NYSE: CBU

As of December 31, 2024, the Bank operates 185 full-service branches and 11 drive-thru only locations throughout 42 counties of Upstate New York, six counties of Northeastern Pennsylvania, 12 counties of Vermont, and one county of Western Massachusetts, offering a range of commercial and retail banking services. The Bank owns the following operating subsidiaries: The Carta Group, Inc. (“Carta Group”), CBNA Preferred Funding Corporation (“PFC”), CBNA Treasury Management Corporation (“TMC”), Community Investment Services, Inc. (“CISI”), Nottingham Advisors, Inc. (“Nottingham”), OneGroup NY, Inc. (“OneGroup”), OneGroup Wealth Partners, Inc. (“Wealth Partners”) and Oneida Preferred Funding II LLC (“OPFC II”). OneGroup is a full-service insurance agency offering personal and commercial lines of insurance and other risk management products and services. PFC and OPFC II primarily act as investors in residential and commercial real estate activities. TMC provides cash management, investment, and treasury services to the Bank. CISI, Carta Group and Wealth Partners provide broker-dealer and investment advisory services. Nottingham provides asset management services to individuals, corporations, corporate pension and profit sharing plans, and foundations.

The Company maintains a website at cbna.com. Annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, and amendments to those reports, are available on the Company’s website free of charge as soon as reasonably practicable after such reports or amendments are electronically filed with or furnished to the Securities and Exchange Commission (“SEC”). The information posted on the website is not incorporated into or a part of this filing. Copies of all documents filed with the SEC can also be obtained by visiting the SEC’s Public Reference Room at 100 F Street, NE, Washington, DC 20549, by calling the SEC at 1-800-SEC-0330 or by accessing the SEC’s website at https://www.sec.gov.

Acquisition History (2022-2024)

2024 – Insurance Agencies

During 2024, the Company, through its subsidiary OneGroup, completed acquisitions of three insurance agencies headquartered in New York and two insurance agencies headquartered in Florida. Total aggregate consideration for these acquisitions was $10.3 million, including $9.6 million in cash and contingent consideration with an estimated fair value of $0.7 million at acquisition date. Net assets acquired were $6.4 million, including $6.8 million of customer list intangible assets and the Company recorded goodwill of $3.9 million.

​

3

Table of Contents

2024 – Creative Plan Designs Limited

On February 1, 2024, the Company, through its subsidiary BPA, completed the acquisition of certain assets of Creative Plan Designs Limited (“CPD”), a financial services company that provides employee benefit plan design, administration and consulting services. Total consideration was $5.9 million in cash plus contingent consideration with an estimated fair value of $3.0 million at acquisition date. Net assets acquired were $4.5 million, including $5.5 million of customer list intangible assets, and the Company recorded $4.4 million of goodwill in conjunction with the acquisition.

2023 – Axiom Realty Group

On March 1, 2023, the Company, through its subsidiary CBNA, completed the acquisition of certain assets of Axiom Realty Group, which includes Axiom Capital Corp., Axiom Realty Management, LLC and Axiom Realty Advisors, LLC (collectively referred to as “Axiom”), a commercial real estate finance and advisory firm, for $1.8 million in cash. The Company recorded a $1.2 million customer list intangible and recognized $0.6 million of goodwill in conjunction with the acquisition.

​

2023 – Financial Services Companies

During 2023, the Company, through its subsidiaries OneGroup, Wealth Partners and BPAS, completed the acquisition of certain assets of financial services companies. The acquired companies provide insurance, wealth management and benefit plan recordkeeping services and are headquartered in New York, Pennsylvania and Florida. Total aggregate consideration for these acquisitions was $8.2 million, including $6.8 million in cash and $1.4 million in contingent consideration arrangements. Aggregate assets acquired were $5.2 million, including $5.0 million of customer list intangible assets, and the Company recorded goodwill of $3.0 million.

2022 – Elmira Savings Bank

On May 13, 2022, the Company completed its merger with Elmira Savings Bank (“Elmira”), a New York State chartered savings bank headquartered in Elmira, New York, for $82.2 million in cash. The merger enhanced the Company’s presence in five counties in New York’s Southern Tier and Finger Lakes regions. In connection with the merger, the Company added eight full-service offices to its branch service network and acquired approximately $583.6 million of identifiable assets, including $436.8 million of loans, $11.3 million of investment securities and $8.0 million of core deposit intangibles, as well as $522.3 million of deposits. Goodwill of $42.1 million was recognized as a result of the merger.

2022 – Financial Services Companies

During 2022, the Company, through its subsidiary OneGroup, completed acquisitions of certain assets of insurance agencies for an aggregate amount of $3.5 million in cash. The Company recorded a $2.9 million customer list intangible asset and a $0.1 million intangible asset for a noncompete agreement and recognized $0.5 million of goodwill in conjunction with the acquisitions.

Services

Banking

The Bank is a community bank committed to the philosophy of serving the financial needs of customers in local communities. The Bank’s branches are generally located in smaller towns and cities within its geographic market areas of Upstate New York, Northeastern Pennsylvania, Vermont and Western Massachusetts. The Bank is in the process of expanding its branch presence in new, more densely populated markets within its geographic footprint including the Albany, Buffalo, Rochester and Syracuse regions of New York, the Lehigh Valley region of Pennsylvania and Springfield, Massachusetts. The expansion will also include the Bank’s first physical branch in Southern New Hampshire. The Company believes that the local character of its business, knowledge of the customers and their needs, and its comprehensive retail and business products, together with responsive decision-making at the branch and regional levels and its digital banking service offerings, enable the Bank to compete effectively in its geographic market. The Bank is a member of the Federal Reserve System, the Federal Home Loan Bank of New York and the Federal Home Loan Bank of Boston (as a non-member bank) (collectively, referred to as “FHLB”), and its deposits are insured by the Federal Deposit Insurance Corporation (“FDIC”) up to applicable limits.

4

Table of Contents

Employee Benefit Services

Through BPAS and its subsidiaries, the Company operates a national practice that provides employee benefit trust, collective investment fund, retirement plan and health savings account administration, fund administration, transfer agency, actuarial, and health and welfare consulting services to a diverse array of clients spanning the United States and the Commonwealth of Puerto Rico.

Insurance Services

Through OneGroup, the Company offers personal and commercial lines of insurance and other risk management products and services. In addition, OneGroup offers employee benefit related services. OneGroup represents many leading and specialty insurance companies.

