
Cash Management Administrator Self-Assessment

Section 1: Customer Information

Business Name:
Tax ID:
Date:

CM Administrator Name:
CM Administrator Signature:

Section 2: Security

1. What types of ACH related information does your company store? Mark all that apply.
• Authorization forms
• Checks used as part of authorizations (including voided checks)
• E-mails or other electronic correspondence with entry information
• Electronic NACHA formatted files sent to your financial institution for processing
• Other reports containing entry information from accounting software or other programs

2. Where is information related to ACH entries stored? Mark all that apply.
• Home office of employees
• File cabinets
• Removable media sources (e.g. flash drives, CDs, backup tapes/drives)
• Desk drawers
• Binders
• Company website
• Work PC/laptop
• Mobile device
• Outsourced technology service provider

3. Who at your company has access to ACH related information? Mark all that apply.
• All employees, including any temporary workers
• Only those with ACH related job duties
• Managers/principals of the company
• Outside parties (cleaning companies, contractors, etc.)

4. Which of the following controls do you have in place for the physical security of data? Mark all that apply.
• Clean desk policy
• Office security systems or alarms
• Locked storage space (file cabinet, drawer)
• Locked storage for backup drives
• Key inventory to ensure limited staff access

5. Which of the following controls do you have in place for the digital security of data? Mark all that apply.
• Unique User IDs for each employee
• Password controls
  i. Strong password requirements (minimum length, character requirements, etc.)
  ii. Secure storage of passwords, including ensuring they are not posted at the workstation
  iii. Required changes of passwords after ____ days (insert number)
  iv. Lockout of user account after ____ invalid attempts (insert number)
  v. Timeout or automatic locking of workstation after ____ minutes (insert number)
• Restricted access to files on the network by job duties
• Designated PC for any internet banking or funds transfer services, such as ACH
• Updated anti-virus and anti-malware programs
• Automatic software patches or upgrades, including operating system updates
• Restrictions on the types of internet sites that can be used or on usage of company e-mail
• Firewall for office network
• Secure e-mail for communications with customers/employees when sensitive information is being transmitted
• Encrypted or secured customer websites if used for accepting payment requests
• Encryption for laptops or other mobile devices
• “Self-destruct” or “remote clean” ability for lost or stolen mobile devices
• Controls for remote connections to and from the company (e.g. Virtual Private Network [VPN] connection)

BNC National Page 1

6. Are your company’s employees provided training on information security? Yes / No
If yes, are the following topics included? Mark all that apply.
• Password security
• Social engineering (e.g. phishing via e-mail or phone)
• Acceptable use policies for internet and e-mail
• Security of mobile devices/laptops when traveling

7. Do you work with outside service providers to help you with your technology and data security efforts? Yes / No
If yes, are the following topics considered before starting a new relationship with a service provider? Mark all that apply.
• Research of potential new companies (financial history, references, internet search)
• Contract review regarding data security practices and confidentiality
• How a service provider would notify you of a possible breach and action plan
• Other steps taken to review potential service providers:

8. How do you keep track of when documents can or should be destroyed?

9. How do you destroy physical information?

10. How do you destroy digital media sources that contain ACH information? (e.g. hard drives from computers and/or copiers, flash drives, copiers, CDs, backup tapes, etc.)

11. Do you have a plan of how to respond if there is a data breach at your company (physical or digital)? Yes / No
If yes, have you included steps to contact the following parties as needed?
• Financial institution
• Legal counsel
• Law enforcement
• Your customers/employees affected
• Service providers to help clean or repair affected devices

Section 3: ACH Limits

1. Brief description of ACH Origination use. Examples may include direct deposit of payroll, vendor payments, consumer payments, etc.

2. List SEC Codes being used for ACH Origination: PPD (direct deposit/consumer payments), CCD (vendor payments), CTX (vendor payments with invoice detail), WEB (consumer internet payments).

3. List average file amount for each SEC Code.

4. List ACH Origination frequency for each SEC Code (daily, weekly, bi-weekly, monthly, semi-monthly, etc.).

Section 4: NACHA Rules Awareness Information

National Automated Clearing House Association Rules Awareness Information for ACH Originators

Each company (the “Company” or “Originator”) originating Automated Clearing House (ACH) entries must comply with the Operating Rules and Guidelines (the “Rules”) of the National Automated Clearing House Association (NACHA), the rule-making body governing the ACH Network. NACHA updates these Rules on an annual basis. For your convenience, we have included below a brief summary of Originator responsibilities as well as an explanation of the Rules updates for 2018-2019. Please note that capitalized terms not defined in this summary have the meanings ascribed to them in the Rules. This document is not intended to be a replacement or substitution for the Rules. It is recommended that you purchase a copy of the updated Rules annually by visiting www.nacha.org. You may also obtain free limited access to the basic Rules in read-only format by visiting www.achrulesonline.org.

