Outsourcing

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-1 Outsourcing Contents Chapter Page A General Remarks 2 Introduction 2 Application 3 Definitions 4 B Corporate Governance 5 Board of Directors 5 Senior Management 6 Internal Audit 6 C Restrictions on Outsourcing 7 Operations that May Not Be Outsourced 7 D Contracting with a Service Provider 8 Due-Diligence Check of a Service Provider 8 Outsourcing Contract 9 E Management of Outsourcing Risk 11 Outsourcing Management Plan 11 Business Continuity Plan 12 F Outsourcing of Special Activities 14 Contracting with Service Provider Who Works with Customers 14 Outsourcing of Internal Auditing Activity 14 Outsourcing Associated with Compliance and Prohibition of Money Laundering and Terror Financing 15 G Reporting to the Banking Supervision Department 16 Compulsory Reporting to the Supervisor of Banks 16 H Effective date and Transitional Provisions 17 Effective date and Transitional Provisions 17 Treatment of Existing Directives and Permits 17

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-2 A. General Remarks Introduction

1. In recent years, banking corporations have seen major changes in their activity environment, causing them to reexamine the business model within which they operate. The changes originate, inter alia, in the accelerated pace of technological developments, the adoption of policies meant to enhance competition in banking and payment systems, the lowering of entrance barriers to new and digital players, and the Banking Supervision Department’s demand that banking corporations establish long-term operational efficiency plans.
2. These changes make it all the more necessary for banking corporations to resort to outsourcing in order to cut costs and attain strategic goals in various aspects of their activities, including credit, the capital market, and IT.
3. In addition, the entry of new or independent merchant acquirers (following the separation of two large credit-card companies from the banks) and the possibility of the establishment of a digital bank, make it necessary to allow financial entities that lack a network of branches and a broad operating infrastructure to operate by means of outsourcing.
4. Along with its advantages, outsourcing carries risks that banking corporations must take into account, such as:  difficulty in managing risks and monitoring compliance with legal and regulatory requirements;  difficulty in proving to the Supervisor of Banks that the banking corporation is taking appropriate measures to manage its risks and comply with the various directives to which it is subject;  concern about the eventuation of large-scale risks in the event of overreliance on a service provider to perform critical activities.
5. This Directive specifies the principles that banking corporations and merchant acquirers must uphold when they outsource various activities in order to mitigate their exposure to the potential risks that originate in this form of activity, including: the formulation of an outsourcing policy and an outsourcing-risk management plan, due-diligence checks for service providers, execution of outsourcing contracts, and development a business-continuity plan. The Directive is based on existing regulations that many countries, such as the United States, Canada, Hong Kong, and Australia, have introduced in recent years, and on a document that a Joint Forum headed by the Basel Committee has published.

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-3 6. A major principle set forth in this Directive is that the outsourcing of a given activity shall not derogate from a banking corporation’s responsibility for complying with all laws and directives that apply to it. Application 7. In respect of the application of this Directive: (a) This Directive shall apply to all banking corporations (hereinafter in this Directive—“banking corporation”): (1) banking corporation; (2) auxiliary corporation; (3) a corporation as set forth in Sections 11(a)(3a) and 11(a)(3b); (4) a merchant acquirer as defined in Section 36(i) of the Banking (Licensing) Law. (b) When the service provider is a corporation in the banking group to which the banking corporation belongs, the requirements of this Directive shall accord with a risk assessment performed by the banking corporation. (c) When a service provider is a debit-card company as defined in the Increasing Competition and Reducing Concentration in the Banking Market Law, 5757- 2017, and the contract is executed for the purpose of operating the issue of debit cards that the bank provides its customers, this Directive shall apply mutatis mutandis. (d) Repealed.

