Third Party Risk Management. (1) Within sixty (60) days of the date of this Agreement, the Board shall adopt and Bank management shall implement and thereafter adhere to a written program to effectively assess and manage the risks posed by third-party fintech relationships (“Third-Party Risk Management Program”). Refer to OCC Bulletin 2013-29, “Third-Party Relationships” and OCC Bulletin 2020-10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29”; Refer to OCC Bulletin 2021-40, “Third-Party Relationships: Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks”.
(2) The Third-Party Risk Management Program shall be commensurate with the level of risk and complexity of the Bank’s third-party fintech relationship partners and shall, at a minimum, address the following for the Bank’s third-party fintech relationship partners:
(a) written policies, procedures, and processes governing the Bank’s third-party fintech relationship partners that, at a minimum: (i) address how the Bank identifies and assesses the inherent risks of the products, services, and activities performed by the third-parties, including but not limited to BSA, compliance, operational, liquidity, counterparty and credit risk as applicable; (ii) details how the Bank selects, assesses, and oversees third-parties; (iii) details the Bank’s strategic plan for providing necessary resources, infrastructure, technology controls, and organizational capabilities to manage the third-party fintech relationship partners in a safe and sound manner; and (iv) establishes criteria for Board review and approval of third-party fintech relationship partners;
(b) an assessment of BSA risk for each third-party fintech relationship partner, including risk associated with money laundering, terrorist financing, and sanctions risk as well as the third-party’s processes for mitigating such risks and complying with applicable laws and regulations;
(c) due diligence and risk assessment criteria for selecting and approving a third-party fintech relationship partner that is appropriate and unique to the particular products, services, and activities provided by the third-party; Refer to OCC Bulletin 2021-40, “Third-Party Relationships: Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks”;
(d) an effective compliance oversight program for third-party fintech relationship partners to include: (i) evaluation of the products, services, and activities offered through the Bank’s third-party fintech relationship partners for compliance with applicable laws and regulations; (ii) an effective internal compliance monitoring program; and (iii) a process for addressing any third-party fintech relationship partner’s activities identified as non-compliant or in violation of applicable laws and regulations;
(e) ongoing monitoring of third-party fintech relationship partner’s activities and performance;
(f) contingency plans for terminating third-party fintech relationships in an effective manner;
(g) documentation, management information systems (“MIS”), and reporting that facilitates Board and management oversight, accountability, monitoring, and risk management associated with third-party fintech relationships;
(h) an audit plan for independent reviews by a qualified auditor who is independent of day-to-day operations that allows Bank management to assess whether the Bank’s risk management practices align with the Bank’s policies, procedures, and processes. The audit plan must provide for effective independent reviews to assess internal controls as well as IT, compliance, and operational risk associated with third-party fintech relationships;
(i) a written assessment from a qualified, independent certified public accountant to ensure the accounting for transactions initiated through the fintech partnerships conform with GAAP and financial reporting is in line with contractual terms; and
(j) evaluation and implementation of adequate staffing across the third-party fintech relationship line of businesses to ensure the oversight and management of the third-party fintech relationship line of businesses is properly staffed with personnel with the requisite expertise to oversee and manage the risks associated with the third-party fintech relationship line of businesses.
(3) Prior to onboarding new third-party fintech relationship partners, signing a contract with a new fintech partner, or offering new products or services or conducting new activities with or through existing third-party fintech relationship partners, the Board shall obtain no supervisory objection from the OCC. At a minimum, the bank shall submit the due diligence package including supporting documentation, any proposed contract, and any management or board committee minutes approving the relationship.
(4) The Board shall review the effectiveness of the Third-Party Risk Management Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Third-Party Risk Management Program as needed or directed by the OCC.
Appears in 2 contracts
Sources: Compliance Agreement (Blue Ridge Bankshares, Inc.), Compliance Agreement
Third Party Risk Management. (1) Within thirty (30) days of the date of this Agreement, the Bank shall submit to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection an acceptable written program to effectively assess and manage the risks posed by third-party fintech relationships (“Third-Party Risk Management Program”). The term “third-party relationship” in this Agreement includes the Bank’s merchant processing partnerships and prepaid card partnerships. Refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management,” for related safe and sound principles.
(2) The Third-Party Risk Management Program shall be commensurate with the level of risk and complexity of the Bank’s third-party relationships and shall, at a minimum, address the following:
(a) written plans that outline the Bank’s strategy for third-party relationships, at a minimum: (i) identify the inherent risks of the products, services, and activities performed by the third parties, including but not limited to BSA/AML compliance risk, compliance, operational, liquidity, counterparty and credit risk as applicable; (ii) detail how the Bank selects, assesses, and oversees third parties; (iii) details the Bank’s strategic plan for providing necessary resources, infrastructure, technology controls, and organizational capabilities to manage the third-party fintech relationship partners in a safe and sound manner; and (iv) establishes criteria for Board review and approval of third-party fintech relationship partners;
(b) an assessment of BSA risk for each third-party relationship, including risk associated with BSA compliance, money laundering, terrorist financing, and sanctions risk, as well as each third-party relationship’s processes for mitigating such risks and complying with applicable laws and regulations. Refer to FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual: “Third Party Payment Processors” (Rev. February 2015) and “Prepaid Access” (Rev. February 2015) for guidance;
(c) due diligence and risk assessment criteria for selecting and approving each third-party relationship;
(d) written contracts that outline the rights and responsibilities of all parties;
(e) ongoing monitoring of third-party fintech relationship partner’s activities and performance;
(f) contingency plans for terminating third-party fintech relationships in an effective manner;
(g) clear roles and responsibilities for overseeing and managing third-party relationships and risk management;
(h) evaluation and implementation of adequate staffing to manage third-party relationships, including personnel with the requisite expertise to oversee and manage the risks associated with each third-party relationship;
(i) documentation and reporting that facilitates Board and management oversight, accountability, monitoring, and risk management associated with third-party fintech relationships; and
(j) an audit plan for independent reviews by a qualified auditor who is independent of day-to-day operations that allow Bank management to assess whether the Bank’s risk management process aligns with its strategy and effectively manages risks associated with third-party fintech relationships;
(3) Upon receipt of the Assistant Deputy Comptroller’s written determination of no supervisory objection to the Third-Party Risk Management Program or any subsequent amendment to the Third-Party Risk Management Program, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Third-Party Risk Management Program.
(4) The Board shall review the effectiveness of the Third-Party Risk Management Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Third-Party Risk Management Program as needed or directed by the OCC. Any amendment to the Third-Party Risk Management Program must be submitted to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.
(4) Effective immediately, the Bank shall cease adding (i) new merchant processing partnerships, (ii) prepaid card partnerships, or (iii) additional merchants to a merchant processing partnership until the Bank has received no supervisory objection from the Assistant Deputy Comptroller for such additional merchant(s) or partnership. Any request for supervisory nonobjection shall include:
(a) documentation demonstrating efforts the Bank has taken to implement and independently validate a BSA/AML Internal Control Program pursuant to Article (IV) of this Agreement and a Third-Party Risk Management Program pursuant to this Article (IX); and
(b) documentation demonstrating efforts the Bank has taken to adequately address its BSA/AML risk with respect to merchant processing relationships and prepaid card issuer relationships, along with supporting documentation.
(5) Upon receiving no supervisory objection to resume adding new relationships under paragraph (4) of this Article, the Bank shall submit to the Board a monthly report detailing the volumes of such new relationships and provide a copy to the Assistant Deputy Comptroller.
Appears in 1 contract
Sources: Compliance Agreement