Data Security: All Non-Consumer Originators must establish, implement and update, as appropriate, security policies, procedures, and systems related to the initiation, processing and storage of Entries to (1) protect the confidentiality and integrity of Protected Information; (2) protect against anticipated threats or hazards to the security or integrity of Protected Information; and (3) protect against unauthorized use of Protected Information that could result in substantial harm to a natural person. The Rules define Protected Information as the non-public personal information, including financial information, of a natural person used to create, or contained within, an Entry and any related Addenda Record. All ACH transactions that involve the exchange or transmission of banking information must be either encrypted or transmitted using commercially reasonable technology that provides a level of security of at least 128-bit RC4 encryption. Please note that BNC National Bank’s platform allows for the appropriate level of security; however, if the Originator sends Entries to BNC National Bank outside of this platform, the Originator will be solely responsible for any and all liability resulting from transmission of Entries via an Unsecured Electronic Network. In addition, the Company is responsible for the data security of its own systems. In accordance with best business practices, the Company should implement safeguards to protect the integrity and confidentiality of its systems, including (1) ensuring updates are installed on a regular basis; (2) initiating ACH entries under dual control (e.g. one individual inputs the ACH debit and/or credit while another individual approves the debit and/or credit from another computer); (3) implementing a security policy that prohibits access to social networking sites from the same computer on which the online banking platform is accessed; (4) monitoring and reconciling accounts daily; (5) implementing a procedure for reporting “red-flag” activity (e.g. the online banking platform’s color structure not looking the same as before, or “system down” warnings); (6) educating staff; (7) taking reasonable steps to maintain the confidentiality and security of any passwords, codes, and other authentication devices; and (8) utilizing advanced malware and fraud protection systems.

Company Name Identification: The Originator is required to ensure there is clear identification of the source of an ACH transaction. Specifically, the Rules require the Originator to populate the Company Name Field with the name by which it is known to and readily recognized by the Receiver of the Entry. Because your Company name appears on the Receiver’s account statement, it should be easily recognized by the Receiver, especially in those instances where the party initiating the payment is not the ultimate payee or payor of a transaction (e.g. where a Third-Party is involved in the origination of the payment). Specifically, for any ACH debit transaction in which the Originator is not the payee of the transaction (the party to which the payment is ultimately being directed), the Company Name Field must contain the name by which the payee is known and readily recognized by the Receiver. For any ACH credit transaction in which the Originator is not the payor of the transaction (the party from which payment is ultimately being directed), the Company Name Field must contain the name by which the payor is known and readily recognized by the Receiver. This requirement is consistent with Reg E, which requires an RDFI to provide the name of any third party to or from whom funds were transferred on the consumer’s periodic statement.

Minimum Authorization Requirements/Proper Use of Standard Entry Class Code: The authorization requirements specified within the Rules address the minimum requirements needed for authorization of various types of ACH transactions. We allow our Originators to send PPD (Prearranged Payments and Deposits) for Entries hitting consumer accounts and CCD (Corporate Credits and Debits) for Entries hitting corporate accounts. Any other types of Standard Entry Class Codes would require approval from us prior to use.

Authorization Requirements for Consumer Entries: For consumer entries (those entries where the Receiver’s account is a consumer account and not a business account), Originators must obtain the Receiver’s authorization to initiate Entries through the ACH Network to the Receiver’s account. The authorization must (1) be readily identifiable as an ACH authorization; (2) have clear and readily understandable terms; and (3) provide that the Receiver may revoke the authorization only by notifying the Originator in the manner specified in the authorization.

Originators of entries to consumer accounts must meet the following authorization requirements: (1) account numbers and routing numbers must be accurately stated; (2) the authorization should indicate what type of account is being debited or credited ( account, ); (3) the consumer’s authorization must be obtained for both credit and debit entries (for debit transactions, the authorization must be in writing; for credit entries the authorization may be in writing, or provided orally or by other non-written means); and (4) company identification must be easily understandable. If a consumer Entry is not properly authorized it may be returned as unauthorized. An unauthorized debit Entry is an Entry in which (1) the authorization requirements have not been followed in accordance with the Rules, or the authorization is invalid under applicable legal requirements; (2) a transaction was initiated in an amount different than that authorized by the Receiver; or (3) a transaction was initiated for settlement earlier than authorized by the Receiver. In general, consumer debit entries must be returned by the RDFI in such time and manner that the return is made available to the ODFI no later than the opening of business on the banking day following the sixtieth (60th) calendar day following the Settlement Date of the original Entry. This return deadline also applies to the return of debit entries for which the consumer Receiver had previously revoked his or her authorization.