Wealth Management Services

Through the Bank’s Nottingham Trust division, CISI, Carta Group, Nottingham, and Wealth Partners, the Company provides wealth management, retirement planning, higher educational planning, fiduciary, risk management, trust services and personal financial planning services. The Company offers a range of investment products including stocks, bonds, exchange-traded funds, mutual funds, insurance and advisory products.

Segment Information

The Company has identified four reportable operating business segments: Banking and Corporate, Employee Benefit Services, Insurance Services and Wealth Management Services. Information about the Company’s reportable business segments is included in Note T of the “Notes to Consolidated Financial Statements” filed herewith in Part II.

Competition

The banking and financial services industry is highly competitive in the New York, Pennsylvania, Vermont, Massachusetts and New Hampshire markets. The Company competes actively for loans, deposits, and financial services relationships with other national and state banks, thrift institutions, credit unions, retail brokerage firms, mortgage bankers, finance companies, including, financial technology companies, insurance agencies, and other regulated and unregulated providers of financial services. In order to compete with other financial service providers, the Company stresses the community nature of its operations and the development of profitable customer relationships across all lines of business.

The Company’s employee benefits, trust and plan administration business competes on a national scale and provides geographic diversification for the Company. Certain lines of business are marketed primarily through unaffiliated financial advisors, while others are marketed directly to plan sponsors and fund companies. In order to compete with large national firms, the Company stresses its consultative approach to complex engagements.

The Company has established the Community Connect program, which is a joint initiative between the four operating business segments to facilitate cross-selling opportunities and connections with commercial clients between the functional areas of the business. The program intends to provide customers with interconnected solutions and enhance customer retention.

5

Table of Contents

Human Capital Resources

The Company’s employees are asked to embody the core values of integrity, excellence, teamwork and humility. These values are what makes the Company’s culture strong. As of December 31, 2024, the Company had 2,918 total employees, which included 2,730 full-time employees and 188 part-time and temporary employees. Of the Company’s 2,918 employees, 2,079 are in the Banking and Corporate segment (1,913 full-time employees and 166 part-time and temporary employees), 459 employees are in the Employee Benefit Services segment (448 full-time employees and 11 part-time and temporary employees), 267 are in the Insurance Services segment (256 full-time employees and 11 part-time and temporary employees), and 113 employees are in the Wealth Management Services segment (all are full-time employees). The Company’s employee base is concentrated in New York, Pennsylvania and New England where the Bank maintains its retail bank branch presence, with approximately 2,115 employees in New York, 279 in Pennsylvania, and 309 in Vermont, Massachusetts and New Hampshire. Approximately 215 of the Company’s employee base is located outside of its retail banking footprint.

The Company considers its relationship with its employees to be strong. None of the Company’s employees are represented by a labor union or are represented by a collective bargaining agreement.

Oversight

The Board of Directors (the “Board”) has ultimate responsibility for the strategy of the Company. The Board’s Compensation Committee is responsible for the oversight of executive compensation, company culture, diversity, and employee engagement. The Company proactively identifies potential human capital related risks, such as succession planning, labor market shortage, increased labor costs, and employee retention strategies to mitigate those risks. Strong human capital management is viewed as integral to the Company’s business strategy.

Compensation and Benefits

​

The success and growth of the Company’s business is largely dependent on its ability to attract, develop, and retain a population of skilled and high-performing employees with varied backgrounds and skill sets at all levels of the organization. Accordingly, the Company’s compensation philosophy includes elements that reinforce the Company’s core values, reward employees for their achievements and maximize continued performance with long-term retention. The Company employs benchmarking measures to ensure employees are paid fairly based on their job and performance. The Company conducts workforce planning sessions periodically across all business areas to ensure market competitive pay for employees and actions to support commitment to the professional development of employees.

​

Growth and Development

The Company continues to broaden the scope of its talent development initiatives across its widening geographically diverse footprint in order to sustain a value-driven and growth-oriented environment where employees can perform at their peak and the next generation of leaders are prepared to lead. The Company offers a wide range of learning and development programs, both internally and externally, that support a broad scope of the Company’s talent development initiatives making continuous learning a part of each employee’s relationship with the Company in a growth-oriented environment. In addition to learning and development programs, in 2024 the Company continued its performance management review process to provide enhanced tools and encourage ongoing and more frequent feedback. These dialogues are intended to achieve higher performance, engagement and commitment, improving outcomes and productivity.

Culture and Attracting a Talented Workforce

The Company is committed to fostering an inclusive environment where there is a sense of purpose, belonging, and work ownership driven by the Company’s core values and service to customers. The Company aspires to empower its workforce to achieve their full potential and enable the development of job-related skills and personal growth in a culture that prioritizes employees’ wellbeing and fosters inclusivity. Employees feel safe to share ideas, receive support, and take risks without the fear of judgment or retaliation. In 2023, the Company introduced the Culture & Diversity Strategic Pillars and initiatives. These strategic pillars support the Company’s commitment to knowing, respecting, and leveraging each person’s unique talents, which in turn drives impact within the organization.

6

Table of Contents

The goal of the Company’s recruitment efforts is to provide fair opportunity to all and to build a positive reputation internally and externally. To that end, leaders across the businesses and the Company’s human resource professionals have increased shared responsibility in recruitment and selection processes. In 2024, the Company continued to engage in partnership opportunities and provided resources in support of employment opportunities for Military and Veteran Military families. The Company also continued its partnership with organizations that expanded its sourcing efforts and helped to identify a more diverse slate of candidates for employment.

Engagement

The Company is committed to creating a top-tier workplace filled with highly satisfied and engaged employees. The Company believes that open and honest communication among employees, managers and executive leadership fosters an open and collaborative work environment where everyone can participate, develop, and thrive. In 2021, the Company launched the first company-wide employee engagement survey called “MyVoice”, in partnership with a global analytics and advisory firm. The Company continues to conduct a survey annually to maintain a feedback loop with employees. In 2023, the Company selected Engagement Champions whose role is to support leaders and managers in the ongoing engagement efforts and initiatives. In 2024, the CEO instituted a CFSI company-wide employee townhall to enhance communication and transparency relative to the Company’s strategy and priorities. The townhall included a Q&A segment where the CEO answered questions on a variety of topics. The intent is to conduct these townhalls twice a year.

Health and Safety

The health and safety of the Company’s employees is of utmost importance. The Company is committed to providing tools and resources to support employees’ overall health and wellbeing. This includes offering a variety of health and welfare benefits as well as a holistic wellbeing program.

Supervision and Regulation

General

The banking industry is highly regulated with numerous statutory and regulatory requirements that are designed primarily for the protection of depositors and the financial system. Set forth below is a description of the material laws and regulations applicable to the Company and the Bank. This summary is not complete and the reader should refer to these laws and regulations for more detailed information. The Company’s and its subsidiaries’ failure to comply with applicable laws and regulations could result in a range of sanctions and administrative actions imposed upon the Company and/or its subsidiaries, including restrictions on merger and acquisition activity, the imposition of civil money penalties, formal agreements and cease and desist orders. New laws and regulations, more complex regulations, and changes in regulators’ interpretations and application of existing laws and regulations cannot be predicted and may have a material adverse effect on the Company’s businesses and results.

The Company and its subsidiaries are subject to the laws and regulations of the federal government and, where applicable, the states and jurisdictions in which they conduct business. The Company, as a financial holding company, is subject to extensive regulation and supervision by the Board of Governors of the Federal Reserve System (“FRB”) as its primary federal regulator. The Bank is a nationally-chartered bank and is subject to extensive regulation and supervision by the Office of the Comptroller of the Currency (“OCC”) as its primary federal regulator, and as to certain matters, the FRB, the Consumer Financial Protection Bureau (“CFPB”), and the FDIC. The Company expects the Trump administration will seek to implement a regulatory reform agenda that is significantly different from that of the Biden administration, impacting the rulemaking, supervision, examination and enforcement priorities of the federal banking agencies.

7

Table of Contents

The Company is also subject to the jurisdiction of the SEC and is subject to disclosure and regulatory requirements under the Securities Act of 1933, as amended, and the Securities Exchange Act of 1934, as amended. The Company’s common stock is listed on the New York Stock Exchange (“NYSE”) and it is subject to NYSE’s rules for listed companies. Affiliated entities, including BPAS, BPA, NRS, GTC, HB&T, HSI, BPAS Trust Company of Puerto Rico, FBD, Nottingham, CISI, OneGroup, Carta Group, and Wealth Partners are subject to the jurisdiction of certain state and federal regulators and self-regulatory organizations including, but not limited to, the SEC, the Texas Department of Banking, the State of Maine Bureau of Financial Institutions, the Financial Industry Regulatory Authority (“FINRA”), Puerto Rico Office of the Commissioner of Financial Institutions, the U.S. Department of Labor, and state securities and insurance regulators.

Federal Bank Holding Company Regulation

As the Company is classified as a financial holding company, the Company can affiliate with securities firms and insurance companies and engage in other activities that are “financial in nature” or “incidental” or “complementary” to activities that are financial in nature, as long as it continues to meet the eligibility requirements for financial holding companies (including requirements that the financial holding company and its depository institution subsidiary maintain their status as “well capitalized” and “well managed”).

Generally, FRB approval is not required for the Company to acquire a company (other than a bank holding company, bank or savings association) engaged in activities that are financial in nature or incidental to activities that are financial in nature, as determined by the FRB. Prior notice to the FRB may be required, however, if the company to be acquired has total consolidated assets of $10 billion or more. Prior FRB approval is required before the Company may acquire the beneficial ownership or control of more than 5% of the voting shares or substantially all of the assets of a bank holding company, bank or savings association.

As the Company is a financial holding company, if the Bank were to not maintain a Satisfactory or better rating under the Community Reinvestment Act of 1977, as amended (“CRA”), the Company would be prohibited, until the rating is raised to Satisfactory or better, from engaging in new activities or acquiring companies other than bank holding companies, banks or savings associations, except that the Company could engage in new activities, or acquire companies engaged in activities, that are considered “closely related to banking” under the Bank Holding Company Act of 1956, (the “BHC Act”). The Bank’s most recent CRA rating was “Satisfactory”. In addition, if the FRB determines that the Company or the Bank is not well capitalized or well managed, the Company would be required to enter into an agreement with the FRB to comply with all applicable capital and management requirements and may contain additional limitations or conditions. Until corrected, the Company could be prohibited from engaging in any new activity or acquiring companies engaged in activities that are not closely related to banking, absent prior FRB approval.

Federal Reserve System Regulation

As the Company is a financial holding company, it is subject to regulatory capital requirements. The Bank is under similar capital requirements administered by the OCC as discussed below. FRB policy has historically required a financial holding company to act as a source of financial and managerial strength to its subsidiary banks. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”) codifies this historical policy as a statutory requirement. To the extent the Bank is in need of regulatory capital, the Company would be expected to provide additional capital, including borrowings from the FRB for such purpose. Both the Company and the Bank are subject to extensive supervision and regulation, which focus on, among other things, the protection of depositors’ funds.

The FRB also regulates the national supply of bank credit in order to influence general economic conditions. These policies have a significant influence on overall growth and distribution of loans, investments and deposits, and affect the interest rates charged on loans or paid for deposits.

Fluctuations in interest rates, which may result from government fiscal policies and the monetary policies of the FRB, have a strong impact on the income derived from loans and securities, and interest paid on deposits and borrowings. While the Company and the Bank strive to model various interest rate changes and adjust its strategies for such changes, the level of earnings can be materially affected by economic circumstances beyond its control.

8

Table of Contents

The Office of the Comptroller of the Currency Regulation (“OCC”)

The Bank is supervised by the OCC. OCC supervision consists of multiple examinations of the Bank’s activities over the course of its annual supervisory cycle. The various laws and regulations administered by the OCC affect the Company’s practices such as payment of dividends, incurring debt, and acquisition of financial institutions and other companies. It also affects the Bank’s business practices, such as payment of interest on deposits, the charging of interest on loans, types of business conducted and the location of its offices. The OCC generally prohibits a depository institution from making any capital distributions, including the payment of a dividend, or paying any management fee to its parent holding company if the depository institution would become undercapitalized due to the payment. Undercapitalized institutions are subject to growth limitations and are required to submit a capital restoration plan to the OCC. The OCC may take enforcement actions for a variety of supervisory concerns, including violations of laws, rules or regulations and unsafe and unsound practices. As a result, the OCC could also establish individual minimum capital ratios (“IMCR”) for the Bank that are higher than the regulatory minimums. This would impair the Bank’s ability to pay dividends to the Company. The Bank is well capitalized under regulatory standards administered by the OCC. For additional information on the Company’s capital requirements see “Management’s Discussion and Analysis of Financial Condition and Results of Operations – Shareholders’ Equity and Regulatory Capital” and Note O to the Financial Statements.

