Five Star (FSBC) Risk Analysis

From time to time, in the normal course of business, we have in the past been and may in the future be named as a defendant in various legal actions, arising in connection with our current and/or prior business activities. Legal actions could include claims for substantial compensatory or punitive damages or claims for indeterminate amounts of damages. Further, in the future our regulators may impose consent orders, civil money penalties, matters requiring attention, or similar types of supervisory criticism. We may also, from time to time, be the subject of subpoenas, requests for information, reviews, investigations, and proceedings (both formal and informal) by governmental agencies regarding our current and/or prior business activities. Any such legal or regulatory actions may subject us to substantial compensatory or punitive damages, significant fines, penalties, obligations to change our business practices, or other requirements resulting in increased expenses, diminished income, and damage to our reputation. Our involvement in any such matters, whether tangential or otherwise and even if the matters are ultimately determined in our favor, could also cause significant harm to our reputation and divert management attention from the operation of our business. Further, any settlement, consent order, or adverse judgment in connection with any formal or informal proceeding or investigation by government agencies may result in litigation, investigations, or proceedings as other litigants and government agencies begin independent reviews of the same activities. As a result, the outcome of legal and regulatory actions could have an adverse effect on our business, financial condition, and results of operations.

One component of our business consists of originating and periodically selling U.S. government-guaranteed loans, in particular those guaranteed by the SBA. Pursuant to the Consolidated Appropriations Act, 2021, the SBA guaranteed 90% of the principal amount of each qualifying SBA loan originated under the SBA's 7(a) loan program through October 1, 2021. The SBA presently guarantees 75% to 90% of the principal amount of qualifying loans originated under the 7(a) loan program. The U.S. government may not maintain the SBA 7(a) loan program, and even if it does, the guaranteed portion may not remain at its current or anticipated level. In addition, from time to time, the government agencies that guarantee these loans reach their internal limits and cease to guarantee future loans. In addition, these agencies may change their rules for qualifying loans or Congress may adopt legislation that would have the effect of discontinuing or changing the loan guarantee programs. Non-governmental programs could replace government programs for some borrowers, but the terms might not be equally acceptable. Therefore, if these changes occur, the volume of loans to small business and industrial borrowers of the types that now qualify for government-guaranteed loans could decline. Also, the profitability of the sale of the guaranteed portion of these loans could decline as a result of market displacements due to increases in interest rates, and premiums realized on the sale of the guaranteed portions could decline from current levels. As the funding and sale of the guaranteed portion of SBA 7(a) loans is a major portion of our business and a significant portion of our non-interest income, any significant changes to the SBA 7(a) loan program, such as its funding or eligibility requirements, may have an unfavorable impact on our prospects, future performance, and results of operations. The aggregate principal balance of SBA 7(a) guaranteed portions sold during the year ended December 31, 2024 was approximately $18.3 million, compared to approximately $36.5 million for the year ended December 31, 2023. In addition, current or future delays to, reductions of, and/or cancellations of certain federal government payments in connection with cost-saving and government efficiency efforts undertaken by the Trump Administration may lead to increased repayment risk from clients of the Bank who rely on payments from the federal government in conducting their businesses. Potential losses could adversely affect our business, financial condition, and results of operations.

