Equity Bancshares (EQBK) Risk Analysis

We are subject to supervision and regulation by federal and state banking agencies that periodically conduct examinations of our business, including compliance with laws and regulations – specifically, our subsidiary, Equity Bank, is subject to examination by the Federal Reserve and the OSBC and we are subject to examination by the Federal Reserve. Accommodating such examinations may require management to reallocate resources, which would otherwise be used in the day-to-day operation of other aspects of our business. If, as a result of an examination, any such banking agency was to determine that the financial condition, capital resources, allowance for credit losses, asset quality, earnings prospects, management, liquidity or other aspects of our operations had become unsatisfactory, or that we or our management were in violation of any law or regulation, such banking agency may take a number of different remedial actions as it deems appropriate. These actions include the power to enjoin "unsafe or unsound" practices, to require affirmative actions to correct any conditions resulting from any violation or practice, to issue an administrative order that can be judicially enforced, to direct an increase in our capital, to restrict our growth, to assess civil monetary penalties against us, our officers, or directors, to remove officers and directors and, if it is concluded that such conditions cannot be corrected or there is an imminent risk of loss to depositors, to terminate our deposit insurance. If we become subject to such a regulatory action, it could have a material adverse effect on our business, financial condition and results of operations.

Many aspects of our business involve substantial risk of legal liability. We have been named or threatened to be named as defendants in various lawsuits arising from our business activities (and in some cases from the activities of companies that we have acquired) including, but not limited to, consumer residential real estate mortgages. In addition, from time to time, we are, or may become, the subject of governmental and self-regulatory agency information-gathering requests, reviews, investigations and proceedings and other forms of regulatory inquiry, including by bank regulatory agencies, the Consumer Financial Protection Bureau, the SEC and law enforcement authorities. The results of such proceedings could lead to significant civil or criminal penalties, including monetary penalties, damages, adverse judgments, settlements, fines, injunctions, restrictions on the way in which we conduct our business or reputational harm.

Companies are facing increasing scrutiny from customers, regulators, investors, and other stakeholders related to their environmental, social and governance ("ESG") practices and disclosure. Investor advocacy groups, investment funds and influential investors are also increasingly focused on these practices, especially as they relate to the environment, health and safety, diversity, labor conditions and human rights. Increased ESG related compliance costs could result in increases to our overall operational costs. Failure to adapt to or comply with regulatory requirements or investor or stakeholder expectations and standards could negatively impact our reputation, ability to do business with certain partners, and our stock price. New government regulations could also result in new or more stringent forms of ESG oversight and expanding mandatory and voluntary reporting, diligence, and disclosure.

Recessionary periods historically have brought about increased foreclosures and unemployment which have resulted in significant write-downs of asset values by financial institutions, including government-sponsored entities and major commercial and investment banks. These write-downs, initially of mortgage-backed securities but spreading to credit default swaps and other derivative securities, have historically caused many financial institutions to seek additional capital, to merge with larger and stronger institutions and, in some cases, to fail. This market turmoil and tightening of credit have led to an increased level of commercial and consumer delinquencies, lack of consumer confidence, increased market volatility and widespread reduction of business activity generally. Although conditions have improved, a return of these trends could have a material adverse effect on our business and operations. Negative market developments may affect consumer confidence levels and may cause adverse changes in payment patterns, causing increases in delinquencies and default rates, which may impact our charge-offs and provisions for loan and credit losses. Economic deterioration that affects household and/or corporate incomes could also result in reduced demand for credit or fee-based products and services. These conditions would have adverse effects on us and others in the financial services industry.

As of December 31, 2024, our ten largest non-brokered depositors accounted for $438.7 million in deposits, or approximately 10.0% of our total deposits. Further, our non-brokered deposit account balance was $4.2 billion, or approximately 97.1% of our total deposits, as of December 31, 2024. Several of our large depositors have business, family or other relationships with each other, which creates a risk that any one customer's withdrawal of its deposit could lead to a loss of other deposits from customers within the relationship. Withdrawals of deposits by any one of our largest depositors or by one of our related customer groups could force us to rely more heavily on borrowings and other sources of funding for our business and withdrawal demands, adversely affecting our net interest margin and results of operations. We may also be forced, as a result of any withdrawal of deposits, to rely more heavily on other, potentially more expensive and less stable funding sources. Consequently, the occurrence of any of these events could have a material adverse effect on our business, results of operations, financial condition and future prospects.

