our information security program, under the responsibility of the Chief Information Officer and the Chief Compliance & Risk Management Officer, balances security risks with business goals and provides appropriate protections for the confidentiality, integrity and availability of Bank and customer information. We annually benchmark our information security program to assess its strength as measured against recommended industry security best practices.

Due to our heavy reliance on the strength and capability of our technology systems, which we use both to interface with our customers and to manage our internal financial reporting and other systems, we utilize a layered cybersecurity model designed to protect our systems and sensitive data. This model is composed of a variety of different components including administrative controls, technical controls and other safeguards. These various components are centrally managed and monitored, creating a multi-layered and interlocking cybersecurity defense system. Unauthorized access to our customers' confidential or proprietary information as a result of a cybersecurity incident or otherwise could expose us to reputational harm and litigation and adversely affect our ability to attract and retain customers.

We maintain a variety of programs and policies to support the management of cybersecurity risk with a focus on prevention, detection and recovery processes. These programs and policies leverage frameworks and controls from the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, Federal Financial Institutions Examination Council ("FFIEC") cybersecurity guidance, Center for Internet Security ("CIS") Benchmarks, as well as various other regulatory requirements and industry-specific standards. The Bank also participates in the federally recognized Financial Services Information Sharing and Analysis Center and requires its employees and contractors to complete various education and training programs related to information security.

The Bank's Information Technology ("IT") and Compliance and Risk Management ("C&RM") teams have the primary responsibility for establishing appropriate policies and procedures that are responsive to cybersecurity threats and other information security risks. Members of these teams have a wide variety of relevant certifications, such as Certified Information Systems Security Professional, Certified Information Security Manager, Certification in Risk Management Assurance and Certified in Risk and Information Systems Control. Our C&RM team provides risk management oversight to the IT team. The Bank's Internal Audit function, using internal and outside expertise, independently oversees, reviews and validates the IT and C&RM activities and reports to the Board of Directors' Audit Committee on the effectiveness of governance, risk management and internal controls.

We have established an Enterprise Risk Management program. As part of this program, the C&RM team reviews our IT risk management practices, which are designed to identify, assess, manage, monitor, and report cybersecurity risks. The IT team is responsible for implementing risk management practices set forth in the IT risk management program.

As one of the critical elements of the Bank's overall risk management approach, our cybersecurity risk management program and strategy is focused on the following key areas:

Incident Response and Recovery Planning: The Bank has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Technical Safeguards: The Bank deploys technical safeguards that are designed to protect the sensitive information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and multifactor authentication and other access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Outside Experts: The Bank routinely works with outside experts, consultants, auditors and other third parties in connection with managing its cybersecurity risks and for advice regarding best practices and technical expertise.
Education and Awareness: The Bank provides regular, mandatory training for personnel regarding cybersecurity threats on matters such as phishing and email security best practices to equip our personnel with effective tools to address cybersecurity threats, and to communicate the Bank's evolving information security policies, standards, processes and practices.

16


While processes are in place to minimize the chance of a successful cyberattack, the Bank has established incident response procedures to address a cyberattack that may occur despite these safeguards. The response procedures are designed to identify, analyze, contain and remediate any such cyber incident that occurs.

The Bank engages in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, penetration tests and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are analyzed by the cybersecurity team and the Information Technology Oversight Committee ("ITOC") and provided to the Bank's Board of Directors. We adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

We have implemented a third-party risk program to oversee and manage information security and privacy risks associated with third-party relationships. The program includes the assessment of third parties that provide key services or will access, store, process, or transmit sensitive information during initial onboarding and throughout the lifecycle of the relationship, and management of applicable contractual requirements relating to confidentiality, integrity, availability and privacy obligations, including timely notification of incidents. Third-party services related to advice, assessments, auditing, testing and support related to cybersecurity and information technology processes and services, where appropriate, are also subject to the third-party risk program.

