Consent Order Regarding Tioga-Franklin Savings Bank

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF BANKING AND SECURITIES : Commonwealth of Pennsylvania, : Docket No.: 24_0021 (ENF-ORD) Department of Banking and Securities, : Bureau of Bank Supervision : : v. : : Tioga-Franklin Savings Bank. : : CONSENT ORDER WHEREAS, Tioga-Franklin Savings Bank (the “Bank”) is a Pennsylvania state-chartered mutual savings bank and subject to regulation by the Commonwealth of Pennsylvania Department of Banking and Securities (the “Department”) and the Federal Deposit Insurance Corporation (“FDIC”); WHEREAS, the Bureau of Bank Supervision (the “Bureau”) is primarily responsible within the Department for the regulation and supervision of the Bank; WHEREAS, the Bank was the subject of an FDIC Report of Examination as of July 31, 2023 (the “ROE”); WHEREAS, the ROE gave the Bureau reason to believe that the Bank had engaged in unsafe or unsound banking practices; WHEREAS, as a result of the ROE, the Bureau is of the opinion that grounds exist for the entry of a Consent Order (the “Order”) against the Bank pursuant to Section 501.A of the Department of Banking Code, 71 P.S. § 733-501.A; and, WHEREAS, the Bank, by and through its duly elected and acting board of trustees (the “Board”), and without admitting or denying wrongdoing, agrees to the issuance of this Consent Order (the “Order”) by the Bureau; FILED 2024 APR 24 PM 4:50 PA DEPARTMENT OF BANKING AND SECURITIES

• 2 - IT IS HEREBY ORDERED, pursuant to Section 501.A of the Department of Banking and Securities Code, 71 P.S. § 733-501.A, that the Bank, its trustees, officers, employees, agents, and other “institution-affiliated parties,” as that term is defined in Section 3(u) of the FDIA, 12 U.S.C. § 1813(u), and its successors and assigns, shall take the following affirmative action: I. BOARD REQUIREMENTS A. Supervision, Direction, and Oversight. The Board must immediately increase, commensurate with the size of the Bank and the nature, scope, complexity, and risk of Bank activities, its supervision and direction of Bank management, and its oversight and monitoring of the Bank’s financial condition, risk profile, operations, including the adherence to the Bank’s written policies, procedures, processes, and/or practices (collectively, Bank Procedures). The Board must also appropriately address the oversight and supervision-related deficiencies and weaknesses identified in the FDIC’s July 31, 2023 Report of Examination (2023 ROE), and, at a minimum:

1. Officers. Ensure that the Bank has and maintains an appropriate number of Bank officers with the experience and expertise, sufficient authority, independence, and the resources necessary to enable them to satisfactorily oversee and manage Bank activities, operations, and associated risks; assure compliance with this Order and applicable laws and regulations; and adhere to Bank Procedures;
2. Information and Procedures. Ensure that Bank Procedures: (a) include provisions which: (i) provide the Board with the information and documentation necessary to fulfill its duties and responsibilities under this Order; (ii) enable the Board to monitor and regularly evaluate the adherence to and the effectiveness of Bank Procedures; and (iii) establish clear and measurable parameters and limits; and, (b) are appropriately revised in a timely manner to assure on-going and proactive compliance with applicable laws and regulations;