We are a community bank and our reputation is one of the most valuable components of our business. As such, we strive to conduct our business in a manner that enhances our reputation. This is done, in part, by recruiting, hiring and retaining employees who share our core values of being an integral part of the communities we serve, delivering superior service to our customers and caring about our customers and associates. If our reputation is negatively affected by the actions of our employees or otherwise, our business and therefore, our operating results may be materially adversely affected. Further, negative public opinion can expose us to litigation and regulatory action as we seek to implement our growth strategy.

We focus our business development and marketing strategy primarily to serve the banking and financial services needs of small to medium-sized businesses and entrepreneurs. These small to medium-sized businesses and entrepreneurs may have fewer financial resources in terms of capital or borrowing capacity than larger entities. If economic conditions negatively impact our markets generally, and small to medium-sized businesses are adversely affected, our financial condition and results of operations may be negatively affected.

The Company's business is dependent upon the willingness and ability of our customers to conduct banking and other financial transactions. Outbreaks of highly contagious or infectious diseases could negatively impact the ability of our employees and customers to conduct such transactions and disrupt the business activities and operations of our customers in the geographic areas in which we operate. The COVID-19 pandemic caused changes in the behavior of customers, businesses, and their employees, including illness, quarantines, social distancing practices, cancellation of events and travel, business and school shutdowns, reduction in commercial activity and financial transactions, supply chain interruptions, increased unemployment, and overall economic and financial market instability. Similar impacts could be experienced in the future if such an outbreak or pandemic were to occur again. Notwithstanding our contingency plans and other safeguards against pandemics or another contagious disease, the spread of contagion could negatively impact the availability of Equity Bank staff who are necessary to conduct our business operations, as well as potentially impact the business and operations third party service providers who perform critical services for us. If the response to contain a similar highly infectious or contagious disease, is unsuccessful, the Company could experience a material adverse effect on our business operations, asset valuations, financial condition, and results of operations. Material adverse impacts may include all or a combination of valuation impairments on the Company's intangible assets, investments, loans, loan servicing rights, deferred tax assets, or counter-party risk derivatives.

The banking and financial services industries are undergoing rapid technological changes with frequent introductions of new technology-driven products and services. In addition to enhancing the level of service provided to customers, the effective use of technology increases efficiency and enables financial institutions to reduce costs. Our future success will depend, in part, upon our ability to address the needs of our customers by using technology to provide products and services that enhance customer convenience and create additional efficiencies in operations. Many of our competitors have greater resources to invest in technological improvements and we may not be able to effectively implement new technology-driven products and services, which could reduce our ability to effectively compete.