Federal Home Loan Bank (“FHLB”)

The Bank is a member of the FHLB, which provides a central credit facility primarily for member institutions for home mortgage and neighborhood lending. The Bank is subject to certain rules and requirements as a member institution of the FHLB, including the purchase of shares of FHLB activity-based stock in the amount of 4.5% of the dollar amount of outstanding advances and FHLB capital stock in an amount equal to the greater of $1,000 or the sum of 0.15% of the mortgage-related assets held by the Bank based upon the previous year-end financial information. The Bank was in compliance with the rules and requirements of the FHLB at December 31, 2024.

Deposit Insurance

Deposits of the Bank are insured up to the applicable limits by the Deposit Insurance Fund (“DIF”) and are subject to deposit insurance assessments to maintain the DIF. The Dodd-Frank Act permanently increased the maximum amount of deposit insurance to $250,000 per deposit category, per depositor, per institution. A depository institution’s DIF assessment is calculated by multiplying its assessment rate by the assessment base, which is defined as the average consolidated total assets less the average tangible equity of the depository institution. The Bank’s deposit insurance assessment is based on a large institution classification. For large insured depository institutions, generally defined as those with at least $10 billion in total assets, the FDIC uses capital and supervisory ratings (“CAMELS”) and financial measures from two scorecards to calculate assessment rates. Each scorecard has two components - a performance score and loss severity score, which are combined and converted to an initial assessment rate. The FDIC has the ability to adjust a large or highly complex insured depository institution’s total score by a maximum of 15 points, up or down, based upon significant risk factors that are not captured by the scorecard. Under the assessment rate schedule effective for 2024, the initial base assessment rate for large and highly complex insured depository institutions ranges from five to 32 basis points, and the total base assessment rate, after applying the unsecured debt and brokered deposit adjustments, ranges from two and one-half to 42 basis points. The Bank’s FDIC insurance for 2024 was based on assessment rates ranging between five and seven basis points compared to assessment rates ranging between five and six basis points for 2023.

On November 16, 2023, the FDIC issued a final rule to implement a special assessment to recover the loss to the DIF associated with protecting uninsured depositors following the closures of certain banks in the first quarter of 2023. As of December 31, 2024, the special assessment is anticipated to be collected over ten quarterly assessment periods that began in 2024 at an annual rate of approximately 13.4 basis points of uninsured deposits that exceeded $5 billion as of December 31, 2022 for the first eight quarterly assessment periods, and an annual rate of approximately 6.8 basis points of uninsured deposits that exceeded $5 billion as of December 31, 2022 for the last two quarterly assessment periods. As the estimated loss to the DIF will be periodically adjusted the FDIC could cease collection early, if the FDIC has collected enough to recover actual or estimated losses, extend the special assessment collection period one or more quarters beyond the initial collection period, if actual or estimated losses exceed the amounts collected, and impose a final shortfall special assessment on a one-time basis after certain receiverships terminate, if actual losses exceed the amounts collected. The Company recorded a $0.2 million and a $1.5 million expense accrual associated with this special assessment in 2024 and 2023, respectively. Excluding the expense accruals associated with the special assessment, FDIC insurance expense in 2024 totaled $8.9 million, compared to $8.0 million in 2023 and $5.5 million in 2022.

9

Table of Contents

Under the Federal Deposit Insurance Act (“FDIA”), if the FDIC finds that an institution has engaged in unsafe and unsound practices, is in an unsafe or unsound condition to continue operations, or has violated any applicable law, regulation, rule, order or condition imposed by the FDIC, the FDIC may determine that such violation or unsafe or unsound practice or condition require the termination of deposit insurance.

The FDIA requires federal bank regulatory agencies to prescribe, by regulation or guideline, operational and managerial standards for all insured depository institutions that relate to, among other things: (i) internal controls, information systems and audit systems; (ii) loan documentation; (iii) credit underwriting; (iv) interest rate exposure; (v) asset growth and quality; and (vi) compensation and benefits. Federal banking agencies have adopted regulations and Interagency Guidelines Prescribing Standards for Safety and Soundness to implement these requirements, which regulators use to identify and address problems at insured depository institutions before capital becomes impaired. If a regulator determines that a bank fails to meet any standards prescribed by the guidelines, the bank may be required to submit an acceptable plan to achieve compliance and agree to specific deadlines for the submission to and review by the regulator of reports confirming progress in implementing the safety and soundness compliance plan. Failure to implement such a plan may result in an enforcement action against the bank.

Enforcement actions against the Company, the Bank and their respective officers and directors may include the issuance of a written directive, the issuance of a cease-and-desist order that can be judicially enforced, the imposition of civil money penalties, the issuance of directives to increase capital, the issuance of formal and informal agreements, the issuance of removal and prohibition orders against officers or other institution-affiliated parties, the imposition of restrictions and sanctions under prompt corrective action regulations, the termination of deposit insurance (in the case of the Bank) and the appointment of a conservator or receiver for the Bank. Civil money penalties can be over $2 million for each day a violation continues.

Transactions with Affiliates and Insiders

The Bank is subject to Section 23A of the Federal Reserve Act, as amended (the "FRA") which places limits on, among other covered transactions, the amount of loans or extensions of credit to affiliates that may be made by the Bank. Extensions of credit to affiliates must be adequately collateralized by specified amounts and types of collateral. Section 23A also limits the amount of loans or advances made by the Bank to third party borrowers that are collateralized by securities or obligations of the Bank's affiliates. The Bank is also subject to Section 23B of the FRA, which, among other things, prohibits an institution from engaging in transactions with affiliates unless the transactions are on terms substantially the same, or at least as favorable to such institution or its subsidiaries, as those prevailing at the time for comparable transactions with non-affiliates.

The Company is subject to restrictions on extensions of credit to insiders (namely executive officers, directors, and 10% stockholders) and their related interests. These restrictions are contained in the FRA and Federal Reserve Regulation O and apply to all insured depository institutions as well as their subsidiaries and holding companies. These restrictions include limits on loans to any individual insider and such insider's related interests and certain conditions that must be met before such loans can be made. There is also an aggregate limitation on all loans to insiders and their related interests, which cannot exceed the institution's total unimpaired capital and surplus, unless the FDIC determines that a lesser amount is appropriate. Insiders are subject to enforcement actions for knowingly accepting loans in violation of applicable restrictions.

Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010

On July 21, 2010, the Dodd-Frank Act was signed into law, which resulted in significant changes to the banking industry. The Dodd-Frank Act contains numerous provisions that affect all banks and bank holding companies and impacts how the Company and the Bank handle their operations. The Dodd-Frank Act requires various federal agencies, including those that regulate the Company and the Bank, to promulgate rules and regulations and to conduct various studies and reports for Congress. The federal agencies have either completed or are in the process of completing these rules and regulations and have been given significant discretion in drafting such rules and regulations. Several of the provisions of the Dodd-Frank Act have the consequence of increasing the Bank’s expenses, decreasing its revenues, and changing the activities in which it chooses to engage. The specific impact of the Dodd-Frank Act on the Company’s current activities or new financial activities the Company may consider in the future, the Company’s financial performance, and the markets in which the Company operates depends on the manner in which the relevant agencies continue to develop and implement the required rules and regulations and the reaction of market participants to these regulatory developments.

10

Table of Contents

Pursuant to FRB regulations mandated by the Dodd-Frank Act, interchange fees on debit card transactions are limited to a maximum of $0.21 per transaction plus 5 basis points of the transaction amount. A debit card issuer may recover an additional one cent per transaction for fraud prevention purposes if the issuer complies with certain fraud-related requirements prescribed by the FRB. The FRB also adopted requirements in the final rule that issuers include two unaffiliated networks for routing debit transactions that are applicable to the Company and the Bank. On October 25, 2023, the FRB proposed to lower the maximum interchange fee that a large debit card issuer can receive for a debit card transaction. The proposal would also establish a regular process for updating the maximum amount every other year going forward. The Company continues to monitor the development of these proposed rule revisions.

The Dodd-Frank Act established the CFPB and empowered it to exercise broad rulemaking, supervision, and enforcement authority for a wide range of consumer protection laws. Because the Bank’s total consolidated assets exceed $10 billion, the Bank is subject to the direct supervision of the CFPB. The CFPB has issued numerous regulations and amendments under which the Company and the Bank may continue to incur additional expense in connection with its ongoing compliance obligations. Significant recent CFPB developments that may affect operations and compliance costs include:

●continued focus on fair lending, including promoting racial and economic equity for underserved, vulnerable and marginalized communities;

●focused efforts on enforcing certain compliance obligations the CFPB deems a priority, such as automobile loan servicing, debt collection, deposit, overdraft and other services fees, mortgage origination and servicing, and remittances, among others; and

●rulemaking plans concerning, among others, overdrafts, consumers’ access to their financial information and requirements for financial institutions to collect, and publicly report, certain demographic information concerning some business credit applicants, loan approvals, and denials.

​

The CFPB has broad powers to supervise and enforce consumer protection laws, including laws that apply to banks in order to prohibit unfair, deceptive or abusive acts or practices (“UDAAP”). The Dodd-Frank Act also clarified the federal preemption rules that are applicable to national banks and gives state attorney generals for the states certain powers to enforce federal consumer protection laws. A violation of the consumer protection and privacy laws, and in particular UDAAP, could have serious legal, financial, and reputational consequences.

​

The CFPB, FRB, and OCC are also authorized to collect fines and provide consumer restitution in the event of violations, engage in consumer financial education, track consumer complaints, request data and promote the availability of financial services to underserved consumers and communities. The CFPB is authorized to pursue administrative proceedings or litigation for violations of federal consumer financial laws. In these proceedings, the CFPB can obtain cease and desist orders (which can include orders for restitution or rescission of contracts, as well as other kinds of affirmative relief) and monetary penalties.

The final rules issued by the FRB, SEC, OCC, FDIC, and Commodity Futures Trading Commission implementing Section 619 of the Dodd-Frank Act (commonly known as the Volcker Rule) prohibit insured depository institutions and companies affiliated with insured depository institutions from (1) engaging in short-term proprietary trading of certain securities, derivatives, commodity futures and options on these instruments, for their own account and (2) sponsoring certain covered funds, subject to certain limited exceptions. The final rules of the Volcker Rule are not material to the Company’s investing and trading activities.

The Dodd-Frank Act requires U.S. financial regulators, including the FRB and the SEC, to adopt rules on incentive-based payment arrangements at specified regulated entities having at least $1 billion in total assets. In 2016, the federal banking regulators, the SEC, the Federal Housing Finance Agency and the National Credit Union Administration proposed revised rules on incentive-based compensation practices, which have not yet been finalized. If these or other regulations are adopted in a form similar to what has been proposed, they will impose limitations on the manner in which the Company may structure compensation for its employees, which could adversely affect the Company’s ability to hire, retain and motivate key employees.

11

Table of Contents

The ongoing effects of the Dodd-Frank Act, as well as the recent and possible future changes to the regulatory framework as a result of the Economic Growth Act and future proposals make it difficult to assess the overall financial impact of the Dodd-Frank Act and related regulatory developments on the Company and the banking industry. As a result, the Company cannot predict the ultimate impact of the Dodd-Frank Act on the Company or the Bank, including the extent to which it could increase costs or limit the Company’s ability to pursue business opportunities in an efficient manner, or otherwise adversely affect its business, financial condition and results of operations. Nor can the Company predict the impact or substance of other future legislation or regulation. However, it is expected that future legislation or regulation at a minimum will increase the Company’s and the Bank’s operating and compliance costs. As rules and regulations continue to be implemented or issued, the Company may need to dedicate additional resources to ensure compliance, which may increase its costs of operations and adversely impact the Company’s earnings.

Capital Requirements

The Company and the Bank are required to comply with applicable capital adequacy standards established by the federal banking agencies (the “Capital Rules”) which are based on the Basel Committee on Banking Supervision’s (the “Basel Committee”) 2010 final capital framework for strengthening international capital standards, referred to as “Basel III”.

The Capital Rules, among other things, impose a capital measure called “Common Equity Tier 1,” (“CET1”) to which most deductions/adjustments to regulatory capital measures are to be made. In addition, the Capital Rules specify that Tier 1 capital consists of CET1 and “Additional Tier 1 capital” instruments meeting certain specified requirements.