Our business requires the collection and retention of large volumes of customer data, including personally identifiable information ("PII"), in various information systems that we maintain and in those maintained by third-party service providers. We also maintain important internal company data such as PII about our employees and information relating to our operations. We are subject to complex and evolving laws and regulations governing the privacy and protection of PII of individuals (including customers, employees, and other third parties). For example, our business is subject to the GLB Act, which, among other things: (i) imposes certain limitations on our ability to share nonpublic PII about our customers with nonaffiliated third parties; (ii) requires that we provide certain disclosures to customers about our information collection, sharing, and security practices and afford customers the right to "opt out" of any information sharing by us with nonaffiliated third parties (with certain exceptions); and (iii) requires that we develop, implement, and maintain a written comprehensive information security program containing appropriate safeguards based on our size and complexity, the nature and scope of our activities, and the sensitivity of customer information we process, as well as plans for responding to data security breaches. Various federal and state banking regulators and states have also enacted data breach notification requirements with varying levels of individual, consumer, regulatory, or law enforcement notification in the event of a security breach. The California Consumer Privacy Act grants California residents the rights to know about personal information collected about them, to delete certain of this personal information, to opt out of the sale of personal information, and to non-discrimination for exercising these rights. Ensuring that our collection, use, transfer, and storage of PII complies with all applicable laws and regulations can increase our costs. Furthermore, we may not be able to ensure that customers and other third parties have appropriate controls in place to protect the confidentiality of the information that they exchange with us, particularly where such information is transmitted by electronic means. If personal, confidential, or proprietary information of customers or others were to be mishandled or misused (in situations where, for example, such information was erroneously provided to parties who are not permitted to have the information, or where such information was intercepted or otherwise compromised by third parties), we could be exposed to litigation or regulatory sanctions under privacy and data protection laws and regulations. Concerns regarding the effectiveness of our measures to safeguard PII, or even the perception that such measures are inadequate, could cause us to lose customers or potential customers and thereby reduce our revenues. Accordingly, any failure or perceived failure to comply with applicable privacy or data protection laws and regulations may subject us to inquiries, examinations, and investigations that could result in requirements to modify or cease certain operations or practices or in significant liabilities, fines, or penalties, and could damage our reputation and otherwise adversely affect our business, financial condition, and results of operations.

The financial services industry is undergoing rapid technological changes, with frequent introductions of new technology-driven products and services. The effective use of technology increases efficiency and enables financial institutions to better serve customers and reduce costs. Our future success will depend, in part, upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy customer demands for convenience, as well as to create additional efficiencies in our operations. Many of our competitors have substantially greater resources to invest in technological improvements than we do. We may not be able to implement new technology-driven products and services effectively or be successful in marketing these products and services to our customers. Failure to keep pace successfully with technological change affecting the financial services industry could harm our ability to compete effectively and could have an adverse effect on our business, financial condition, and results of operations. As these technologies improve in the future, we may be required to make significant capital expenditures in order to remain competitive, which may increase our overall expenses and have an adverse effect on our business, financial condition, and results of operations.