Information security risks for financial institutions have generally increased in recent years, in part because of the proliferation of new technologies, the use of the internet and telecommunications technologies to conduct financial transactions and the increased sophistication and activities of organized crime, hackers, terrorists, activists and other external parties. The financial services industry has seen increases in electronic fraudulent activity, hacking, security breaches, sophisticated social engineering and cyber-attacks, including in the commercial banking sector, as cyber criminals have been targeting commercial bank accounts on an increasing basis. We are under continuous threat of loss due to fraudulent activity, hacking and cyber-attacks, especially as we continue to expand customer capabilities to utilize internet and other remote channels to transact business. Our risk and exposure to these matters remains heightened because of the evolving nature and complexity of these threats from cyber criminals and hackers, our plans to continue to provide internet banking and mobile banking channels and our plans to develop additional remote connectivity solutions to serve our customers. Therefore, the secure processing, transmission and storage of information in connection with our online banking services are critical elements of our operations. However, our network is vulnerable to unauthorized access, computer viruses and other malware, phishing schemes or other security failures. In addition, our customers may use personal smartphones, tablet PCs or other mobile devices that are beyond our control systems in order to access our products and services. Our technologies, systems and networks and our customers' devices, may become the target of cyber-attacks, electronic fraud or information security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss or destruction of our or our customers' confidential, proprietary and other information, or otherwise disrupt our or our customers' or other third parties' business operations. As cyber threats continue to evolve, we may be required to spend significant capital and other resources to protect against these threats or to alleviate or investigate problems caused by such threats. Our business relies on the secure processing, storage, transmission and retrieval of confidential customer information in our computer and data management systems and networks, and in the computer and data management systems and networks of third parties, and any breaches or unauthorized access to such information could present significant regulatory costs and expose us to litigation and other possible liabilities. Any inability to prevent these types of security threats could also cause existing customers to lose confidence in our systems and could adversely affect our reputation and ability to generate deposits. The occurrence of any cyber-attack or information security breach could result in financial losses or increased costs to us or our clients, disclosure or misuse of confidential information belonging to us or personal or confidential information belonging to our clients, misappropriation of assets, reputational damage, damage to our competitive position and the disruption of our operations, all of which could adversely affect our financial condition or results of operations. In recent periods, several governmental agencies and large corporations, including financial service organizations and retail companies, have suffered major data breaches, in some cases exposing not only their confidential and proprietary corporate information, but also sensitive financial and other personal information of their clients or clients and their employees or other third parties and subjecting those agencies and corporations to potential fraudulent activity and their clients, clients and other third parties to identity theft and fraudulent activity in their credit card and banking accounts. Therefore, security breaches and cyber-attacks can cause significant increases in operating costs, including the costs and capital expenditures required to correct the deficiencies and strengthen the security of data processing and storage systems. Unfortunately, it is not always possible to anticipate, detect, or recognize these threats to our systems, or to implement effective preventative measures against all breaches, whether those breaches are malicious or accidental. Cybersecurity risks for banking organizations have significantly increased in recent years and have been difficult to detect before they occur because, among other reasons: - the proliferation of new technologies and the use of the internet and telecommunications technologies to conduct financial transactions;- these threats arise from numerous sources, not all of which are in our control, including among others, human error, fraud or malice on the part of employees or third parties, accidental technological failure, electrical or telecommunication outages, failures of computer servers or other damage to our property or assets, natural disasters or severe weather conditions, health emergencies or pandemics, or outbreaks of hostilities or terrorist acts;- the techniques used in cyber-attacks change frequently and may not be recognized until launched or until well after the breach has occurred;- the increased sophistication and activities of organized crime groups, hackers, terrorist organizations, hostile foreign governments, disgruntled employees or vendors, activists and other external parties, including those involved in corporate espionage;- the vulnerability of systems to third parties seeking to gain access to such systems either directly or using equipment or security passwords belonging to employees, customers, third-party service providers or other users of our systems; and - our frequent transmission of sensitive information to, and storage of such information by, third parties, including our vendors and regulators, and possible weaknesses that go undetected in our data systems notwithstanding the testing we conduct of those systems. While we invest in systems and processes that are designed to detect and prevent security breaches and cyber-attacks and we conduct periodic tests of our security systems and processes, we may not succeed in anticipating or adequately protecting against or preventing all security breaches and cyber-attacks from occurring. Even the most advanced internal control environment may be vulnerable to compromise. Targeted social engineering attacks are becoming more sophisticated and are extremely difficult to prevent. Additionally, the existence of cyber-attacks or security breaches at third parties with access to our data, such as vendors, may not be disclosed to us in a timely manner. Further, we may not be able to insure against losses related to cyber threats. As cyber threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities or incidents. As is the case with non-electronic fraudulent activity, cyber-attacks or other information or security breaches, whether directed at us or third parties, may result in a material loss or have material consequences. Furthermore, the public perception that a cyber-attack on our systems has been successful, whether or not this perception is correct, may damage our reputation with customers and third parties with whom we do business. A successful penetration or circumvention of system security could cause us negative consequences, including loss of customers and business opportunities, disruption to our operations and business, misappropriation or destruction of our confidential information and/or that of our customers, or damage to our customers' and/or third parties' computers or systems, and could expose us to additional regulatory scrutiny and result in a violation of applicable privacy laws and other laws, litigation exposure, regulatory fines, penalties or intervention, loss of confidence in our security measures, reputational damage, reimbursement or other compensatory costs, additional compliance costs, and could adversely impact our results of operations, liquidity and financial condition.

We are exposed to many types of operational risk, including the risk of fraud by employees and outsiders, clerical record-keeping errors and transactional errors. Our business is dependent on our employees as well as third-party service providers to process a large number of increasingly complex transactions. We could be materially adversely affected if someone causes a significant operational breakdown or failure, either as a result of human error or where an individual purposefully sabotages or fraudulently manipulates our operations or systems. When we originate loans, we rely upon information supplied by loan applicants and third parties, including the information contained in the loan application, property appraisal and title information, if applicable, and employment and income documentation provided by third parties. If any of this information is misrepresented and such misrepresentation is not detected prior to loan funding, we generally bear the risk of loss associated with the misrepresentation. Any of these occurrences could result in a diminished ability of us to operate our business, potential liability to customers, reputational damage and regulatory intervention, which could negatively impact our business, financial condition and results of operations.

As a member institution of the FDIC, our banking subsidiary, Equity Bank, is assessed a quarterly deposit insurance premium. We are generally unable to control the amount of premiums or special assessments that Equity Bank is required to pay, future bank failures may stress the Deposit Insurance Fund and prompt the FDIC to increase its premiums or to issue special assessments. Any future changes in the calculation or assessment of FDIC insurance premiums may have a material adverse effect on our results of operations, financial condition and our ability to continue to pay dividends on our common stock at the current rate or at all.