Under the Capital Rules, the minimum capital ratios are as follows:

●4.5% CET1 to total risk-weighted assets;

●6.0% Tier 1 capital (CET1 plus Additional Tier 1 capital) to total risk-weighted assets;

●8.0% Total capital (Tier 1 Capital plus Tier 2 capital) to total risk-weighted assets;

●4.0% Tier 1 capital to total adjusted quarterly average assets (known as “leverage ratio”)

​

The Capital Rules require the Company and the Bank to maintain a “capital conservation buffer” composed entirely of CET1. Banking organizations are required to maintain a minimum capital conservation buffer of 2.5% (CET1 to total risk-weighted assets), in addition to the minimum risk-based capital ratios. Therefore, to satisfy both the minimum risk-based capital ratios and the capital conservation buffer, a banking organization is required to maintain the following: (i) CET1 to total risk-weighted assets of at least 7%, (ii) Tier 1 capital to total risk-weighted assets of at least 8.5%, and (iii) Total capital (Tier 1 capital plus Tier 2 capital) to total risk-weighted assets of at least 10.5%. The capital conservation buffer is designed to absorb losses during periods of economic stress. Banking institutions that do not maintain a capital conservation buffer of 2.5% or more will face constraints on dividends, common share repurchases and incentive compensation based on the amount of the shortfall.

The Capital Rules provide for a number of deductions from and adjustments to CET1. These include, for example, the requirement that mortgage servicing rights, deferred tax assets dependent upon future taxable income and significant investments in non-consolidated financial entities be deducted from CET1 to the extent that any one such category exceeds 10% of CET1 or all such categories in the aggregate exceed 15% of CET1. Under the Capital Rules, the effects of certain accumulated other comprehensive income or loss items are not excluded for the purposes of determining regulatory capital; however, banks not using the advanced approach, including the Company and the Bank, were permitted to, and in the case of the Company and the Bank did, make a one-time permanent election to continue to exclude these items.

With respect to the Bank, the Capital Rules also revised the prompt corrective action (“PCA”) regulations established pursuant to Section 38 of the Federal Deposit Insurance Act, establishing the CET1 ratio at 6.5% for well-capitalized status and the Tier 1 capital ratio at 8.0% for well-capitalized status. The Capital Rules do not change the total risk-based PCA capital requirement for any capital category.

12

Table of Contents

The Capital Rules prescribe a standardized approach for risk weighted-assets that expands the risk-weight categories from the four Basel I-derived categories (0%, 20%, 50% and 100%) to a larger and more risk-sensitive number of categories, depending on the nature of the asset. The risk-weight categories generally range from 0% for U.S. government and agency securities, to 1,250% for certain securitized exposures, and result in higher risk weights for a variety of asset categories. The standardized approach requires financial institutions to transition assets that are 90 days or more past due or on nonaccrual from their original risk weight to 150 percent. Additionally, loans designated as high volatility commercial real estate (“HVCRE”) are assigned a risk-weighting of 150 percent.

Requirements to maintain higher levels of capital or to maintain higher levels of liquid assets could adversely impact the Company’s net income and return on equity. The current requirements and the Company’s actual capital levels are detailed in Note O of “Notes to Consolidated Financial Statements” filed in Part II, Item 8, “Financial Statements and Supplementary Data.”

Consumer Protection Laws

In connection with its banking activities, the Bank is subject to a number of federal and state laws designed to protect consumers and promote lending to various sectors of the economy. These laws include but are not limited to the Equal Credit Opportunity Act, the Gramm-Leach-Bliley Act (“GLB Act”), the Fair Credit Reporting Act (“FCRA”), the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”), the Electronic Funds Transfer Act, the Truth in Lending Act, the Home Mortgage Disclosure Act, the Dodd-Frank Act, the Real Estate Settlement Procedures Act, the Secure and Fair Enforcement for Mortgage Licensing Act (“SAFE”), the Servicemembers Civil Relief Act (“SCRA”), the Military Lending Act (“MLA”), and various state law counterparts. These laws and regulations mandate certain disclosure requirements and regulate the manner in which financial institutions must interact with clients when taking deposits, making loans, collecting and servicing loans and providing other services. The Company is subject to regulation by the CFPB, which is responsible for promoting fairness and transparency for mortgages, credit cards, deposit accounts and other consumer financial products and services and for interpreting and enforcing the federal consumer financial laws that govern the provision of such products and services. The CFPB is also authorized to prevent any institution under its authority from engaging in an unfair, deceptive, or abusive act or practice in connection with consumer financial products and services.

The GLB Act requires all financial institutions to adopt privacy policies, restrict the sharing of nonpublic customer data with nonaffiliated parties and establish procedures and practices to protect customer data from unauthorized access. The GLB Act also requires certain disclosures to consumers about information collection, sharing, and security practices and their right to “opt out” of the institution’s disclosure of their personal financial information to non-affiliated third-parties (with certain exceptions). In addition, the FCRA, as amended by the FACT Act, includes provisions affecting the Company, the Bank, and their affiliates, including provisions concerning obtaining consumer reports, furnishing information to consumer reporting agencies, maintaining a program to prevent identity theft, sharing of certain information among affiliated companies, and other provisions. The FACT Act requires persons subject to FCRA to notify their customers if they report negative information about them to a credit bureau or if they are granted credit on terms less favorable than those generally available. The FRB and the Federal Trade Commission have extensive rulemaking authority under the FACT Act, and the Company and the Bank are subject to the rules that have been created under the FACT Act, including rules regarding limitations on affiliate marketing and implementation of programs to identify, detect and mitigate certain identity theft red flags. The SCRA protects persons called to active military service and their dependents from undue hardship resulting from their military service, and the MLA extends specific protections if an accountholder, at the time of account opening, is a covered active duty member of the military or certain family members thereof. The SCRA applies to all debts incurred prior to the commencement of active duty and limits the amount of interest, including service and renewal charges and any other fees or charges (other than bona fide insurance) that are related to the obligation or liability. The MLA applies to certain consumer loans and extends specific protections if an accountholder, at the time of account opening, is a covered active duty member of the military or certain family members thereof. The Company and the Bank are also subject to data security standards and data breach notice requirements issued by various states, the OCC and other regulatory agencies. The Bank has created policies and procedures to comply with these consumer protection requirements.

13

Table of Contents

The CFPB has implemented the ability-to-repay and qualified mortgage (QM) provisions of the Truth in Lending Act (the “QM Rule”) and has taken steps to modify the QM Rule. The ability-to-repay provision requires creditors to make reasonable, good faith determinations that borrowers are able to repay their mortgages before extending credit based on a number of factors and consideration of financial information about the borrower derived from reasonably reliable third-party documents. Under the Dodd-Frank Act and the QM Rule, loans meeting the definition of “qualified mortgage” are entitled to a presumption that the lender satisfied the ability-to-repay requirements. The presumption is a conclusive presumption/safe harbor for loans meeting the QM requirements, and a rebuttable presumption for higher-priced loans meeting the QM requirements. The Bank has created policies and procedures to comply with these consumer protection requirements and continues to monitor developments relative to future changes to the QM Rule.

