First Bancorp Puerto Rico (FBP) Risk Analysis

State, federal, and foreign governments are increasingly enacting laws and regulations governing the collection, use, retention,sharing, transfer, and security of personally identifiable information and data. A variety of federal, state, local, and foreign laws and regulations, orders, rules, codes, regulatory guidance, and certain industry standards regarding privacy, data protection, consumer protection, information security, and the processing of personal information and other data apply to our business. State laws are changing rapidly, and new legislation proposed or enacted in a number of other states imposes, or has the potential to impose,additional obligations on companies that process confidential, sensitive and personal information, and will continue to shape the data privacy environment nationally. The U.S. federal government is also focused on privacy matters. Any failure by us or any of our business partners to comply with applicable laws, rules, and regulations may result in investigations or actions against us by governmental entities, private claims and litigation, fines, penalties or other liabilities. Such events may increase our expenses, expose us to liabilities, and impair our reputation, which could have a material adverse effect on our business. While we aim to comply with applicable data protection laws and obligations in all material respects, there is no assurance that we will not be subject to claims that we have violated such laws and obligations, will be able to successfully defend against such claims, or will not be subject to significant fines and penalties in the event of non-compliance. Additionally, to the extent multiple state-level laws are introduced in the U.S. with inconsistent or conflicting standards and there is no federal law to preempt such laws, compliance with such laws could be difficult and costly, or impossible, to achieve, and we could be subject to fines and penalties in the event of non-compliance.

We are subject to regulatory capital adequacy guidelines, and, if we fail to meet these guidelines, our business and financial

Recognition of deferred tax assets is dependent upon the generation of future taxable income by the Bank. As of December 31, 2023, the Corporation had a deferred tax asset of $150.1 million (net of a valuation allowance of $ $139.2 million, including a valuation allowance of $111.4 million against the deferred tax assets of FirstBank). Under the PR Tax Code, the Corporation and its subsidiaries, including FirstBank, are treated as separate taxable entities and are not entitled to file consolidated tax returns. Accordingly, in order to obtain a tax benefit from a NOL, a particular subsidiary must be able to demonstrate sufficient taxable income within the applicable NOL carry-forward period. Pursuant to the PR Tax Code, the carry-forward period for NOLs incurred during taxable years that commenced after December 31, 2004 and ended before January 1, 2013 is 12 years; for NOLs incurred during taxable years commencing after December 31, 2012, the carryover period is 10 years. Accounting for income taxes requires that companies assess whether a valuation allowance should be recorded against their deferred tax asset based on an assessment of the amount of the deferred tax asset that is more likely than not to be realized. Due to significant estimates utilized in determining the valuation allowance and the potential for changes in facts and circumstances in the future, the Corporation may not be able to reverse the remaining valuation allowance or may need to increase its current deferred tax asset valuation allowance.

government or the PROMESA oversight board to address the ongoing fiscal and economic challenges in Puerto Rico. A significant portion of the Corporation's business activities and credit exposure is concentrated in the Commonwealth of Puerto Rico, which has undergone significant economic challenges and debt reforms over the last decade. On June 15, 2023, the Puerto Rico Planning Board ("PRPB") presented the updated Economic Report to the Governor, which provides an analysis of Puerto Rico's economy during fiscal year 2022 and a short-term forecast for fiscal years 2023 and 2024. According to the PRPB, Puerto Rico's real gross national product ("GNP") expanded by 3.7% in fiscal year 2022, which was the highest annual real GNP growth registered in Puerto Rico since fiscal year 1999. The growth was primarily driven by a sharp increase in personal consumption expenditures reflecting an increase of approximately 8.5% when compared to fiscal year 2021, increase in exports of 4.8%, and growth in fixed capital investments of 12.6%, partially offset by an increase in imports of 10.3%. The 2023 Fiscal Plan prioritizes resource allocation across three major pillars: (i) entrenching a legacy of strong financial management through the implementation of a comprehensive financial management agenda, (ii) instilling a culture of public -sector performance and excellence to properly delivery quality public services, and (iii) investing for economic growth to ensure sufficient revenues are generated to support the delivery of services. According to the Transformation Plan, the fiscal and economic turnaround of Puerto Rico cannot be accomplished without the implementation of structural economic reforms that promote sustainable economic development. These reforms include power/energy sector reform to improve availability, reliability and affordability of energy,education reform to expand opportunity and prepare the workforce to compete for jobs of the future, and an infrastructure reform aimed at improving the efficiency of the economy and facilitating investment. The 2023 Fiscal Plan projects that these reforms, if implemented successfully, will contribute 0.75% in GNP growth by fiscal year 2026. Additionally, the 2023 Fiscal Plan provides a roadmap for a tax reform directed towards establishing a tax regime that is more competitive for investors and more equitable for individuals. The 2023 Fiscal Plan notes that Puerto Rico has had a strong recovery in the aftermath of the COVID-19 pandemic crisis with labor participation trending positively and unemployment at historically low levels. However, it recognizes that such recovery has been primarily fueled by the unprecedented influx of federal funds which have an outsized and temporary impact that may mask underlying structural weaknesses in the economy. As such, the 2023 Fiscal Plan projects a 0.7% decline in real GNP for the current fiscal year 2023, followed by a period of near-zero real growth in fiscal years 2024 through 2026. Also, the fiscal plan projects that Puerto Rico's population will continue the long-term trend of steady decline. Notwithstanding, the Transformation Plan depicts that, if managed properly, these non-recurring federal funds can be leveraged into sustainable longer-term growth and opportunity. The 2023 Fiscal Plan projects that approximately $81 billion in total disaster relief funding, from federal and private sources, will be disbursed as part of the reconstruction efforts over a span of 18 years (fiscal years 2018 through 2035). These funds will benefit individuals, the public (e.g., reconstruction of major infrastructure, roads, and schools), and will cover part of Puerto Rico's share of the cost of disaster relief funding. Also, the 2023 Fiscal Plan projects the $9.3 billion in remaining COVID-19 relief funds to be deployed in fiscal years 2023 through 2025, compared to $4.5 billion projected in the previous fiscal plan. Additionally, the 2023 Fiscal Plan continues to account for $2.3 billion in federal funds to Puerto Rico from the Bipartisan Infrastructure Law directed towards improving Puerto Rico's infrastructure over fiscal years 2022 through 2026. As of December 31, 2023, the Corporation had $297.9 million of direct exposure to the Puerto Rico government, its municipalities and public corporations. As of December 31, 2023, approximately $189.0 million of the exposure consisted of loans and obligations of municipalities in Puerto Rico that are supported by assigned property tax revenues and for which, in most cases, the good faith, credit and unlimited taxing power of the applicable municipality have been pledged to their repayment, and $59.4 million consisted of loans and obligations which are supported by one or more specific sources of municipal revenues. The municipalities are required by law to levy special property taxes in such amounts as are required for the payment of all of their respective general obligation bonds and notes. In addition to municipalities, the total direct exposure also included $8.9 million in loans to an affiliate of PREPA, $37.4 million in loans to an agency of the Puerto Rico government, and obligations of the Puerto Rico government, specifically a residential pass-through MBS issued by the PR Housing Finance Authority ("PRHFA"), at an amortized cost of $3.2 million as part of its available-for-sale debt securities portfolio (fair value of $1.4 million as of December 31, 2023). In addition, as of December 31, 2023, the Corporation had $77.7 million in exposure to residential mortgage loans that are guaranteed by the PRHFA. Residential mortgage loans guaranteed by the PRHFA are secured by the underlying properties and the guarantees serve to cover shortfalls in collateral in the event of a borrower default. The regulations adopted by the PRHFA require the establishment of adequate reserves to guarantee the solvency of its mortgage loans insurance program . As of June 30, 2022, the most recent date as of which information is available, the PRHFA had a liability of approximately $1 million as an estimate of the losses inherent in the portfolio. As of December 31, 2023, the Corporation had $2.7 billion of public sector deposits in Puerto Rico, which are fully collateralized. Approximately 20% of the public sector deposits as of December 31, 2023 were from municipalities and municipal agencies in Puerto Rico and 80% were from public corporations, the Puerto Rico central government and agencies, and U.S. federal government agencies in Puerto Rico. Instability in economic conditions, delays in the receipt of disaster relief funds allocated to Puerto Rico, and the potential impact on asset values resulting from past or future natural disaster events, when added to Puerto Rico's ongoing fiscal challenges, could materially adversely affect our business, financial condition, liquidity, results of operations and capital position.

Our results of operations could be adversely affected by natural disasters, public health crises, political crises, negative global

security systems and infrastructure, and present significant reputational, legal and regulatory costs. Our business is highly dependent on the security, controls and efficacy of our infrastructure, computer and data management systems, as well as those of our customers, suppliers, and other third parties. To access our network, products and services, our employees, customers, suppliers, and other third parties, including downstream service providers, the financial services industry and financial data aggregators, with whom we interact, on whom we rely or who have access to our customers' personal or account information, increasingly use personal mobile devices or computing devices that are outside of our network and control environments and are subject to their own cybersecurity risks. Our business relies on effective access management and the secure collection,processing, transmission, storage and retrieval of confidential, proprietary, personal and other information in our computer and data management systems and networks, and in the computer and data management systems and networks of third parties. Information security risks for financial institutions have significantly increased in recent years, especially given the increasing sophistication and activities of organized computer criminals, hackers, and terrorists and our expansion of online and digital customer services to better meet our customer's needs. These threats may derive from fraud or malice on the part of our employees or third-party providers or may result from human error or accidental technological failure. These threats include cyber-attacks, such as computer viruses, malicious or destructive code, phishing attacks, denial of service attacks, or other security breach tactics that could result in the unauthorized release, gathering, monitoring, misuse, loss, destruction, or theft of confidential, proprietary, and other information, including intellectual property, of ours, our employees, our customers, or third parties, damages to systems, or otherwise material disruption to our or our customers' or other third parties' network access or business operations, both domestically and internationally. While we maintain an Information Security Program that continuously monitors cyber-related risks and ultimately ensures protection for the processing, transmission, and storage of confidential, proprietary, and other information in our computer systems and networks, as well as a vendor management program to oversee third party and vendor risks, there is no guarantee that we will not be exposed to or be affected by a cybersecurity incident. For example, as previously disclosed, one of our third-party vendors was the victim of a security incident in April 2023 involving a set of data that included some information on FirstBank's mortgage loan business. In response to learning of the incident, we promptly launched our own internal investigation, which confirmed that our own systems were not compromised, and any operational and financial impact was minimal. Our vendor has indicated (and we have no evidence to the contrary) that to date there is no evidence that there has been any actual or attempted misuse of information. The Corporation has not incurred any material expenses related to the incident and does not expect any future impact. Cyber threats are rapidly changing, and future attacks or breaches could lead to other security breaches of the networks, systems, or devices that our customers use to access our integrated products and services, which, in turn, could result in unauthorized disclosure,release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary, and other information (including account data information) or data security compromises. As cyber threats continue to evolve, we may be required to expend significant additional resources to modify or enhance our protective measures, investigate, and remediate any information security vulnerabilities or incidents and develop our capabilities to respond and recover. The full extent of a particular cyberattack, and the steps that the Corporation may need to take to investigate such attack, may not be immediately clear, and it could take considerable additional time for us to determine the complete scope of information compromised, at which time the impact on the Corporation and measures to recover and restore to a business-as-usual state may be difficult to assess. These factors may also inhibit our ability to provide full and reliable information about the cyberattack to our customers, third-party vendors, regulators, and the public. A successful penetration or circumvention of our system security, or the systems of our customers, suppliers, and other third parties,could cause us serious negative consequences, including significant operational, reputational, legal, and regulatory costs and concerns. Any of these adverse consequences could adversely impact our results of operations, liquidity, and financial condition. In addition,our insurance policies may not be adequate to compensate us for the potential costs and other losses arising from cyber-attacks,failures of information technology systems, or security breaches, and such insurance policies may not be available to us in the future on economically reasonable terms, or at all. Insurers may also deny us coverage as to any future claim. Any of these results could harm our growth prospects, financial condition, business, and reputation.

products and services, or if we fail to respond to emerging technologies that seek to displace traditional financial services. Like most financial institutions, FirstBank significantly depends on technology to deliver its products and other services and to otherwise conduct business. To remain technologically competitive and operationally efficient, FirstBank invests in system upgrades,new technological solutions, and other technology initiatives. If competitors introduce new products and services embodying new technologies, or if new industry standards and practices emerge, our existing product and service offerings, technology and systems may become obsolete. Furthermore, if we fail to adopt or develop new technologies or to adapt our products and services to emerging industry standards, we may lose current and future customers, which could have a material adverse effect on our business, financial condition and results of operations. The financial services industry is changing rapidly and, in order to remain competitive, we must continue to enhance and improve the functionality and features of our products, services and technologies. These changes may be more difficult or expensive to implement than we anticipate. When we launch a new product or service, introduce a new platform for the delivery or distribution of products or services (including mobile connectivity and cloud computing), or make changes to an existing product or service, we may not fully appreciate or identify new operational risks that may arise from those changes, or we may fail to implement adequate controls to mitigate the risks associated with those changes. Significant failure in this regard could diminish our ability to operate our business or result in potential liability to our customers and third parties, increased operating expenses, weaker competitive standing, and significant reputational, legal and regulatory costs. Additionally, some recent innovations may trend toward replacing traditional banks as financial service providers rather than merely augmenting those services. For example, companies which claim to offer applications and services based on artificial intelligence are beginning to compete much more directly with traditional financial services companies in areas involving personal advice, including high-margin services such as financial planning and wealth management. The low-cost, high-speed nature of these "robo-advisor" services can be especially attractive to younger, less-affluent clients and potential clients, as well as persons interested in "self-service" investment management. Similarly, inventions based on blockchain technology eventually may be the foundation for greatly enhancing transactional security throughout the banking industry, but also eventually may reduce the need for banks as secure deposit-keepers and intermediaries. Any of the foregoing consequences could materially and adversely affect our businesses and

operational risks could adversely affect our consolidated results of operations. We may fail to identify and manage risks related to a variety of aspects of our business, including, but not limited to, liquidity risk;interest rate risk; market risk; credit risk; operational risk; legal, regulatory and compliance risk; reputational risk; model risk; capital risk; strategic risk; and information technology and cybersecurity risk. We have adopted and periodically improve various controls,procedures, policies and systems to monitor and manage risk. Any improvements to our controls, procedures, policies and systems,however, may not be adequate to identify and manage the risks in our various businesses. If our risk framework is ineffective, either because it fails to keep pace with changes in the financial markets or our businesses or for other reasons, we could incur losses, suffer reputational damage, or find ourselves out of compliance with applicable regulatory mandates or expectations. We may also be subject to disruptions from external events, such as natural disasters and cyber-attacks, which could cause delays or disruptions to operational functions, including information processing and financial market settlement functions. In addition, our customers, vendors and counterparties could suffer from such events. Should these events affect us, or the customers, vendors or counterparties with which we conduct business, our consolidated results of operations could be negatively affected. When we record balance sheet reserves for probable loss contingencies related to operational losses, we may be unable to accurately estimate our potential exposure, and any reserves we establish to cover operational losses may not be sufficient to cover our actual financial exposure, which may have a material impact on our consolidated results of operations or financial condition for the periods in which we recognize the losses.

Labor shortages and constraints in the supply chain could adversely affect our clients' operations as well as our operations. Many sectors in Puerto Rico, the United States, the Virgin Islands and around the world are experiencing a shortage of workers. Many of our commercial clients have been impacted by this shortage along with disruptions and constraints in the supply chain, which could adversely impact their operations and could lead to reduced cash flow and difficulty in making loan repayments. The Corporation's industry has also been affected by the shortage of workers, as well as increasing wages for entry level and certain professional roles. This may lead to open positions remaining unfilled for longer periods of time, which may affect the level of service provided by the Corporation, or a need to increase wages to attract workers.

We are subject to ESG risks that could adversely affect our reputation and the market price of our securities. There is an increased focus from certain government regulators, investors, customers, business partners and other stakeholders concerning ESG matters, and the expectations related to ESG matters are rapidly evolving. The increased focus by investors and other stakeholders on the ESG practices of publicly traded companies, like us, has included or may in the future include expanding mandatory and voluntary reporting, diligence, and disclosure on topics such as climate change, human capital, labor and risk oversight, and could expand the nature, scope, and complexity of matters that we are required to control, assess and report. These requirements would likely result in increased ESG-related compliance costs, which could result in increases to our overall operational costs. Failure to adapt to or comply with regulatory requirements or investor or stakeholder expectations and standards could negatively impact our reputation, ability to do business with certain partners, and our stock price. For example, we may be exposed to negative publicity based on the identity and activities of those to whom we lend and with which we otherwise do business and the public's view of the approach and performance of our customers and business partners with respect to ESG matters. Any such negative publicity could arise from adverse news coverage in traditional media and could also spread through the use of social media platforms. The Corporation's relationships and reputation with its existing and prospective customers and third parties with which we do business could be damaged if we were to become the subject of any such negative publicity. This, in turn, could have an adverse effect on our ability to attract and retain customers and employees and could have a negative impact on our business, financial condition and results of operations. In addition, we could be criticized by ESG detractors for the scope or nature of our ESG initiatives or policies or for any revisions to these policies. We could also be subjected to negative responses by governmental actors (such as anti-ESG legislation or retaliatory legislative treatment) or consumers (such as boycotts or negative publicity campaigns) that could adversely affect our reputation, results of operations and financial condition.