Failures in, or breaches of, our computer systems and network infrastructure, or those of our third-party vendors or other service providers, including as a result of cyber-attacks, cybersecurity breaches, and other disruptions, could disrupt our business, result in the disclosure or misuse of confidential or proprietary information, result in supervisory liability or regulatory enforcement action, damage our reputation, result in a loss of customers and business, result in a loss of confidence in the security of our systems, products, and services, increase our costs, and cause losses. Our operations are dependent upon our ability to protect our computer equipment against damage from fire, power loss, telecommunications failure, or a similar catastrophic event. Any damage or failure that causes an interruption in our operations could have an adverse effect on our business, financial condition, and results of operations. In addition, our operations are dependent upon our ability to protect our computer systems and network infrastructure, including our internet banking activities, against damage from physical break-ins, cybersecurity breaches, and other disruptive problems caused by the internet or other users. Cybersecurity breaches and other disruptions would jeopardize the security of information stored in and transmitted through our computer systems and network infrastructure, which may result in business disruptions, significant liability to us, and damage to our reputation and may discourage current and potential customers from using our internet banking services. Our security measures, including firewalls and penetration testing, as well as oversight by our board of directors and the Audit Committee as well as management's assessment, identification, and management of cybersecurity risks, may not prevent or detect future potential losses from system failures or cybersecurity breaches, attacks, or other disruptions. While we seek to continuously monitor for and react to any and all such malicious cyber activity and develop our systems to protect our technology infrastructure and data, such monitoring and systems development may not be effective in preventing misuse, misappropriation, or corruption. In the ordinary course of business, our board of directors receives quarterly cybersecurity risk management updates and members of the Audit Committee of our board of directors also attend the meetings of our information technology steering committee on a quarterly basis. Cybersecurity risk management is incorporated into our overall enterprise risk management model, which is updated on a quarterly basis and subject to oversight by our board of directors. In the normal course of business, we collect, process, and retain sensitive and confidential information regarding our customers. Although we devote significant resources, oversight by our board of directors, and management focus to ensuring the integrity of our systems through information security and business continuity programs, our facilities and systems, and those of our third-party service providers, are vulnerable to external or internal security breaches, acts of vandalism, computer viruses, malware, misplaced or lost data, programming or human errors, or other similar events. We and our third-party service providers have experienced these types of events in the past and expect to continue to experience them in the future. These events could interrupt our business or operations or result in significant legal and financial exposure (including costs associated with remediating any security breaches), supervisory liability, regulatory enforcement action, damage to our reputation, loss of customers and business, or a loss of confidence in the security of our systems, products, and services. Although the impact to date from these events has not had an adverse effect on us, we cannot be sure this will be the case in the future. Any of these occurrences could have an adverse effect on our business, financial condition, and results of operations. We are not able to anticipate or implement effective preventive measures against all security breaches of these types, especially because attacks are increasingly sophisticated, change frequently, often are not recognized until launched, and can originate from a wide variety of sources. Our early detection and response mechanisms could fail to detect, mitigate, or remediate these risks in a timely manner. Despite our implementation of protective measures and endeavoring to modify them as circumstances warrant, our computer systems, software, and networks may be vulnerable to human error, equipment failure, natural disasters, power loss, unauthorized access, supply chain attacks, distributed denial of service attacks, computer viruses and other malicious code, and other events that could result in significant liability and damage to our reputation, and have an ongoing impact on the security and stability of our operations. In addition, although we maintain insurance coverage that may, subject to terms and conditions, cover certain aspects of cyber and information security risks, such insurance coverage may be insufficient to cover all losses, such as litigation costs or financial losses that exceed our policy limits or are not covered under any of our current insurance policies. Information security risks for financial institutions like us have increased recently in part because of new technologies, the use of the internet, cloud, and telecommunications technologies (including mobile devices) to conduct financial and other business transactions, and the increased sophistication and activities of organized crime, perpetrators of fraud, hackers, terrorists, and others. Additionally, like many large enterprises, we have introduced more remote work arrangements for our employees. The increase in remote work arrangements over the past few years has introduced potential new vulnerabilities to cyber threats. We also face increased cybersecurity risk as we deploy additional technologies and digital solutions, including our website and digital banking platform with complementary treasury management solutions. Moreover, any cyber-attack or other security breach may persist for an extended period of time without detection. We endeavor to design and implement policies and procedures to identify such cyber-attacks or breaches as quickly as possible; however, we expect that any investigation of a cyber-attack or breach would take substantial amounts of time, and that there may be extensive delays before we obtain full and reliable information. During such time we would not necessarily know the extent of the harm or how best to remediate it, and certain errors or actions could be repeated or compounded before they are discovered and remediated, all of which would further increase the costs and consequences of such an attack or breach. In addition to cyber-attacks or other security breaches involving the theft of sensitive and confidential information, hackers recently have engaged in attacks against large financial institutions that are designed to disrupt key business services, such as consumer-facing web sites. We are not able to anticipate or implement effective preventive measures against all security breaches of these types, especially because the techniques used change frequently and because attacks can originate from a wide variety of sources. Our early detection and response mechanisms may be thwarted by sophisticated attacks and malware designed to avoid detection. Banking organizations are required to notify their primary federal regulator of significant computer security incidents within 36 hours of determining that such an incident has occurred. Failure to comply with this requirement in the event of such an incident could result in sanctions by regulatory agencies, civil money penalties, and/or damage to our reputation, all of which could have an adverse effect on our business, financial condition, and results of operations. The SEC enacted rules, effective as of December 18, 2023, requiring public companies to disclose material cybersecurity incidents that they experience on Form 8-K within four business days of determining that a material cybersecurity incident has occurred and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. If we fail to comply with these new requirements we could incur regulatory fines in addition to other adverse consequences to our reputation, business, financial condition, and results of operations. We may also be subject to liability under various data protection laws. In the normal course of business, we collect, process, and retain sensitive and confidential information regarding our customers and employees, including personal data. As a result, we are subject to numerous laws and regulations designed to protect this information, such as U.S. federal, state, and international laws governing the protection of personally identifiable information. These laws and regulations are increasing in complexity and number. If any person, including any of our employees, negligently disregards or intentionally breaches our established controls with respect to client or employee data, or otherwise mismanages or misappropriates such data, we could be subject to significant monetary damages, regulatory enforcement actions, fines and/or criminal prosecution. In addition, unauthorized disclosure of sensitive or confidential client or employee data, whether through system failure, employee negligence, fraud, or misappropriation, could damage our reputation and cause us to lose clients and related revenue. Potential liability in the event of a security breach of client data could be significant. Depending on the circumstances giving rise to the breach, this liability may not be subject to a contractual limit or an exclusion of consequential or indirect damages.

As of December 31, 2024, a significant majority of our loan portfolio was comprised of loans with real estate as a primary or secondary component of collateral, with a majority of these real estate loans concentrated in Northern California. Real property values in our market may be different from, and in some instances worse than, real property values in other markets or in the United States as a whole and may be affected by a variety of factors outside of our control and the control of our borrowers, including national and local economic conditions, generally. Declines in real estate values, including prices for homes and commercial properties, could result in a deterioration of the credit quality of our borrowers, an increase in the number of loan delinquencies, defaults, and charge-offs, and reduced demand for our products and services, generally. Our commercial real estate loans may have a greater risk of loss than residential mortgage loans, in part because these loans are generally larger or more complex to underwrite. In particular, real estate construction and land acquisition and development loans have risks not present in other types of loans, including risks associated with construction cost overruns, project completion risk, general contractor credit risk, and risks associated with the ultimate sale or use of the completed construction. In addition, declines in real property values in California could reduce the value of any collateral we realize following a default on these loans and could adversely affect our ability to continue to grow our loan portfolio consistent with our underwriting standards. We may have to foreclose on real estate assets if borrowers default on their loans, in which case we are required to record the related asset to the then-fair market value of the collateral, which may ultimately result in a loss. An increase in the level of nonperforming assets increases our risk profile and may affect the capital levels regulators believe are appropriate in light of the ensuing risk profile. Our failure to effectively mitigate these risks could have an adverse effect on our business, financial condition, and results of operations.

A key differentiating factor for our business is the strong reputation we are building in our market. Maintaining a positive reputation is critical to attracting and retaining customers and employees. Adverse perceptions of us could make it more difficult for us to execute on our strategy. Harm to our reputation can arise from many sources, including actual or perceived employee misconduct, errors or misconduct by our third-party vendors or other counterparties, litigation or regulatory actions, our failure to meet our high customer service and quality standards, and compliance failures. In particular, it is not always possible to prevent employee error or misconduct, and the precautions we take to prevent and detect this activity may not be effective in all cases. Because the nature of the financial services business involves a high volume of transactions, certain errors may be repeated or compounded before they are discovered and successfully rectified. Our necessary dependence upon processing systems to record and process transactions and our large transaction volume may further increase the risk that employee errors, tampering, or manipulation of those systems will result in losses that are difficult to detect. Employee error or misconduct could also subject us to financial claims. If our internal control systems fail to prevent or detect an occurrence, or if any resulting loss is not insured, exceeds applicable insurance limits, or if insurance coverage is denied or not available, it could have an adverse effect on our business, financial condition, and results of operations. Additionally, as a financial institution, we are inherently exposed to operational risk in the form of theft and other fraudulent activity by employees, customers, and other third parties targeting us and our customers or data. Such activity may take many forms, including check fraud, electronic fraud, wire fraud, phishing, social engineering, and other dishonest acts. Although we devote substantial resources to maintaining effective policies and internal controls to identify and prevent such incidents, given the increasing sophistication of possible perpetrators, we may experience financial losses or reputational harm as a result of fraud. Negative publicity about us, whether accurate or not, may also damage our reputation, which could have an adverse effect on our business, financial condition, and results of operations.

Our success depends, in large part, on the retention of our management team and key employees. Our management team and other key employees, including those who conduct our loan origination and other business development activities, have significant industry experience. We cannot ensure that we will be able to retain the services of any members of our management team or other key employees. Though we have employment agreements in place with certain members of our management team, they may still elect to leave at any time. The loss of any of our management team or our key employees could adversely affect our ability to execute our business strategy, and we may not be able to find adequate replacements on a timely basis, or at all. Our future success also depends on our continuing ability to attract, develop, motivate, and retain key employees. Qualified individuals are in high demand, and we may incur significant costs to attract and retain them. Because the market for qualified individuals is highly competitive, we may not be able to attract and retain qualified officers or candidates. Failure to attract and retain a qualified management team and qualified key employees could have an adverse effect on our business, financial condition, and results of operations. There can be no assurance that we will be able to continue to grow and to remain profitable in future periods, or, if profitable, that our overall earnings will remain consistent with our prior results of operations or increase in the future. A downturn in economic conditions in our market, particularly in the real estate market, heightened competition from other financial services providers, an inability to retain or grow our core deposit base, regulatory and legislative considerations,and failure to attract and retain high-performing talent, among other factors, could limit our ability to grow assets or increase profitability as rapidly as we have in the past. Sustainable growth requires that we manage our risks by following prudent loan underwriting standards, balancing loan and deposit growth without materially increasing interest rate risk or compressing our net interest margin, maintaining more than adequate capital at all times, managing a growing number of customer relationships, scaling technology platforms, hiring and retaining qualified employees, and successfully implementing our strategic initiatives. We must also successfully implement improvements to, or integrate, our management information and control systems, procedures, and processes in an efficient and timely manner and identify deficiencies in existing systems and controls. In particular, our controls and procedures must be able to accommodate an increase in loan volume in various markets and the infrastructure that comes with expanding operations, including new branches. Our growth strategy may require us to incur additional expenditures to expand our administrative and operational infrastructure. If we are unable to effectively manage and grow our banking franchise, we may experience compliance and operational problems, have to slow the pace of growth, or have to incur additional expenditures beyond current projections to support such growth. We may not have, or may not be able to develop, the knowledge or relationships necessary to be successful in new markets. Our failure to sustain our historical rate of growth, adequately manage the factors that have contributed to our growth, or successfully enter new markets could have an adverse effect on our earnings and profitability and, therefore, on our business, financial condition, and results of operations.

We outsource some of our operational activities and, accordingly, depend on relationships with third-party providers for services such as core systems support, informational website hosting, internet services, online account opening, and other processing services. Our business depends on the successful and uninterrupted functioning of our information technology and telecommunications systems, many of which also depend on third-party providers. The failure of these systems, a cybersecurity breach involving any of our third-party service providers, or the termination or change in terms of a third-party software license or service agreement on which any of these systems is based could interrupt our operations. Because our information technology and telecommunications systems interface with and depend on third-party systems, we could experience service denials if demand for such services exceeds capacity, or such third-party systems fail or experience interruptions. Replacing vendors or addressing other issues with our third-party service providers could entail significant delay, expense, and disruption of service. As a result, if these third-party service providers experience difficulties, are subject to cybersecurity breaches, or terminate their services, and we are unable to replace them with other service providers, particularly on a timely basis, our operations could be interrupted. If an interruption were to continue for a significant period of time, our business, financial condition, and results of operations could be adversely affected. Even if we are able to replace third-party service providers, it may be at a higher cost to us, which could adversely affect our business, financial condition, and results of operations. Furthermore, third-party service providers, and banking organizations' relationships with those providers, are subject to demanding regulatory requirements and attention by bank regulators. These regulatory expectations may change, and potentially become more rigorous in certain ways, due to an interagency effort to replace existing guidance on the risk management of third-party relationships with new guidance. Our regulators may hold us responsible for any deficiencies in our oversight or control of our third-party service providers and in the performance of the parties with which we have these relationships. As a result, if our regulators assess that we have not exercised adequate oversight and control over our third-party service providers or that such providers have not performed adequately, we could be subject to administrative penalties, fines, or other forms of regulatory enforcement action as well as requirements for consumer remediation, any of which could have an adverse effect on our business, financial condition, and results of operations.

All of our offices, a significant portion of the real estate securing loans we make, and many of our borrowers' business operations in general, are located in California. California has had and will continue to have major earthquakes in areas where a significant portion of the collateral and assets of our borrowers are concentrated. California is also prone to wildfires, droughts, mudslides, floods, and other natural disasters. Additionally, acts of terrorism, war, civil unrest, violence, other man-made disasters, or the effects of climate change could also cause disruptions to our business or to the economy as a whole. The occurrence of natural or man-made disasters or the effects of climate change could destroy, or cause a decline in the value of, mortgaged properties or other assets that serve as our collateral and increase the risk of delinquencies, defaults, foreclosures, and losses on our loans, damage our banking facilities and offices, negatively impact regional economic conditions, result in a decline in loan demand and loan originations, result in drawdowns of deposits by customers impacted by disasters, and negatively impact the implementation of our growth strategy. Natural or man-made disasters or the effects of climate change could also disrupt our business operations more generally. We have implemented a business continuity program that allows us to move critical functions to a backup data center in the event of a catastrophe. Although this program has been tested, we cannot guarantee its effectiveness in any disaster scenarios. Regardless of the effectiveness of our disaster recovery and business continuity plan, the occurrence of any natural or man-made disaster or the effects of climate change could have an adverse effect on our business, financial condition, and results of operations. Climate change also could present financial risks to us as a result of transition risks, such as societal and/or technological responses to climate change, which could include changes in climate policy or in the regulation of financial institutions with respect to risks posed by climate change.

Liquidity is essential to our business, and we monitor our liquidity and manage our liquidity risk at the holding company and bank levels. We require sufficient liquidity to fund asset growth, meet customer loan requests, facilitate customer deposit maturities and withdrawals, make payments on our debt obligations as they come due, and fulfill other cash commitments under both normal operating conditions and other unpredictable circumstances, including events causing industry or general financial market stress. Liquidity risk can increase due to a number of factors, which include, but are not limited to, an over-reliance on a particular source of funding, changes in the liquidity needs of our depositors, adverse regulatory actions against us, or a downturn in the markets in which our loans are concentrated. Market conditions or other events could also negatively affect the level or cost of funding, affecting our ongoing ability to accommodate liability maturities and deposit withdrawals, meet contractual obligations, and fund asset growth and new business transactions at a reasonable cost, in a timely manner, and without adverse consequences. Our inability to raise funds through deposits, borrowings, the sale of loans, and other sources could have an adverse effect on our business, financial condition, and results of operations, and could result in the closure of the Bank. Other primary sources of funds consist of cash flows from operations, maturities and sales of investment securities, and proceeds from issuance and sale of our equity and debt securities. Additional liquidity is provided by the ability to borrow from the FHLB and the Federal Reserve Bank of San Francisco to fund our operations. We may also borrow funds from third-party lenders, such as other financial institutions. Our access to funding sources in amounts adequate to finance our activities or on acceptable terms could be impaired by factors that affect our organization specifically or the financial services industry or economy in general. Our access to funding sources could also be affected by a decrease in the level of our business activity as a result of a downturn in our primary market or by one or more adverse regulatory actions against us. Any substantial, unexpected, and/or prolonged change in the level or cost of liquidity could impair our ability to fund operations and meet our obligations as they become due and could have an adverse effect on our business, financial condition, and results of operations. Although we have historically been able to replace maturing deposits and advances if desired, we may not be able to replace such funds in the future if our financial condition, the financial condition of the FHLB, or market conditions change. FHLB borrowings and other current sources of liquidity may not be available or, if available, may not be sufficient to provide adequate funding for operations and to support our continued growth. The unavailability of sufficient funding could have an adverse effect on our business, financial condition, and results of operations.