• 3 -

3. Audit. Ensure internal and external audits of the Bank are completed on a timely basis and findings are promptly provided to Bank management, the Board, and/or the appropriate Board committee. The Board must also ensure that internal and external audit findings and recommendations are appropriately communicated and addressed in a timely manner; and
4. Meetings. Ensure that the minutes of meetings of the Board and Board and Bank committees are sufficiently detailed and reflect the discussion of and rationale for material decisions and any specific actions taken or to be taken by the Board and/or any requirements of or directions to Bank management as a result of the discussions. B. Corrective Action. The Board must also ensure that it and the Bank take all steps necessary, consistent with other provisions of this Order and safe and sound banking practices, to:
5. Banking Practices, Violations and Nonconformance. Correct, and prevent the unsafe or unsound banking practices, the violations of law or regulation, and nonconformance with Part 364 identified in the 2023 ROE and establish and maintain Bank Procedures to track, eliminate or correct, and prevent any unsafe or unsound banking practices, violations of law or regulation, or nonconformance with Part 364 identified in future reports of examination or visitation reports;
6. Deficiencies and Weaknesses. Appropriately address the deficiencies and weaknesses identified in the 2023 ROE and establish Bank Procedures to track and appropriately address any deficiencies or weaknesses identified in future reports of examination or visitation reports; and
7. Order Compliance. Fully comply with the provisions of this Order in a timely manner.

• 4 - II. AML/CFT PROGRAM Within 60 days from the effective date of this Order, the Board must ensure that the Bank’s written AML/CFT Program is reasonably designed to assure and monitor the Bank’s compliance with the BSA. At a minimum, the AML/CFT Program must (i) be commensurate with the Bank’s money laundering (ML), terrorist financing (TF), and other illicit financial activity risk profile (collectively, ML/TF Risk Profile); (ii) address the BSA related deficiencies and weaknesses identified in the 2023 ROE; (iii) comply with the requirements of this Order; (iv) include Bank Procedures for monitoring the performance of and adherence to the AML/CFT Program and documenting, tracking, and reporting such performance and adherence; and (v) include Bank Procedures for periodically, and on a risk basis, reviewing and revising the Bank’s ML/TF Risk Profile and the AML/CFT Program to ensure the AML/CFT Program is and continues to be reasonably designed to assure and monitor the Bank’s compliance with the BSA. A. Risk Assessments. The Board must ensure that the Bank’s written assessment of ML, TF, and other illicit financial activity risks (collectively, ML/TF Risk Assessment) includes quantitative factors to support the Bank’s current ML/TF Risk Profile and is updated in accordance with Bank Procedures; B. System of AML/CFT Internal Controls. The Board must ensure that the Bank has a system of internal controls in place that assures and monitors compliance with the BSA (AML/CFT Internal Controls). The AML/CFT Internal Controls must appropriately consider the Bank’s size, organizational structure and complexity; Bank activities and their respective complexity, scope, and volumes; ML/TF Risk Assessment; and ML/TF Risk Profile. The

• 5 - AML/CFT Internal Controls must also, at a minimum, include satisfactory Bank Procedures that require:

1. AML/CFT Resources Reviews. The performance of an initial and then periodic risk-based reviews and assessments of the adequacy and appropriateness of Bank’s AML/CFT related resources, both staffing and non-staff resources (AML/CFT Resources Review). An AML/CFT Resources Review must, at a minimum, appropriately consider the Bank’s size and growth plans, complexity and organizational structure, the ML/TF Risk Assessment, and ML/TF Risk Profile, and assess whether the Bank has the appropriate level and type of AML/CFT related resources to effectively mitigate ML/TF Risks and to ensure appropriate oversight and supervision of the AML/CFT Program and compliance with the BSA. An AML/CFT Resource Review must also be documented and identify any deficiencies, including those due to employee turnover, and/or additional AML/CFT resource needs with recommendations on how they should be addressed;
2. Monitoring and Reporting. The review and appropriate revision of Bank’s Procedures and systems for monitoring, detecting, and reporting activity conducted within or through the Bank to ensure the timely, accurate, and complete filing of all reports required by the BSA, including suspicious activity reports (SARs), currency transaction reports (CTRs), and reports regarding searches requested by the Financial Crimes Enforcement Network under 12 C.F.R. § 1010.520(b)(3) (FinCEN Searches), with an appropriate level of documentation, analysis, and support for monitoring and reporting process decisions;
3. Customer Due Diligence. The review and appropriate revision of the Bank Procedures related to customer due diligence (CDD) for new and existing customers (Customers) to, at a minimum:

• 6 - (a) ensure consistency with the ML/TF Risk Profile and ML/TF Risk Assessment and require an increased focus on Customers identified by the Bank as posing a heightened risk of ML, TF, or other illicit financial activities; (b) establish a standardized methodology designed to ensure the risk level of the Bank’s Customers is appropriately identified and assessed based on the potential for ML, TF, or other illicit financial activity posed by the Customer’s activities, with appropriate consideration given to the nature and purpose of the account, including the anticipated type and volume of account activity, types of products and services offered, and locations and markets served by the Customer; (c) ensure the Bank has sufficient information to understand the nature and purpose of Customer relationships for purposes of developing a Customer Risk Profile and address the means by which information will be requested and collected from Customers; (d) ensure an appropriate level of ongoing monitoring commensurate with Customer Risk Profiles to ensure that the Bank can accurately identify those Customers the Bank has reason to believe pose a heightened risk of ML, TF, or other illicit financial activities and require additional due diligence; (e) establish when, what, and how additional information will be collected for Customers the Bank has identified as posing a heightened risk of ML, TF, or other illicit financial activities, taking into account the Customer Risk Profile and the specific risks posed by the Customer; (f) establish whether and when Customer information, including information regarding the beneficial owner(s) of legal entity Customers, should be updated to ensure it is current and accurate;

• 7 - (g) establish standards for conducting and documenting analysis associated with the due diligence process, including guidance for resolving issues when insufficient or inaccurate information is obtained; and (h) establish specific staff responsibilities, including who is responsible for requesting and collecting Customer information determining whether collected Customer information is sufficient, and reviewing and/or authorizing changes to Customer Risk Profiles and/or CDD information. C. AML/CFT Officer. The Board must ensure that the Bank has a designated individual or individuals (AML/CFT Officer) with qualifications commensurate with the ML/TF Risk Assessment, ML/TF Risk Profile, size, and complexity of the Bank. The Board must, at a minimum, ensure that the Bank has:

1. Designated AML/CFT Officer. A designated AML/CFT Officer with the appropriate qualifications, requisite skills, sufficient delegated authority, and ability to effectively coordinate and monitor day-to-day compliance, and administer all aspects of the AML/CFT Program, including the Bank’s compliance with the BSA;
2. Reporting Procedures. Bank Procedures requiring the AML/CFT Officer to report directly to the Board and/or the Compliance Committee, as required and defined in Paragraph IX below, with regard to all matters related to the BSA; and
3. AML/CFT Action Plan Procedures. Bank Procedures requiring the AML/CFT Officer to periodically prepare and submit an action plan to address and correct all identified AML/CFT Program weaknesses and deficiencies (AML/CFT Action Plan) to the Compliance Committee and to Internal Audit. The AML/CFT Action Plan must, at a minimum: (a) list and describe in detail all identified weaknesses and deficiencies;

• 8 - (b) establish and describe in detail the means by which each identified weakness and deficiency will be addressed and corrected; (c) identify the parties responsible for implementing corrective action; (d) establish a timeframe for executing and completing each corrective action; (e) provide the status of any weakness or deficiency where corrective action has not been completed; and (f) establish the manner and process for testing the corrective action once completed to ensure it appropriately addressed the identified weakness or deficiency; D. AML/CFT Training. The Board must ensure all Bank Personnel, as defined below, are aware of, and can comply with, the requirements of the BSA applicable to the individual’s specific duties and responsibilities to assure the Bank’s compliance with the BSA. The Board must also ensure that the Bank implements effective training for the Board, Bank management, staff with assigned duties under the AML/CFT Program, and other Bank staff (collectively, Bank Personnel) regarding the BSA (AML/CFT Training Program). The AML/CFT Training Program must, at a minimum:

1. Tailored Training. Ensure training is tailored to address the specific duties and responsibilities of the Bank Personnel for which the training is being provided;
2. Initial and Periodic Training. Require initial and periodic tailored training, updated as appropriate; and
3. Documentation. Require full documentation of the AML/CFT Training Program and its implementation, including type of training, training materials, dates of the training sessions, and attendance records.

• 9 - III. LOOK BACK REVIEW A. Engagement and Report. Within 30 days from the effective date of this Order, the Bank must submit either a proposed engagement letter or contract to retain a qualified firm or a letter identifying the Bank Personnel with their positions at the Bank, their qualifications, and a detailed description of the work to be performed by the Bank Personnel and a written protocol of such work (Bank Personnel Proposal) to conduct a review of all accounts and transaction activity for the time period beginning September 30, 2021, through the effective date of this Order to (i) perform and/or complete any outstanding FinCEN Searches; and (ii) determine whether reportable transactions, including CTRs, and suspicious activity involving any accounts or transactions within or through the Bank were properly identified and reported in accordance with the applicable reporting requirements (BSA Look Back Review) to the Bureau for review, and comment or non-objection in accordance with Paragraph XII of this Order. The engagement letter or contract must, at a minimum, (i) describe the work to be performed under the engagement letter or contract with a written protocol of such work; and (ii) provide for unrestricted access to work papers of the third party by the FDIC. The proposed firm’s engagement letter or contract or the Bank Personnel Proposal must require that the BSA Look Back Review and FinCEN Searches be completed and summarized in a written report reflecting the findings of the BSA Look Back Review (BSA Look Back/FinCEN Search Report) and delivered to the Compliance Committee within 90 days of the Bureau’s non-objection to the proposed engagement letter, contract, or Bank Personnel Proposal. B. Filings. The Board must ensure the Bank appropriately reports the findings of the FinCEN Searches to FinCEN and prepares and files any additional SARs, CTRs, or other BSA￾required reports necessary based upon the BSA Look Back Review and the BSA Look Back/FinCEN Search Report within 30 days of the delivery of the BSA Look Back/FinCEN

• 10 - Search Report to the Compliance Committee. The Board must also ensure the Bank includes a schedule of the BSA Identification Numbers assigned to such filings by Financial Crime Enforcement Network in the next Progress Report, as required and defined in Paragraph XI, submitted to the Bureau after filing such SARs, CTRs, or other BSA-required reports. IV. OFAC COMPLIANCE The Board must ensure that the Bank complies with the requirements of the laws and regulations administered by the Office of Foreign Assets Control (collectively, OFAC Requirements) and that the program established by the Bank (OFAC Compliance Program) appropriately assesses the risk associated with compliance with OFAC Requirements and satisfactorily enables the Bank to comply with the OFAC Requirements. Within 60 days of the effective date of the Consent Order, the Board should consider whether the OFAC Compliance Program (i) is commensurate with the Bank’s OFAC risk and appropriately considers the Bank’s products, services, customers, entities, transactions, geographic locations, and reliance on third parties to fulfill any of the Bank’s OFAC Requirements; (ii) is reviewed and appropriately updated as new products, services, business lines, geographic locations and third parties are added; and (iii) the OFAC related deficiencies and weaknesses identified in the 2023 ROE have been appropriately addressed. V. STRATEGIC PLAN A. Strategic Plan. Within 30 days from the effective date of this Order, the Board must appropriately revise the Bank’s written three-year strategic plan (Strategic Plan) to address the deficiencies and weaknesses identified in the 2023 ROE related to capital, asset growth, earnings, budgeting, and strategic direction and submit it to the Bureau Director for review, and comment or non-objection in accordance with Paragraph XII of this Order. B. Minimum Requirements. The Strategic Plan must, consistent with safe and sound

• 11 - banking practices, and appropriately taking into account the other requirements of this Order, at a minimum:

1. Financial Condition Assessment. Assess the Bank’s current financial condition, market area, and capital needs taking into account current and projected assets, liabilities, earnings, Bank activities, and any concentrations and stress testing results;
2. Goals and Performance Metrics. Establish specific goals and measurable performance metrics for returning the Bank to a satisfactory condition and profitability; managing earnings, liquidity, interest rate risk (IRR) exposure, growth, concentrations; and ensuring capital is commensurate with the size, financial condition, operations, strategic objections of the Bank, and the nature, scope, complexity, and risk of Bank activities;
3. Growth and Concentration Limits. Establish risk-based growth and concentration limits and metrics justified by well-supported analysis;
4. Capital Plans. Include detailed plans specifying the means by which the Bank will, after establishing an appropriate allowance for credit losses, achieve, by no later than December 31, 2024, and thereafter maintain a Leverage Ratio, as defined at 12 C.F.R. § 324.10(b)(4), equal to or greater than 9 percent and a Total Capital Ratio, as defined at 12 C.F.R. § 324.10(b)(3), equal to or greater than 12 percent which identifies the primary and contingent sources of capital through which the Bank will meet its capital needs with triggers for the contingent sources, and strategies for sale, merger, or liquidation in the event primary and contingent sources of capital are not available or are insufficient to maintain these required minimum capital levels;
5. Operating Budget. Include a comprehensive operating budget addressing all categories of income and expense with formal goals and strategies with a detailed description of the operating assumptions forming the basis for major projected income and expense

• 12 - components;

6. Asset and Liability Management Strategies. Establish pricing policies and asset/liability management strategies supported by well-documented analysis;
7. Asset Growth and Earnings Pro Forma Statements. Include pro forma statements for asset growth and earnings for each of the three years covered by the Strategic Plan; and
8. Performance Evaluations. Require periodic evaluations of actual performance in relation to the Strategic Plan and document the results of the evaluation and detail any action to be taken as a result of the evaluation with the results provided to the Compliance Committee. C. Updates. The Board must establish Bank Procedures requiring periodic risk￾based reviews and updating of the Strategic Plan as appropriate, and the preparation and submission of a three-year Strategic Plan to the Board for its review and approval by December 15 of every calendar year. VI. FUNDS MANAGEMENT PROGRAM A. Funds Management Program. Within 30 days from the effective date of this Order, the Board must ensure that the Bank Procedures and plans related to funds management and contingency funding (collectively, Funds Management Program) are appropriately revised to address the deficiencies and weaknesses related to funds management and contingency funding identified in the 2023 ROE and maintain adequate provisions to meet the Bank’s liquidity needs. The revised Funds Management Program must be included in the next Progress Report submitted to the Bureau after the required revisions are completed. B. Minimum Requirements. The Funds Management Program must, consistent with safe and sound banking practices, and appropriately taking into account the other requirements of

• 13 - this Order, at a minimum:

1. Liquidity Risk Identification. Identify and document the liquidity risks arising from the Bank’s key exposure and activities, reliance on noncore funding and/or any related concentrations;
2. Liquidity Needs and Plans. Include a detailed and well-supported statement and analysis of the Bank’s short-term and long-term liquidity needs and plans, including the retention of highly liquid assets in appropriate amounts, for ensuring that such needs are met appropriately taking into account available funding sources, liquidity risks, and the strategic objectives established in the Strategic Plan required by Paragraph V;
3. Periodic Deposit Structure Reviews. Require periodic risk-based reviews of the Bank’s deposit structure identifying any reliance on noncore funding sources and concentrations, and provide a detailed description of the Bank’s strategy for reducing any identified reliance and/or concentration risks;
4. Periodic Cash Flow Analysis and Stress Tests. Require periodic risk-based formal cash flow analysis and scenario-based liquidity stress tests relating to the bank-specific stresses, market-wide stresses, and a combination of both;
5. Early Warning Indicators. Establish and monitor early warning indicators with measurable metrics designed to recognize potential stress events and initiate contingency funding plans;
6. Minimum Liquidity Ratio. Establish and monitor a minimum liquidity ratio appropriately based on stress-testing results clearly defining how the ratio is to be calculated and compliance will be tracked;
7. Contingency Funding Plan. Establish a contingency funding plan with alternative plans to meet liquidity needs and that clearly identifies projected contingent funding

• 14 - sources and includes the amount, ability, and speed of access for each;

8. Periodic Reporting. Require periodic reporting regarding cash flow analysis, liquidity stress testing, early warning indicators, adherence to the minimum liquidity ratio and/or any other funds management related Bank Procedures to the Board’s Asset/Liability Committee; and
9. Updates. Require periodic risk-based reviews and updating of the Funds Management Program. VII. INTEREST RATE RISK MANAGEMENT A. IRR Management Plan. Within 30 days from the effective date of this Order, the Board must ensure the Bank prepares a plan to address the deficiencies and weaknesses related to IRR management identified in the 2023 ROE and appropriately manage interest rate risk (IRR Management Plan). The IRR Management Plan must be included in the next Progress Report submitted to the Bureau after completion. B. Minimum Requirements. The IRR Management Plan must, consistent with safe and sound banking practices, and appropriately take into account the other requirements of this Order, at a minimum, detail the actions the Bank will take to:
10. IRR Measurement and Modeling System. Establish an IRR measurement and modeling system, including the assumptions forming the basis of the modeling, appropriate for the Bank’s size, and the nature, scope, and complexity and risk of Bank activities, and related Bank Procedures requiring periodic, risk-based IRR modeling and sensitivity testing, back￾testing, model validation and appropriate reporting;
11. Independent Review. Ensure appropriate risk-based independent reviews of the Bank’s asset liability management function and appropriate reporting of findings; and

• 15 -

3. Monitoring and Reporting. Establish Bank Procedures for monitoring and reporting risk exposures to the Board and for addressing exposures outside of established risk limits. VIII. CREDIT ADMINISTRATION A. Credit Administration Procedures. Within 30 days from the effective date of this Order, the Board must ensure the Bank Procedures related to credit administration (Credit Administration Procedures) are appropriately revised to address the deficiencies and weaknesses related to credit administration identified in the 2023 ROE and ensure that credit￾related risk is appropriately identified, monitored, and mitigated. The revised Credit Administration Procedures must be included in the next Progress Report submitted to the Bureauafter the revisions are completed. B. Minimum Requirements. Credit Administration Procedures must, consistent with safe and sound banking practices, and appropriately take into account the other requirements of this Order, at a minimum:
4. Specific Bank Procedures and Risk Limits. Ensure Bank Procedures are specific to the Bank, and establish risk limits, including concentration limits, appropriate for the Bank that are consistent with Board established risk parameters;
5. Periodic Loan Reviews. Ensure loan reviews are conducted periodically and loans are appropriately risk-rated based on current financial statements; and
6. Monitoring and Reporting. Require the monitoring and reporting of noncompliance with established risk limits and credit-related Bank Procedures, including those related to nonaccrual treatment, to the Board along with proposed actions to address such non￾compliance.

• 16 - IX. TRUSTEES’ COMPLIANCE COMMITTEE A. Compliance Committee. Within 7 days from the effective date of this Order, the Board’s Compliance Committee must be composed of a majority of Trustees who are independent of management and who are not now, and have not previously been, involved in the daily operations of the Bank and are acceptable to the Bureau. Nothing herein diminishes the responsibility of the entire Board to ensure full compliance with the provisions of this Order in a timely manner. B. Compliance Committee Plan. Within 30 days from the effective date of this Order, the Compliance Committee must submit a written plan detailing how the Board will ensure the requirements of this Order are met in a timely manner and the specific steps the Board and/or Bank management will take to address the deficiencies and weaknesses identified in the 2023 ROE with timelines for completion (Compliance Committee Plan) to the Bureau for review, and comment or non­objection in accordance with Paragraph XII. The Compliance Committee Plan must, at a minimum:

1. Corrective Action Description. Describe the specific corrective actions to be taken to meet the requirements of each provision this Order (Corrective Actions);
2. Completion Date. Establish the date by which each Corrective Action will be taken;
3. Responsible Parties. Identify the person(s) responsible for the completion of each Corrective Action; and
4. Monitoring. Establish the means by which the Compliance Committee will monitor the status of each Corrective Action and ensure timely compliance with this Order. C. Compliance Committee Report. The Compliance Committee must submit a written report (Compliance Committee Report) detailing the status of all Corrective Actions

• 17 - required in connection with this Order to the Board for consideration at each regularly scheduled Board meeting occurring after the effective date of this Order. The Compliance Committee Report and any discussion related to it or this Order must be included in the minutes of the corresponding Board meeting. The Compliance Committee Report and Board meeting minutes must be submitted to the Bureau as part of the progress reports required by Paragraph X of this Order. X. PROGRESS REPORTS Within 45 days of the end of each calendar quarter following the effective date of this Order, the Board must furnish to the Deputy Regional Director of the FDIC’s New York Regional Office and to the Bureau written progress reports detailing the form, manner, and results of any actions taken to secure compliance with this Order. All progress reports and other written responses to this Order must be reviewed and approved by the Board and be made a part of the Board minutes. XI. MISCELLANEOUS A. Required Reports. All reports required to be submitted to the Bureau under this Order are special reports being required under Section 403 of the Department of Banking and Securities Code, 71 P.S. § 733-403, and shall be submitted to the Bureau in accordance with Section 403.B of the Department of Banking and Securities Code, 71 P.S. § 733-403.B. B. Other Actions

1. If at any time the Department shall deem it appropriate in fulfilling the responsibilities placed upon the Department under applicable law to undertake any further action affecting the Bank, nothing in this Order shall in any way inhibit, estop, bar or otherwise prevent the Department from doing so.
2. Nothing herein shall preclude any proceedings brought by the Department to

• 18 - enforce the terms of this Order, and that nothing herein constitutes, nor shall the Bank contend that it constitutes, a waiver of any right, power or authority of any other representatives of the United States, departments or agencies thereof, Department of Justice, or any other representatives of the Commonwealth of Pennsylvania or any other departments or agencies thereof, including any prosecutorial agency, to bring other actions deemed appropriate. C. Binding Nature. The provisions of this Order including the recital paragraphs shall be binding upon the Bank and all of their institution-affiliated parties, in their capacities as such, and their successors and assigns. D. Effective Date. The effective date of this Order shall be the date upon which this Order has been executed by the Bureau. Each provision of this Order shall remain effective and enforceable, jointly and severally, until stayed, modified, terminated or suspended by the Bureau. E. Titles. The titles used to identify the paragraphs of this document are for the convenience of reference only and do not control the interpretation of this document. XII. NON-OBJECTION, IMPLEMENTATION, AND ADHERENCE A. Review, Non-objection and Communications: When a provision of this Order requires the Bank to submit a matter to the Bureau for review and non-objection, or engage in any other communications with the Bureau, the Bank will make the submission (which may be by electronic mail) to: Robert C. Lopez, Director Bureau of Bank Supervision Commonwealth of Pennsylvania Department of Banking and Securities 17 North Second Street, Suite 1300 Harrisburg, Pennsylvania 17101 rolopez@pa.gov

• 19 - B. Adoption, Implementation, and Adherence: For submitted matters receiving the written non-objection of the Bureau, the Board will, at its next regularly scheduled meeting, formally adopt the submitted matter as non-objected to by the Bureau. For any matter required by this Order but not requiring the written non-objection of the Bureau must be adopted by the Board within the time frame required for such action in this Order. These actions must be appropriately reflected in the Board minutes. Thereafter, the Board must ensure that the Bank fully implements and adheres to the matter as adopted and enforce full and complete compliance with it. SO ORDERED 4/24/24 ____ Date Robert C. Lopez, Director Bureau of Bank Supervision Commonwealth of Pennsylvania Department of Banking and Securities 17 North Second Street, Suite 1300 Harrisburg, PA 17101 Redacted