Like other financial institutions, the Bank experiences malicious cyber activity on an ongoing basis directed at its websites, computer systems, software, networks and users. This malicious activity includes attempts at unauthorized access and implantation of computer viruses or malware. The Bank also experiences large volumes of phishing and other forms of social engineering attempted for the purpose of perpetuating fraud. Notwithstanding the breadth of our information security and privacy program, it may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse impact. Unauthorized access to our computer systems or stored data could result in theft, including cyber theft, or improper disclosure of confidential information, and the deletion or modification of records could cause interruptions in our operations. The impact of a material information technology event could have a materially adverse effect on our competitive position, reputation, results of operations, financial condition or cash flows.

Board Governance

The members of the Boards of Directors of the Company and the Bank are identical. The Bank's Board of Directors oversees cybersecurity risk management and strategy for both entities through management updates regarding the policies, practices and security results related to the Gramm-Leach-Bliley Act, IT risk management, IT security metrics, penetration testing, tabletop exercises, IT risk assessments, disaster recovery testing, and security awareness testing and training. Management is responsible for designing and implementing policies, processes and procedures, and deploying physical and virtual technology and safeguards to measure, monitor, and control cybersecurity risk. The Bank's Chief Information Officer provides an annual comprehensive update to the Board of Directors on the status of IT, and the plans for the future as well as quarterly updates which include any cyber incidents. The Bank's Chief Technology Officer provides annual training on cyber security topics and reports to the Board of Directors on the Bank's cyber incidents, if any. Cyber incidents with (i) the potential of materiality; (ii) anticipated publicity; or (iii) anticipated written notices to a significant number of customers; have been promptly reported to the Board with ongoing updates during regular Board meetings. The Bank's Chief Information Officer presents updates on new security measures, programs and services to ITOC. The minutes and materials from the ITOC meetings are available to the Board of Directors on the Directors' Board Portal. The Bank's Information Security Officer provides the Board of Directors an annual report on all aspects of Information Security, including steps taken to minimize the risk of cyber incidents through training and testing employees on phishing, social engineering, etc. This annual report also includes an independent third-party assessment of the Bank's information security systems together with information on steps taken to address any identified weaknesses. The Board of Directors also participates in an annual evaluation of risk and is presented with management's assessment of the top risks, which generally includes several cybersecurity components.

17


Material Cybersecurity Incidents

As of September 30, 2024, we were not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Bank, including its business strategies, results of operations or financial condition. For more information on our cybersecurity-related risks, see "Item 1A. Risk Factors – Risks Related to Cybersecurity, Third Parties, and Technology”.


Recently Filed
Click on a ticker to see risk factors
Ticker * File Date
CLSK 14 hours ago
ALCO 1 day, 19 hours ago
ALTX 4 days, 9 hours ago
DBMM 4 days, 10 hours ago
TMRC 4 days, 10 hours ago
FLNC 4 days, 11 hours ago
EACO 4 days, 12 hours ago
ESE 4 days, 13 hours ago
SNEX 4 days, 17 hours ago
UNEX 4 days, 19 hours ago
CNBX 4 days, 20 hours ago
CENT 6 days, 10 hours ago
LESL 6 days, 10 hours ago
DSRO 6 days, 10 hours ago
SANM 6 days, 12 hours ago
CFFN 6 days, 12 hours ago
BDX 6 days, 13 hours ago
SPH 6 days, 15 hours ago
MOG-A 6 days, 17 hours ago
ENTA 6 days, 18 hours ago
HOLX 6 days, 19 hours ago
LGYV 6 days, 19 hours ago
LEDS 6 days, 20 hours ago
AZTA 1 week ago
UGI 1 week ago
JJSF 1 week ago
RJF 1 week ago
NJR 1 week ago
ARWR 1 week ago
CASH 1 week ago
BERY 1 week ago
ADI 1 week ago
ABQQ 1 week ago
ABC 1 week ago
WWD 1 week ago
LEXX 1 week ago
SMG 1 week ago
PNNT 1 week, 1 day ago
PFLT 1 week, 1 day ago
AEHA 1 week, 1 day ago
CRNC 1 week, 1 day ago
IIIV 1 week, 1 day ago
BLBD 1 week, 1 day ago
GLDM 1 week, 1 day ago
GLD 1 week, 1 day ago
ROAD 1 week, 1 day ago
J 1 week, 1 day ago
ENRT 1 week, 4 days ago
VVV 1 week, 4 days ago
GEOS 1 week, 4 days ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard