NASDAQ: TCBK

Tri Counties Bank

The Bank was organized in 1975 and had total assets of approximately $9.8 billion at December 31, 2025. Based in Chico, California, the Bank offers an extensive and competitive breadth of consumer, small business and commercial banking services through its network of stand-alone and in-store branches in communities throughout California. In addition to its California community bank network, the Bank provides advanced online and mobile banking, a shared nationwide network of over 40,000 surcharge-free ATMs, and bankers available by phone 7 days per week.

The Bank provides a breadth of personal, small business and commercial financial services including accepting demand, savings and time deposits and making small business, commercial, real estate, and consumer loans, as well as a range of treasury management services and other customary banking services including safe deposit boxes at some branches. Brokerage and wealth management services are provided at the Bank’s offices by Tri Counties Advisors through the Bank’s arrangement with Raymond James Financial Services, Inc., an independent financial services provider and broker-dealer.

The Bank offers a variety of banking and financial services to both personal, small business and commercial customers. In many instances the owners or stakeholders of the business and commercial customers are also personal customers. The industries that we serve are diverse in both number and type and include, but are not limited to, manufacturing, real estate development, retail, wholesale, transportation, agriculture, commerce, oil & gas, and professional services. The majority of the Bank’s loans are direct loans made to individuals and businesses in California where its branches or business lending centers are located. At December 31, 2025, the Bank’s consumer loans net of deferred fees outstanding were $1.3 billion (18.5%), commercial and industrial loans outstanding were $464.4 million (6.5%), real estate construction loans of $301.0 million (4.2%), and commercial real estate loans were $4.9 billion (68.3%) of total loans. The Bank takes real estate, listed and unlisted securities, savings and time deposits, automobiles, machinery, equipment, inventory, accounts receivable and notes receivable secured by property as collateral for loans.

Most of the Bank’s deposits are from individuals and business-related sources. No single person or group of persons provides a material portion of the Bank’s deposits, the loss of any one or more of which would have a materially adverse effect on the business of the Bank, nor is a material portion of the Bank’s loans concentrated within a single industry or group of related industries.

Human Capital Resources

At December 31, 2025, we employed 1,148 persons. Full-time equivalent employees numbered 1,135. Additionally, we at times will utilize temporary personnel to supplement our workforce. None of our employees are presently represented by a union or covered under a collective bargaining agreement. Management believes that its employee relations are good.

Our employees are critical to our success and competition for qualified banking personnel has historically been intense; therefore, our corporate culture is an important element of our board of directors' oversight of risk. Senior management is responsible for embodying, maintaining, and communicating our culture to employees. In that regard, our culture is designed to promote our commitment to improving

2 TriCo Bancshares 2025 10-K

Table of Contents

the livelihood of our employees and guides us in making decisions throughout the Company. Our culture adheres to TriCo’s values of trust, respect, integrity, communication and opportunity. We expect our people to treat each other and our customers with the highest level of honesty and respect and to do the right thing. We strive to be a force for good in everyday life. We dedicate resources to provide a safe and inclusive workplace; promoting diversity of thought and perspective, attracting and retaining diverse talent, and promoting our values by recognizing employees for both the results they deliver and how they achieve them. We offer professional growth opportunities through various training and development programs. We aim to engage our workforce through proactive listening, career conversations, performance discussions, and employee surveys.

We attract and retain employees by offering competitive compensation and benefit programs, considering the position’s location and responsibilities. Our benefits include employer subsidized health insurance, wellness initiatives, employee assistance programs, tuition reimbursement, a 401(k) retirement plan and an employee stock ownership plan. In addition, we offer a portfolio of additional services and tools to support our employees’ health and well-being.

We encourage our team members to share their talents in their communities through volunteer activities in education, economic development, human and health services, and community reinvestment. During 2025, our team members logged more than 10,100 volunteer hours, supporting more than 350 organizations, and approximately 4,500 of those hours were for the benefit of community development efforts to support programs and services to low- or moderate-income communities.

We strive to have a workforce that reflects the communities we serve and continue to promote diversity in leadership roles. We are dedicated to providing an inclusive, supportive, and discrimination-free workplace. We recognize employees based on their individual and departmental results, as well as overall Company results.

Competition

The banking business in California generally is highly competitive with respect to both loans and deposits. It is dominated by a relatively small number of national and regional banks with many offices operating over a wide geographic area, with the more metropolitan areas that we serve having a larger number of national and regional banks than the rest of our footprint. Among the advantages such major banks have over the Bank are their greater ability to finance investments in technology and marketing campaigns and to allocate their investment assets to regions of high yield and demand. By virtue of their greater total capitalization, such institutions also have substantially higher lending limits than the Bank.

In addition to competing with other banks, the Bank competes with savings institutions, credit unions, brokerage firms and the financial markets for funds. Yields on corporate and government debt securities and other commercial paper may be higher than on deposits, and therefore affect the ability of commercial banks to attract and hold deposits. We also compete for available funds with money market instruments and mutual funds. During periods of high or rising interest rates, money market funds have provided substantial competition to banks for deposits and they may continue to do so in the future. Mutual funds are also a major source of competition for savings dollars.

As the financial services industry becomes increasingly oriented toward technology-driven delivery systems, we face competition from banks and non-bank institutions without offices in our primary service area. We also increasingly compete with financial technology or “fintech” companies for loans and other financial services customers.

To compete effectively, the Bank relies substantially on local promotional activity, personal contacts by its officers, directors, employees and shareholders, extended hours, personalized service and its reputation in the communities it service.

Regulation and Supervision

General

The Company and the Bank are subject to extensive regulation under both federal and state law affecting most aspects of our operations. This regulation is intended primarily for the protection of customers, depositors, the FDIC deposit insurance fund and the banking system as a whole, and not for the protection of our shareholders. Set forth below is a summary description of the significant laws and regulations applicable to the Company and the Bank. The description is qualified in its entirety by reference to the applicable laws and regulations.

Regulatory Agencies

The Company is a legal entity separate and distinct from the Bank and its other subsidiaries. As a bank holding company, the Company is regulated under the BHC Act, and is subject to supervision, regulation and examination by the FRB. The Company is also under the jurisdiction of the SEC and is subject to the disclosure and regulatory requirements of the Securities Act of 1933 and the Securities Exchange Act of 1934, each administered by the SEC. The Company’s common stock is listed on the Nasdaq Global Select Market (“Nasdaq”) under the trading symbol “TCBK” and the Company is, therefore, subject to the rules of Nasdaq for listed companies.

The Bank is subject to regulation, supervision and periodic examination by the FDIC, which is the Bank’s primary federal regulator and the DFPI.

The Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) created the Consumer Financial Protection Bureau (the “CFPB”) as an independent entity with broad rulemaking, supervisory and enforcement authority over consumer financial products and services. In addition, the CFPB is authorized to investigate consumer complaints and enforce rules related to consumer financial products and services. CFPB regulations and guidance apply to all financial institutions, including the Bank. Banks with $10 billion

3 TriCo Bancshares 2025 10-K

Table of Contents

or more in assets are subject to examination by the CFPB, while banks with less than $10 billion in assets, including the Bank, continue to be examined for compliance with federal consumer laws by their primary federal banking agency. At December 31, 2025, the Company had $9.8 billion in total assets. See the Risk Factors section for a discussion of some of the risks the Bank will encounter when it exceeds $10 billion in assets as of a December 31 annual measurement date.

The Bank Holding Company Act

The Company is registered as a bank holding company under the BHC Act. In general, the BHC Act limits the business of bank holding companies to banking, managing or controlling banks and other activities that the FRB has determined to be so closely related to banking as to be a proper incident thereto. Qualified bank holding companies that elect to be financial holding companies may engage in any activity, or acquire and retain the shares of a company engaged in additional activities that are either (i) financial in nature or incidental to such financial activity or (ii) complementary to a financial activity, and do not pose a substantial risk to the safety and soundness of depository institutions or the financial system generally, as determined by the FRB. Activities that are financial in nature include securities underwriting and dealing, insurance underwriting and agency, and making merchant banking investments. The Company has not elected to become a financial holding company.

As a bank holding company, TriCo is required to file reports with the FRB and the FRB periodically examines the Company. A bank holding company is required by law to serve as a source of financial and managerial strength to its subsidiary bank and, under appropriate circumstances, to commit resources to support the subsidiary bank.

Bank Acquisitions

We are required to obtain prior FRB approval before acquiring more than 5% of the voting shares, or substantially all of the assets, of a bank holding company, bank or savings association. In addition, the prior approval of the FDIC and DFPI is required for a California chartered bank to merge with another bank or purchase the assets or assume the deposits of another bank. In determining whether to approve a proposed bank acquisition, bank regulators will consider, among other factors, the effect of the acquisition on competition, the public benefits expected to be received from the acquisition, capital adequacy and the acquiring institution’s effectiveness in combating money laundering and its record of addressing the credit needs of the communities it serves, including the needs of low- and moderate-income neighborhoods under the Community Reinvestment Act of 1997, as amended ("CRA").

The standards by which mergers and acquisitions involving depository institutions or bank holding companies are evaluated by regulators continue to evolve. For example, the DOJ announced in September 2024 its withdrawal from the 1995 Bank Merger Guidelines to assess the competitive effects of bank merger transactions.

Safety and Soundness Standards

Under the Federal Deposit Insurance Corporation Improvement Act of 1991 (“FDICIA”), the federal bank regulatory agencies have established safety and soundness standards for insured depository institutions covering internal controls, information systems and internal audit systems; loan documentation; credit underwriting; interest rate exposure; asset growth; compensation (including executive compensation) fees and benefits; and asset quality, earnings and stock valuation.

If a federal bank regulatory agency determines that a depository institution fails to meet any standard established by the guidelines, the agency may require the institution to submit to the agency an acceptable plan to achieve compliance with the standard. The agencies may elect to initiate enforcement actions in certain cases rather than relying on a plan, particularly where an institution has failed to comply with an acceptable plan or where a failure to meet one or more of the standards could threaten the safe and sound operation of the institution.

In October 2025, the FDIC and Office of the Comptroller of the Currency (“OCC”) issued a proposed rule that would define the term “unsafe or unsound practice” for purposes of their enforcement powers under the Federal Deposit Insurance Act. The proposed definition would focus on whether the practice is likely to materially harm, or already has materially harmed, the financial condition of an institution. The FRB has not issued a similar proposal.

Dividends, Distributions and Stock Repurchases

A California corporation such as TriCo may make a distribution to its shareholders to the extent that either the corporation’s retained earnings meet or exceed the amount of the proposed distribution or the value of the corporation’s assets exceed the amount of its liabilities plus the amount of shareholders preferences, if any, and certain other conditions are met. It is the FRB’s policy that bank holding companies should generally pay dividends on common stock only out of income available over the past year, and only if prospective earnings retention is consistent with the organization’s expected future needs and financial condition. In addition, a bank holding company’s ability to pay dividends on its common stock may be limited if it fails to maintain an adequate capital conservation buffer under these capital rules. See “Regulatory Capital Requirements.”

In certain circumstances, the Company's repurchases of its common stock may be subject to a prior approval or notice requirement under other regulations, policies or supervisory expectations of the FRB.

In August 2022, the Inflation Reduction Act of 2022 (the “IRA”) was enacted. Among other things, the IRA imposes a new 1% excise tax on the fair market value of stock repurchased after December 31, 2022 by publicly traded U.S. corporations. With certain exceptions, the value of stock repurchased is determined net of stock issued in the year, including shares issued pursuant to compensatory arrangements.

4 TriCo Bancshares 2025 10-K

Table of Contents

The primary source of funds for payment of dividends by TriCo to its shareholders has been and will be the receipt of dividends. TriCo’s ability to receive dividends from the Bank is limited by applicable state and federal law. Under the California Financial Code, funds available for cash dividend payments by a bank are restricted to the lesser of: (i) retained earnings or (ii) the bank’s net income for its last three fiscal years (less any distributions to shareholders made during such period). However, with the prior approval of the Commissioner of the DFPI, a bank may pay cash dividends in an amount not to exceed the greatest of the: (1) retained earnings of the bank; (2) net income of the bank for its last fiscal year; or (3) net income of the bank for its current fiscal year. However, if the DFPI finds that the shareholders’ equity of the bank is not adequate or that the payment of a dividend would be unsafe or unsound, the Commissioner may order the bank not to pay a dividend to shareholders.

In addition, the Bank’s ability to pay dividends may be limited if the Bank fails to maintain an adequate capital conservation buffer. See “Regulatory Capital Requirements.”

The FRB, FDIC and the DFPI have authority to prohibit a bank holding company or a bank from engaging in practices which are considered to be unsafe and unsound. Depending on the financial condition of TriCo and the Bank and other factors, our regulators could determine that payment of dividends or other payments or stock repurchases by TriCo or the Bank might constitute an unsafe or unsound practice.

The Community Reinvestment Act

The CRA requires the federal banking regulatory agencies to periodically assess a bank’s record of helping meet the credit needs of its entire community, including low- and moderate-income neighborhoods. The CRA also requires the agencies to consider a financial institution’s record of meeting its community credit when evaluating applications for, among other things, domestic branches and mergers or acquisitions. The federal banking agencies rate depository institutions’ compliance with the CRA. The ratings range from a high of “outstanding” to a low of “substantial noncompliance.” A less than “satisfactory” rating could result in the suspension of any growth of the Bank through acquisitions or opening de novo branches until the rating is improved.

In October 2023, the FRB, the FDIC, and the OCC issued a final rule amending the agencies’ CRA regulations. In July 2025, the federal banking agencies issued a joint Notice of Proposed Rulemaking, which, if finalized, would rescind the 2023 final rule and reinstate the CRA framework that existed prior to the issuance of that rule. Implementation of the October 2023 final rule, which was subject to an injunction and has not taken effect, would have materially changed the CRA framework, including imposing additional costs and changing how CRA performance would be assessed.

Consumer Protection Laws and Supervision

The Bank is subject to many federal consumer protection statutes and regulations, some of which are discussed below.

•The Equal Credit Opportunity Act generally prohibits discrimination in any credit transaction, whether for consumer or business purposes, on the basis of race, color, religion, national origin, sex, marital status, age (except in limited circumstances), receipt of income from public assistance programs, or good faith exercise of any rights under the Consumer Credit Protection Act.

•The Truth-in-Lending Act is designed to ensure that credit terms are disclosed in a meaningful way so that consumers may compare credit terms more readily and knowledgeably.

•The Fair Housing Act regulates many practices, including making it unlawful for any lender to discriminate in its housing-related lending activities against any person because of race, color, religion, national origin, sex, handicap or familial status.

•The Home Mortgage Disclosure Act, which includes a “fair lending” aspect, requires the collection and disclosure of data about applicant and borrower characteristics as a way of identifying possible discriminatory lending patterns and enforcing anti-discrimination statutes.

•The Real Estate Settlement Procedures Act requires lenders to provide borrowers with disclosures regarding the nature and cost of real estate settlements and prohibits certain abusive practices, such as kickbacks, and places limitations on the amount of escrow accounts.

The CFPB has broad rule making authority for a wide range of consumer financial laws that apply to all banks, including, among other things, laws relating to fair lending and the authority to prohibit “unfair, deceptive or abusive” acts and practices. The CFPB has promulgated many mortgage-related rules, including rules related to requirements for "qualified mortgages," standards by which lenders must satisfy themselves of a borrower's ability to repay a mortgage loan, mortgage servicing standards, disclosure requirements, loan originator compensation standards, high-cost mortgage requirements, HMDA requirements, and appraisal and escrow standards for higher priced mortgages. The mortgage-related rules issued by the CFPB have materially restructured the origination, servicing, and securitization of residential mortgages in the United States. The CFPB has also taken positions on fair lending, including applying the disparate impact theory in auto financing, which could make it harder for lenders, such as the Bank, to charge different rates or apply different terms to loans to different customers. The CFPB’s rules and policies have impacted, and will continue to impact, the business practices of mortgage lenders, including the Bank.

On October 22, 2024, the CFPB finalized a new rule that requires a provider of payment accounts or products, such as a bank, to make data available to consumers upon request regarding the products or services they obtain from the provider. Any such data provider also has to make such data available to third parties, with the consumer’s express authorization and through an interface that satisfies formatting, performance and security standards, for the purpose of such third parties providing the consumer with financial products or services requested by the consumer. Data required to be made available under the rule includes transaction information, account balance, account

5 TriCo Bancshares 2025 10-K

Table of Contents

and routing numbers, terms and conditions, upcoming bill information, and certain account verification data. The rule is intended to give consumers control over their financial data, including with whom it is shared, and encourage competition in the provision of consumer financial products or services. For banks with at least $10 billion and less than $250 billion in total assets, compliance with the rule’s requirements is required beginning on April 1, 2027. However, the rule is the subject of litigation, which is currently stayed while the CFPB considers revisions to the rule and it is possible the rule will be substantially re-written or rescinded.

During 2025, the CFPB significantly reduced its staff. The reduction in force is the subject of litigation, and the staffing cuts are currently stayed pending the federal circuit court's rehearing of the case. The impact of these developments on banking organizations subject to CFPB regulation and supervision, including the Company in the event we exceed $10 billion in total assets, is uncertain. In addition, there is continued uncertainty about the CFPB’s priorities under the current U.S. administration. For example, in February 2025, the Acting Director of the CFPB instructed agency staff to pause most activity, including supervision and enforcement. While it is presently unclear when and to what extent the CFPB will resume its activities, other governmental authorities, including state attorneys general or banking regulators, may seek to increase their regulation, supervision, and enforcement of providers of consumer financial products and services in response to changes at the CFPB. Moreover, changes at the CFPB may lead to federal legislative efforts to alter the framework for consumer financial services regulation.

We are also subject to certain state consumer protection laws and state attorneys general and other state officials are empowered to enforce certain federal consumer protection laws and regulations. State authorities have increased their focus on and enforcement of consumer protection rules. These federal and state consumer protection laws apply to a broad range of our activities and to various aspects of our business and include laws relating to interest rates, fair lending, disclosures of credit terms and estimated transaction costs to consumer borrowers, debt collection practices, the use of and the provision of information to consumer reporting agencies, and the prohibition of unfair, deceptive, or abusive acts or practices in connection with the offer, sale, or provision of consumer financial products and services.

Penalties for violations of the above laws may include fines, reimbursements, injunctive relief and other penalties. Failure to comply with consumer protection requirements may also result in our failure to obtain any required bank regulatory approval for merger or acquisition transactions we may wish to pursue or our prohibition from engaging in such transactions even if approval is not required.

Privacy and Data Protection

We are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer privacy and data protection. Under privacy protection provisions of the Gramm-Leach-Bliley Act of 1999 ("GLBA") and its implementing regulations and guidance, we are limited in our ability to disclose certain non-public information about consumers to non-affiliated third parties. Financial institutions, such as the Bank, are required by statute and regulation to notify consumers of their privacy policies and practices and, in some circumstances, allow consumers to prevent disclosure of certain personal information to a non-affiliated third party. In addition, such financial institutions must appropriately safeguard their customers’ nonpublic, personal information.