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-4 Definitions 8. “Outsourcing” The use by a banking corporation of a third party to perform, on an ongoing basis, material activities included on the list of banking-corporation activities in Section 10 of the Banking (Licensing) Law, 5741-1981, in its name or on its behalf. Notwithstanding the foregoing, the definition of “outsourcing” shall not include contracting for activities such as installation of electrical, water, and communication infrastructure, catering services for staff, physical security services, and employment of staff via personnel companies. A material activity shall be determined by the banking corporation in accordance with the considerations specified in Section 27 of this Directive. “Service provider” An entity with which the banking corporation contracts for the provision of outsourcing services, be it located in Israel or elsewhere. “Secondary service provider” An entity which which a service provider contracts for the provision of outsourcing services. “Banking group” A banking corporation, a banking corporation that controls a banking corporation, and banking corporations controlled by either of these entities.

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-5 B. Corporate Governance Board of Directors 9. The Board of Directors shall determine the risk appetite associated with outsourcing by the banking corporation in consideration of its overall starategy. The Board shall understand the material risks that pertain to said outsourcing and shall be responsible for having in place effective policies and procedures for the management of said risks. 10. The Board of Directors shall have overall responsibility for outsourcing and shall make sure that the outsourcing activity does not derogate from the discharge of the banking corporation’s obligation and responsibility to uphold any provision of law, including directives of the Supervisor of Banks, and specifically: (a) its responsibility to its customers, including transparency and full disclosure, telephone support for questions and inquiries, and handling of complaints; (b) its responsibility to ensure that the ability of the Supervisor of Banks to receive information and exercise h/her powers is not impaired. 11. The Board of Directors shall periodically discuss and approve a comprehensive outsourcing policy for the banking corporation that shall include, inter alia, instructions in the following matters: (a) types of activities that may be outsourced and the timing and circumstances under which said outsourcing may be implemented; (b) the total extent of the activities that the banking corporation is willing to outsource; (c) detection and treatment of main outsourcing risks; (d) due-diligence processes vis-à-vis service providers, as specified in the Directive; (e) main terms to be included in outsourcing contracts, as specified in this Directive, in order to ensure, inter alia, that said contracts do not encourage unnecessary risk-taking in the name of the banking corporation; (f) supervision and control of outsourced activities; (g) development of business-continuity plans. 12. The Board of Directors shall approve material outsourcing contracts and shall discuss them periodically.

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-6 Senior management 13. Senior management is responsible for: (a) formulating an outsourcing policy and an outsourcing-risk management plan and presenting them to the Board of Directors for approval; (b) assimilating said policy and plan and establishing controls that will assure the management of outsourcing in accordance with the policy set forth; (c) periodic reportage to the Board of Directors about the development of exposure to outsourcing risks; (d) immediate reportage to the Board of Directors about the eventuation, or concern about the eventuation, of a material outsourcing risk. 14. The Chief Risk Officer shall act in respect of outsourcing activity as set forth in Proper Conduct of Banking Business Directive 310, “Risk Management,” and as specified in Chapter E of this Directive, “Management of Outsourcing Risk.” Internal audit 15. Internal audit shall include outsourcing activity within the scope of its activity as set forth in Section 29 of Proper Conduct of Banking Business Directive 307, “Internal Audit Function.” 16. The process to be invoked in outsourcing a material activity shall include the involvement of the internal-audit function in due-diligence processes in the earliest stages of the outsourcing assignment, in such a manner and on such a scale as it shall determine.

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-7 C. Restrictions on Outsourcing Operations that May Not Be Outsourced 17. A banking corporation shall not outsource the following operations: (a) duties of the Board of Directors and senior management, particularly in determining strategies and policies, determining risk appetite, and control and supervision of risk-management processes; (b) a decision that requires the banking corporation to use discretion in the following matters: opening or closing a customer account; underwriting a loan, including follow-up and monitoring of the loan after it is created; and receiving a deposit. For the purposes of this Section, “underwriting” includes reviewing the overall financial condition of the loan applicant and deciding whether to create the loan, including the terms for said creation (amount, payback term, requisite collateral, terms and stipulations, interest rates, etc.); (c) Subsection (b) shall not apply to:

1. outsourcing within the banking group to which the banking corporation belongs;
2. underwriting a loan or receiving a deposit in the event that the service provider uses the bank’s model, where it has no discretion in the decision, and including opening an account solely for the purpose of creating the loan or receiving the deposit as aforesaid in this Subsection.

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-8 D. Contracting with a Service Provider Due-Diligence Check of a Service Provider 18. A banking corporation shall perform a due-diligence check as set forth in Sections 20–21 below as part of the procedure for choosing a third party as a service provider. 19. A banking corporation shall establish criteria by which it may evaluate, in its due￾diligence check, the service provider’s ability to carry out the activities that will be outsourced to it effectively, reliably, and on a high standard, as well as the potential risks of contracting with the service provider. 20. Qualitative and quantitative due-diligence checks shall ensure, inter alia, that the service provider has: (a) the requisite skill and resources to perform the outsourced work, including the ability to respond to special requirements such as assuring the requisite geographical deployment of the service provided; (b) the financial ability to meet its obligations, including the financial ability of companies affiliated with it; (c) operating ability, including the existence of adequate information systems, adequate internal auditing, maintenance of information security including protection of records and privacy, staff training, and a business-continuity plan in the event of a failure; (d) insurance coverage commensurate with the activity to be assigned to it. 21. Before a service provider abroad is used, the following additional aspects shall be examined: (a) assessment of political, economic, legal, and regulatory conditions that may limit: (1) the service provider’s ability to perform the outsourced activity efficiently and without impairing the banking corporation’s ability to comply with all legal and regulatory provisions that apply to it; (2) the banking corporation’s ability to apply effective control to the service provider’s work and to carry out audits or receive audit reports about it as are produced by entities that operate under permits/licenses that they receive from recognized supervisory authorities in the relevant country and that perform the auditing work in accordance with accepted standards in the field being audited. (b) the ability to safeguard the powers of the Supervisor of Banks vis-à-vis the banking corporation, including the Supervisor’s ability to receive relevant information about the outsourced activity;

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-9 (c) potential implications of the removal of databases to a country or several countries abroad, including the banking corporation’s ability to comply with laws and directives that apply to it in regard to the removal of databases, particularly the protection of customers’ privacy and the exposure of said databases to various authorities in said country or countries. Outsourcing Contract 22. A banking corporation’s relations with service providers shall be regularized by means of written contracts that shall be in effect for an adequate period of time and shall include clear reference to the material aspects of the outsourcing relationship, including all parties’ rights, responsibilities, and expectations. Said contracts shall not prevent the banking corporation from complying with any legal and regulatory provisions and shall ensure that the ability of the Supervisor of Banks to exercise h/her powers shall not be impaired. When a banking corporation does not include in the contract one or more of the matters set forth in Section 23, it shall ensure that said non-inclusion will not expose it to material risks. Notwithstanding this, the banking corporation must include the matters specified in Sections 23(i) and 23(l) in the contract. 23. A banking corporation shall consider the inclusion of the following in its outsourcing contracts: (a) definition of the activities to be outsourced, areas of responsibility, and adequate levels of performance and service in quantitative and qualitative terms (SLA); (b) the service provider’s responsibility to the banking corporation, including honoring the obligations set forth in the contract even if it uses a secondary service provider; (c) safeguarding the service provider’s operational ability and internal controls, including information security and the way it discharges its obligations in this regard, protection of privacy, and business-continuity plans; (d) assuring the banking corporation’s ability to receive relevant information in the service provider’s possession about the activities that the banking corporation has outsourced as well as its ability to review said informaiton or forward it to the Supervisor of Banks at the Supervisor’s request; (e) safeguarding the banking corporation’s ability to monitor and evaluate the service provider on an ongoing basis so that the banking corporation can take immediate corrective measures if necessary; (f) safeguarding the banking corporation’s ability to engage in auditing activity vis￾à-vis the service provider and/or to receive audit reports about the provider as are produced by an entity such as that specified in Section 21(a)(2);

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-10 (g) When granting the service provider access to proprietary information of the banking corporation or of its customersit shall: (1) define the information and the systems to which the service provider may receive access, including the operations that it is allowed to carry out; (2) enjoin the service provider and others authorized thereby against using or disclosing proprietary information of the banking corporation or of its customers, both during the term of the contract and afterwards, except where this is needed in order to deliver the service to the banking corporation or to comply with legal or regulatory requirements; (3) the manner in which information in the service provider’s possession shall be returned to the banking corporation and/or destroyed at the end of the contracting term or at the banking corporation’s request. (h) the way in which the contract may be discontinued, including the exit period that will make this possible, assuring continuity in the delivery of service, and, conversely, transferring the outsourcing activity to another service provider or returning it to the banking corporation itself within a reasonable period of time. The sections that deal with these matters shall include the following, inter alia: (1) possible terms for the discontinuation of the contract: insolvency of the service provider or other material change in its structure, noncompliance with legal and/or regulatory provisions that apply to the banking corporation due to action taken by the service provider, or a demand by the Supervisor of Banks; (2) clear determination of the ownership of information transferred to the service provider or accumulated during the term of the contract, including a procedure for its reversion to the banking corporation and its treatment in the service provider’s systems, as specified in Section (g) supra; (i) enjoining the service provider against charging a fee or any other payment from the customer for activity that it performs under an outsourcing contract, with the exception of such charging as is allowed by law; (j) establishing alternative plans that address the possibility of deterioration of the level of service and costs that will be incurred for this reason, and the manner in which the parties shall resolve disagreements; (k) indemnifying and compensating the banking corporation for claims caused by the service provider’s negligence; (l) immediate reporting to the banking corporation of any damage to or invasion of data of customers or of the banking corporation, and of any change that has a material effect on the continued delivery of service.

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-11 E. Management of Outsourcing Risk Outsourcing Management Plan 24. A banking corporation shall assess the effect of outsourcing on its overall risk profile and its exposure to the various risks before it executes an outsourcing contract and shall update this assessment periodically. 25. Said assessment shall include, inter alia, reference to the following risks: (a) compliance risk that comes about when the service provider causes the banking corporation to violate legal and regulatory requirements; (b) concentration risk, caused when a small number of service providers delivers a range of products and services to the banking corporation or when several service providers are located in the same geographical area; (c) reputation risk occasioned by faulty performance on the part of the service provider; (d) country risk that arises when the service provider is located abroad and, for this reason, exposes the banking corporation to political, economic, social, legal, and regulatory events in the country in which he is located; (e) operating risk, occasioned by a failure on the part of the service provider, including information-security failure, infringement of customers’ privacy, and the eventuation of cyber risks; (f) legal risk and conduct risk, brought about when a service provider exposes the banking corporation to potential claims, e.g., claims by customers on grounds of unfair treatment. 26. A banking corporation shall prepare and periodically update a comprehensive plan for the management of the risks that originate in outsourcing. Said plan shall include a risk-minimization plan, monitoring and control of each outsourcing contract, including designating someone to be in charge, and guidelines for actions to be taken when certain events come to pass. In formulating said plan the extent and materiality of the outsourced activity and the quality of the service provider’s risk-management shall be borne in mind. 27. The level of materiality of an outsourced activity shall be determined, inter alia, on the basis of the following considerations: (a) the extent to which a failure on the service provider’s part will affect the financial condition, reputation, and operations of the banking corporation; (b) potential damage to customers of the banking corporation in the event of a failure on the service provider’s part;

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-12 (c) the effect of outsourcing on the banking corporation’s ability to comply with legal and regulatory requirements. (d) the costs of the outsourcing; (e) the alignment of the outsourced activities with other activities undertaken within the framework of the banking corporation; (f) the overall matrix of relations between the banking corporation, as well as with the banking group to which it belongs, and a service provider that is not part of the banking group, including its being a “related person” as defined in Proper Conduct of Banking Business Directive 312, “Business of a Banking. Corporation with Related Persons,” or the existence of a potential conflict of interest with the banking corporation; (g) the service provider is abroad or the banking corporation’s databases are sent or are stored abroad; (h) the service provider’s statutory status, including the level of supervision that applies to it; (i) the level of difficulty, including the costs of switching to another service provider, the time required to replace the service provider, the transfer of all activity back to the banking corporation, and the downscaling or even the discontinuation of activity, if necessary; (j) the level of complexity of the contract with service providers, including cases in which several service providers collaborate to provide outsourcing services in respect of a certain activity; (k) the banking corporation’s ability to maintain adequate internal controls and comply with supervisory requirements, particularly when problems with the service provider arise; (l) the overall potential impact on the banking corporation of a situation in which one service provider provides the same banking corporation with several services; (m)the existence of a new product or service in the outsourced activity. 28. The banking corporation shall establish methods for the measurement of the service provider’s performance and shall appoint staff that has enough expertise and status to supervise said level of performance and determine the frequency and scope of the administrative reports that will be used to monitor and evaluate the service provider. Business-Continuity Plan 29. A banking corporation must be prepared for scenarios that may cause it significant harm, as required under Proper Conduct of Banking Business Directive 355 on the topic of business continuity, and, in addition:

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-13 (a) shall put together a business-continuity plan, including recovery from disaster, for each material outsourcing contract, and shall test it, inter alia, by means of periodic trials; (b) shall make sure that said business-continuity plan relates to alternative ways of carrying out the activity as well as their costs, e.g., replacing a service provider, returning all activity to the banking corporation, and downscaling and even discontinuing the activity; (c) shall determine appropriate steps with which to deal with the potential outcomes of disruption of business at the service provider’s fault; (d) shall make sure that the service provider has a business-continuity plan in place and shall coordinate this plan with its own; said plan shall include, inter alia, documentation of those responsible for dealing with and preparing for situations of recovery from disaster, both at the banking corporation and at the service provider, in accordance with the requirements of the Directive; (e) shall make sure that the business-continuity plan responds adequately to a failure of the service provider’s information systems that may impair the banking corporation’s information security.

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-14 F. Outsourcing of Special Activities Contracting with Service Provider Who Works with Customers 30. When it contracts with a service provider who works with customers, a banking corporation shall: (a) establish controls and monitor the service provider’s activity in order to assure fairness, full disclosure, and transparency vis-à-vis customers, particularly in giving details of the banking corporation on whose behalf it operates, the actions that it is allowed to take in the name of or on behalf of the banking corporation, and the terms of the product, if they are communicated to customers by the service provider; (b) ensure that the service provider gives its staff adequate training before the activity begins, including how to approach customers and how to treat customers who are uninterested in receiving the service; (c) ensure that the remuneration mechanisms for the service provider or its staff take of fairness toward customers into account. (d) In addition, when the service provider refers a customer to the banking corporation for the receipt of credit, the following guidelines shall apply: (1) When reviewing the credit application, the banking corporation shall take reasonable measures to determine the suitability of the credit to the customer’s needs, the customer’s financial condition, including h/her total indebtedness and repayment ability. (2) Insofar as it is decided to issue credit pursuant to a referral from a service provider, the banking corporation shall mark the loan or the group of loans and shall subject them to more intensive follow-up including monitoring of irregularities. Outsourcing of Internal Auditing Activity 31. A banking corporation that wishes to outsource internal auditing activity shall act in compliance with the requirements set forth in Proper Conduct of Banking Business Directive 307, “Internal Audit Function,” including the following: (a) The Board of Directors shall weigh the effectiveness of the contracts for the outsourcing of internal auditing activities and its ability to rely on these activities as a third line of defense. (b) The internal auditor shall make sure that the use of service providers to carry out internal auditing activity shall not impair the independence and objectivity of the internal-audit function. For this purpose, the internal auditor must make sure, among other things, that a reasonable amount of time has passed between the time when the service provider advised the banking corporation and the time at

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-15 which it audits the topic on which it advised, irrespective of which of these came first. (c) A banking corporation shall outsource internal auditing services to an external auditor only under the conditions specified in Section 3 of Appendix A of Proper Conduct of Banking Business Directive 302, “External Auditor of a Banking Corporation.” Outsourcing Associated with Compliance and Prohibition of Money Laundering and Terror Financing 32. A banking corporation that outsources the following activities shall act as follows: (a) When outsourcing certain activities of the compliance function, it shall act as set forth in Proper Conduct of Banking Business Directive 308, “Compliance and the Compliance Function at the Banking Corporation.” (b) When outsourcing banking activities, it shall make sure that all guidelines specified in law and in the relevant directives concerning prohibition of money laundering and terror financing are applied.

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-16 G. Reporting to the Banking Supervision Department Compulsory Reporting to the Supervisor of Banks 33. Outsourcing of material activity shall take place in the following way: (a) The banking corporation shall serve the Supervisor of Banks with prior explanation of the rationale of said outsourcing as soon as possible after the decision is made at the senior-management level. (b) The Supervisor may advise the banking corporation, within twenty-one days, of his or her intention of examining the outsourcing activity or not; (c) If the Supervisor decides to examine the activity, the results of the examination, including conditions for the approval of the activity, shall be presented to the banking corporation no later than ninety days after all requisite information for the examination is received from the banking corporation. 34. A banking corporation that has outsourced a material activity shall apprise the Supervisor of Banks of any development that has a material effect on the service provider and on the banking corporation’s ability to honor its obligations to its customers or to the Supervisor.

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-17 H. Effective Date and Transitional Provisions Effective Date and Transitional Provisions 35. The contents of this Directive shall go into effect on September 30, 2020. 36. In respect of contracts executed before this Directive is promulgated—on the date of the next renewal of the contract, and no later than 3.5 years from the effective date (five years in all), the banking corporation shall align the contracts with the Directive to whatever extent necessary. 37. A banking corporation may apply the Directive en bloc before the effective date, and on said date the provisions specified in Section 40 shall be nullified. 38. Notwithstanding the aforesaid in Section 35 supra, a deliberate approach to households for the purpose of referring them to the banking corporation for receipt of credit shall be permitted only after the Credit Data System is activated and the banking corporation’s completion of the implementation of the requirements relating to consumer credit marketing in Proper Conduct of Banking Business Directive no. 311A on “Consumer credit management”. Until said date, households may be approached if one of the following conditions is present: (a) the service-provider receives no remuneration or other benefit, direct or indirect, from the banking corporation; (b) the service provider is a member of the banking group to which the banking corporation belongs; (c) the approach is made as part of an approach by the customer for the purchase of a product or service (e.g., automobile agencies). Notwithstanding the foregoing in this Subsection, a banking corporation that is a credit-card company shall be allowed to approach households, as aforesaid, from the effective date of this Directive as set forth in Section 35 or Section 37. 39. In addition to the contents of Section 33, if a contract is executed for the purpose of referring households to the banking corporation to receive credit, the banking corporation shall also report the existence of a non-material contract, and this, for a period of two years following the promulgation of this Directive. Treatment of Existing Directives and Authorizations 40. On the effective date of this Directive, the following directives and permits shall be nullified: (a) Proper Conduct of Banking Business Directive 359, “Banking Corporations' Ties with Intermediaries.”

Supervisor of Banks: Proper Conduct of Banking Business [4] (09/21) Outsourcing Page 359A-18 (b) Proper Conduct of Banking Business Directive 357, “Information Technology Management,” Sections 17–18 (Chapter F, “Outsourcing”) and Section 30(a)(3). 41. Authorizations issued by the Supervisor or someone acting on h/her behalf under Section 30(a)(3) of Directive 357, and additional authorizations in areas included in the incidence of the Directive, shall remain in effect. However, if said authorization includes terms or stipulations that do not square with the principles of the Directive, the banking corporation shall approach the Supervisor for the purpose of reviewing them, and this, by the effective date of this Directive as stated in Section 35.

---

Updates Circular 06 no. Version Details Date 2571 1 Original circular October 8, 2018 2616 2 Update July 7, 2020 2660 3 Update June 21, 2021 2669 4 Update September 30, 2021