Among other provisions, the federal banking rule under the Electronic Fund Transfer Act prohibits financial institutions from charging consumers fees for paying overdrafts on automated teller machines and one-time debit card transactions, unless a consumer consents, or opts in, to the overdraft service for those types of transactions. The rule does not govern overdraft fees on the payment of checks and certain other forms of bill payments.

In May 2024, the SEC finalized amendments to require broker-dealers, investment companies and investment advisers registered with the SEC to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information. The amendments also require covered entities to notify, within 30 days, individuals affected by an incident involving sensitive customer information and provide them with details about the incident and other information intended to help affected individuals respond appropriately. Compliance with these amendments may begin on December 3, 2025.

In October 2024, the CFPB issued a rule aimed to enhance consumer control and competition in financial services requiring banks and payment providers to give consumers free access to certain financial data upon request. With consumer authorization, they must also share this data with third parties via secure interfaces to facilitate financial services. Required data includes transaction information, account balance, account and routing numbers, terms and conditions, upcoming bill information, and certain account verification data. The rule may take effect on April 1, 2027, however the compliance timeline is subject to change due to the outcome of pending litigation challenging the rule. While the impact of the rule will depend upon a number of factors, including consumer behavior and the actions of data providers and recipients, open banking initiatives like this final rule have the potential to change the competitive landscape, presenting challenges to the Company’s business model.

In December 2024, the CFPB amended the rules implementing the Truth in Lending Act. The new regulation expanded the application of the regulation to consumer transaction account overdrafts at financial institutions with over $10 billion in assets. Overdraft fees must align with actual costs or a $5 benchmark; otherwise, they qualify as covered credit, requiring clear disclosures of borrowing costs and interest rates. Covered overdraft credits must be in a separate credit account rather than as a negative checking balance. The rule may take effect on October 1, 2025.

The Bank Secrecy Act

The Bank Secrecy Act (“BSA”) requires all financial institutions, including banks and securities broker-dealers, to, among other things, establish a risk-based system of internal controls reasonably designed to prevent money laundering and the financing of terrorism. The BSA includes a variety of recordkeeping and reporting requirements (such as currency transaction and suspicious activity reporting), as well as due diligence/know-your-customer documentation requirements. The Company has established a BSA/anti-money laundering program and taken other appropriate measures in order to comply with BSA requirements.

Anti-Money Laundering Act of 2020

The Anti-Money Laundering Act of 2020 (“AMLA”) amends the BSA and was enacted in January 2021. The AMLA was intended to reform and modernize U.S. bank secrecy and anti-money laundering laws. The Company has and will continue to review and monitor its anti-money laundering program to ensure it complies with the provisions of the AMLA.

14

Table of Contents

In July 2024, the federal banking agencies, including the Federal Reserve and OCC, proposed amendments to update the requirements for supervised institutions to establish, implement and maintain effective, risk-based and reasonably designed AML and countering the financing of terrorism ("CFT") programs. The proposed amendments would require supervised institutions to identify, evaluate and document the regulated institution's money laundering, terrorist financing and other illicit finance activity risks, as well as consider, as appropriate, the U.S. Department of the Treasury's Financial Crimes Enforcement Network's ("FinCEN") published national AML/CFT priorities.

​

In August 2024, the Financial Crimes Enforcement Network (“FinCEN”), which drafts regulations implementing anti-money laundering legislation, adopted a rule extending anti-money laundering obligations, including maintenance of an anti-money laundering program and filing certain reports with FinCEN, to registered investment advisers, like certain of the Company’s subsidiaries. Compliance with these requirements may begin on January 1, 2026.

​

USA Patriot Act

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“USA Patriot Act”) imposes obligations on U.S. financial institutions, including banks and broker-dealer subsidiaries, to implement policies, procedures and controls which are reasonably designed to detect and report instances of money laundering and the financing of terrorism. In addition, provisions of the USA Patriot Act require the federal financial institution regulatory agencies to consider the effectiveness of a financial institution’s anti-money laundering activities when reviewing bank mergers and bank holding company acquisitions. The USA Patriot Act also encourages information-sharing among financial institutions, regulators, and law enforcement authorities by providing an exemption from the privacy provisions of the GLB Act for financial institutions that comply with the provision of the Act. Failure of a financial institution to maintain and implement adequate programs to combat money laundering and terrorist financing, or to comply with all of the relevant laws or regulations, could have serious legal, financial and reputational consequences for the institution. The Company has approved policies and procedures that are designed to comply with the USA Patriot Act and its regulations.

Office of Foreign Assets Control Regulation

The United States has imposed economic sanctions that affect transactions with designated foreign countries, nationals and others administrated by the Treasury’s Office of Foreign Assets Control (“OFAC”). The OFAC administered sanctions can take many different forms; however, they generally contain one or more of the following elements: (i) restrictions on trade with or investment in a sanctioned country, entity or individual, including prohibitions against direct or indirect imports and exports and prohibitions on “U.S. persons” engaging in financial transactions relating to making investments, or providing investment related advice or assistance; and (ii) a blocking of assets in which the government or specially designated nationals have an interest, by prohibiting transfers of property subject to U.S. jurisdiction (including property in the possession or control of U.S. persons). Blocked assets (e.g., property and bank deposits) cannot be paid out, withdrawn, set off or transferred in any manner without a license from OFAC. Failure to comply with these sanctions could have serious legal, financial, and reputational consequences. The Company has approved policies and procedures that are designed to comply with OFAC and its regulations.

Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley Act”) implemented a broad range of corporate governance, accounting and reporting reforms for companies that have securities registered under the Securities Exchange Act of 1934, as amended. In particular, the Sarbanes-Oxley Act established, among other things: (i) requirements for audit and other key Board of Directors committees involving independence, expertise levels, and specified responsibilities; (ii) responsibilities regarding the oversight of financial statements by the Chief Executive Officer and Chief Financial Officer of the reporting company; (iii) an independent accounting oversight board for the accounting industry; (iv) standards for auditors and the regulation of audits, including independence provisions which restrict non-audit services that accountants may provide to their audit clients; (v) increased disclosure and reporting obligations for the reporting company and its directors and executive officers including accelerated reporting of company stock transactions; (vi) a prohibition of personal loans to directors and officers, except certain loans made by insured financial institutions on non-preferential terms and in compliance with other bank regulator requirements; and (vii) a range of new and increased civil and criminal penalties for fraud and other violations of the securities laws. The Company has approved policies and procedures that are designed to comply with the Sarbanes-Oxley Act and its regulations.

15

Table of Contents

Community Reinvestment Act of 1977

Under the CRA, the Bank is required to help meet the credit needs of its communities, including low- and moderate-income neighborhoods. Although the Bank must follow the requirements of CRA, it does not limit the Bank’s discretion to develop products and services that are suitable for a particular community or establish lending requirements or programs. In addition, the Equal Credit Opportunity Act and the Fair Housing Act prohibits discrimination in lending practices. The Bank’s failure to comply with the provisions of the CRA could, at a minimum, result in regulatory restrictions on its activities and the activities of the Company. The Bank’s failure to comply with the Equal Credit Opportunity Act and the Fair Housing Act could result in enforcement actions against it by its regulators as well as other federal regulatory agencies and the Department of Justice. The Bank’s most recent CRA rating was “Satisfactory”.

On October 24, 2023, the FRB, FDIC and OCC jointly issued a final rule to strengthen and modernize regulations implementing the CRA to encourage banks to expand access to credit, investment, and banking services in low- and moderate-income communities, adapt to changes in the banking industry, including internet and mobile banking, provide greater clarity and consistency in the application of the CRA regulations and tailor CRA evaluations and data collection to bank size and type. Most of the rule’s requirements may begin January 1, 2026 while the remaining requirements, including the data reporting requirements, may be applicable on January 1, 2027. Whether the final rule will ultimately be implemented and any related compliance requirements remains uncertain.

Cyber Security

The federal bank regulators have adopted rules providing for new notification requirements for banking organizations and their service providers for significant cybersecurity incidents. Specifically, the new rules require a banking organization to notify its primary federal regulator as soon as possible, and no later than 36 hours after, the banking organization determines that a "computer-security incident" rising to the level of a "notification incident" has occurred. Notification is required for incidents that have materially affected or are reasonably likely to materially affect the viability of a banking organization's operations, its ability to deliver banking products and services, or the stability of the financial sector. Service providers are required under the rule to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect the banking organization's customers for four or more hours.

​

Guidance for Third-Party Relationships

On June 9, 2023, the Federal Reserve, OCC, and FDIC issued final interagency guidance on risk management of third-party relationships. The interagency guidance is based, in part, on the regulators’ previously existing third-party risk management guidance from 2013 and seeks to, among other things, promote consistency in third-party risk management and provide sound risk management guidance for third-party relationships commensurate with a bank's risk profile and complexity as well as the criticality of the activity. The final interagency guidance replaces each agency's existing guidance on this topic and is directed to all banking organizations supervised by the Federal Reserve, OCC, and FDIC. Additionally, third party relationship risk management and banking-as-a-service arrangements (including with respect to deposit products and services) have been topics of focus for federal bank regulators in 2024 and further rulemaking activity or guidance may be forthcoming.

​

Future Legislation and Regulation

Laws, regulations and policies are continually under review by Congress and state legislatures and federal and state regulatory agencies. In addition to the specific legislation and regulations described above, future legislation and regulations or changes to existing statutes, regulations or regulatory policies applicable to the Company and its subsidiaries may affect the business, financial condition and results of operations in adverse and unpredictable ways and increase reporting requirements and compliance costs. The substance or impact of pending or future legislation or regulation, or the application thereof, cannot be predicted.

​

16

Table of Contents

Information about Our Executive Officers

The executive officers of the Company and the Bank who are elected by the Board of Directors are as follows:

Name

Age

Position

Dimitar A. Karaivanov

​

43

​

Director, President and Chief Executive Officer. Mr. Karaivanov assumed his current position on January 1, 2024. He previously served as Executive Vice President and Chief Operating Officer from October 2022 to December 2023 and Executive Vice President of Financial Services and Corporate Development from June 2021 to September 2022. Prior to joining the Company, he was the Managing Director of Lazard Middle Market’s Financial Institutions Group from June 2018 through June 2021. Prior to Lazard, he was the Managing Director of RBC Capital Markets’ Financial Institutions Group from April 2011 through June 2018.

Joseph E. Sutaris

​

57

​

Executive Vice President and Chief Financial Officer. Mr. Sutaris assumed his current position in June 2018. He served as Senior Vice President, Finance and Accounting from November 2017 to June 2018, as the Bank’s Director of Municipal Banking from September 2016 to November 2017 and as the Senior Vice President of the Central Region of the Bank from April 2011 to September 2016. Mr. Sutaris joined the Company in April 2011 as part of the acquisition of Wilber National Bank where he served as the Executive Vice President, Chief Financial Officer, Treasurer and Secretary. On November 7, 2024, Mr. Sutaris notified the Company of his intention to retire, effective in or around the third quarter of 2025, as Executive Vice President and Chief Financial Officer of the Company and the Bank.

Maureen Gillan-Myer

​

57

​

Executive Vice President and Chief Administration and Human Resources Officer. Ms. Gillan-Myer assumed her current position in October 1, 2024. She joined the Company as Executive Vice President and Chief Human Resources Officer on October 1, 2021. Prior to joining the Company, she served as the Chief Human Resources Officer of HSBC US from February 2016 through September 2021 and as its Senior Vice President - Talent Acquisition from May 2009 through February 2016.

Michael N. Abdo

​

47

​

Executive Vice President and General Counsel. Mr. Abdo assumed his current position in July 2022. He served as Associate General Counsel from 2013 to 2020 and as Senior Vice President and Senior Associate General Counsel from January 2020 to July 2022. Prior to joining the Company in 2013, he was an associate with Cadwalader Wickersham & Taft.

Jeffrey M. Levy

​

63

​

Senior Vice President and Chief Banking Officer. Mr. Levy assumed his current position on January 1, 2024. He served as the Bank’s President of Commercial Banking from January 2022 to December 2023, Senior Vice President, Commercial Banking Sales Executive from June 2021 to December 2021, Senior Vice President, Regional President of Capital Region from June 2019 to June 2021, and Senior Vice President, Commercial Banking Team Leader from January 2018 to June 2019. Prior to joining the Bank, he served as the Executive Vice President and President of Commercial Banking at NBT Bank, N.A. from December 2006 to August 2016.

​