Like other lenders, the Bank uses credit bureau data in their underwriting activities. Use of such data is regulated under the Fair Credit Reporting Act (“FCRA”), and the FCRA also regulates reporting information to credit bureaus, prescreening individuals for credit offers, sharing of information between affiliates, and using affiliate data for marketing purposes. Similar state laws may impose additional requirements on the Company and the Bank.

Data privacy and data protection are areas of increasing state legislative focus. For example, the California Consumer Privacy Act ("CCPA"), which became effective on January 1, 2020, applies to for-profit businesses that conduct business in California and meet certain revenue or data collection thresholds. The CCPA gives consumers the right to request disclosure of information collected about them, and whether that information has been sold or shared with others, the right to request deletion of personal information (subject to certain exceptions), the right to opt out of the sale of the consumer’s personal information, and the right not to be discriminated against for exercising these rights. In addition, the California Privacy Rights Act (“CPRA”), which took effect on January 1, 2023, significantly modified the CCPA, including imposing additional obligations on covered companies and expanding California consumers’ rights with respect to certain sensitive personal information. The CCPA and CPRA do not provide a blanket exemption for financial institutions, but instead contain a partial exemption for information collected by financial institutions where the information is itself subject to the GLBA (e.g., information about individuals who have obtained personal financial products from the institution). Such information is exempt from the privacy requirements of the CCPA, but, is not exempt from the private right of action conferred if a business fails to implement and maintain reasonable security to protect certain categories of information. In California, the CCPA, the CPRA, and their implementing regulations may be interpreted or applied in a manner inconsistent with our understanding.

State regulators have been increasingly active in implementing privacy and cybersecurity standards and regulations. Recently, several states have adopted regulations requiring certain financial institutions to implement cybersecurity programs and many states, including California, have recently implemented or modified their data breach notification, information security and data privacy requirements. We expect this trend of state-level activity in those areas to continue and are continually monitoring developments in the states in which our customers are located.

Cybersecurity

The federal banking regulators regularly issue new guidance and standards, and update existing guidance and standards, regarding cybersecurity intended to enhance cyber risk management among financial institutions. Financial institutions are expected to comply with

6 TriCo Bancshares 2025 10-K

Table of Contents

such guidance and standards and to accordingly develop appropriate security controls and risk management processes. If we fail to observe such regulatory guidance or standards, we could be subject to various regulatory sanctions, including financial penalties. In 2023, the SEC issued a final rule that requires disclosure of material cybersecurity incidents, as well as cybersecurity risk management, strategy and governance. Under this rule, SEC registrants must generally disclose information about a material cybersecurity incident within four business days of determining it is material with periodic updates as to the status of the incident in subsequent filings, as necessary.

Banking organizations are required to notify their primary banking regulator within 36 hours of determining that a “computer-security incident” has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the banking organization’s ability to carry out banking operations or deliver banking products and services to a material portion of its customer base, its businesses and operations that would result in material loss, or its operations that would impact the stability of the United States. Banks' service providers are required to notify any affected bank to or on behalf of which the service provider provides services "as soon as possible" after determining that it has experienced an incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided to such bank for as much as four hours.

Recent cyberattacks against banks and other financial institutions that resulted in unauthorized access to confidential customer information have prompted the federal banking regulators to issue guidance on cybersecurity. Among other things, financial institutions are expected to design multiple layers of security controls to establish lines of defense and ensure that their risk management processes address the risks posed by compromised customer credentials, including security measures to authenticate customers accessing internet-based services. A financial institution also should have a robust business continuity program to recover from a cyberattack and procedures for monitoring the security of third-party service providers that may have access to nonpublic data at the institution. Further, our service providers have obligations to safeguard their systems and sensitive information and we may be bound contractually and/or by regulation to comply with the same requirements. If the Company or its service providers fail to comply with applicable regulations and contractual requirements, we could be exposed to lawsuits, governmental proceedings or the imposition of fines, among other consequences.

Risks and exposures related to cybersecurity attacks, including litigation and enforcement risks, are expected to be elevated for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our customers.

See "