Authorization Requirements for Corporate Entries: As with consumer entries, a business Receiver must authorize all ACH credits and debits to its account. An Originator must enter into an agreement with each business Receiver of CCD (Corporate Credit and Debit) and CTX (Corporate Trade Exchange) entries pursuant to which the Receiver has agreed to be bound by the Rules. As with consumer accounts, Originators can expect return of entries to business accounts that were not properly authorized or that were improperly originated. In general, an unauthorized debit Entry to a business account must be made available to the ODFI no later than the opening of business on the second (2nd) banking day following the Settlement Date of the original Entry.

Authorization Retention: The signed or similarly authenticated authorization must be retained by the Originator for a period of two (2) years following the termination or revocation of the authorization. In the case of a paper authorization that has been signed by the consumer, the Originator must retain either the original or a copy of the signed authorization. This authorization may be obtained in an electronic format that (1) accurately reflects the information in the record, and (2) is capable of being accurately reproduced for later reference, whether by transmission, printed or otherwise. At the request of the ODFI, the Originator must provide the original, copy or other accurate Record of the Receiver’s authorization to the ODFI in such time and manner as to enable the ODFI to deliver the authorization to a requesting RDFI within ten (10) banking days of the request.

Recurring Debits Change in Amount/Debiting Date: For recurring debits to a consumer account, when the debit amount varies, the Rules require the Originator to notify the Receiver in writing of the amount and the date on or after which the transfer will be debited at least ten (10) calendar days before the scheduled transfer date. If an Originator changes the date on or after which a recurring debit Entry is scheduled to debit the Receiver, the Originator must notify the Receiver in writing of the new date at least seven (7) calendar days before the first Entry to be affected by the change is scheduled to be debited to the Receiver’s account.

Prenotifications: Prenotifications are non-monetary entries generated to validate the account held at the RDFI. Use of the prenotification process by an Originator is optional; however, if an Originator chooses to transmit a prenotification Entry, it may initiate a subsequent live dollar Entry no sooner than the third (3rd) Banking Day after the prenotification Settlement Date.

Notifications of Change: Notifications of Change (NOC) are non-monetary entries sent by an RDFI, through the ODFI, to alert the Originator that a prenotification or live dollar Entry contains incorrect information. The NOC identifies the Entry that has been received by the RDFI, pinpoints the specific information on that Entry that is incorrect and provides the correct information in a precise format so the Originator can make the change. Under the Rules, the Originator must investigate the incorrect data and make corrections within six (6) banking days of receipt of the NOC information or prior to initiating another Entry to the Receiver’s account, whichever is later. Originators should work with their ODFI to agree upon the method by which NOC information will be provided by the ODFI (e.g. via electronic media or paper format) and should ensure that they have a thorough understanding of how to interpret the NOC information provided by their financial institution.

Receiving ACH Returns and Reinitiation of Entries: The Rules state that any Entry, other than an RCK Entry, that was previously returned may be reinitiated if: (a) the Entry was returned for insufficient or uncollected funds; (b) the Entry was returned for stopped payment and reinitiation has been separately authorized by the Receiver after the Originator or ODFI (BNC National Bank) receives the Return Entry; or (c) the Originator or ODFI (BNC National Bank) has taken corrective action to remedy the reason for the return. As a corporate customer, you should resolve any returns received immediately, and no reinitiation of the same Entry should be transmitted unless one of the three conditions above has been met.

Stop Payments Made by Consumer: Originators may receive entries that are returned because the Receiver has placed a stop payment order on the Entry. A stop payment order may be for one, several or all future entries. As the Originator cannot determine the Receiver’s intent based upon the return reason code, the Originator should contact the Receiver for information. A returned Entry may not be reinitiated into the system until the reason for the return is resolved.

Reversing an ACH File: An Originator may reverse a file if the file is a duplicate or an erroneous file in which substantially all of the Entries were incorrect. The Originator must initiate the reversing file so that it can be transmitted to the RDFI within five (5) banking days after the Settlement Date for the entries within the duplicate or erroneous file and within 24 hours of discovery of the error. The word “REVERSAL” must be placed in the Company Batch Header Field and if the file is reversing an erroneous file, the Originator must initiate a correcting file with the reversing file.

Reversing an ACH Entry: An Originator may reverse an erroneous Entry if the Entry (1) is a duplicate of an Entry previously initiated by the Originator or ODFI, (2) orders payment to or from a Receiver different than the Receiver intended to be credited or debited by the Originator, or (3) orders payment in an amount different than was intended by the Originator. The reversing Entry must be transmitted to and made available to the RDFI by midnight of the fifth (5th) banking day following the Settlement Date of the erroneous Entry and within 24 hours of discovery of the error. Only an Originator may reverse an Entry, and the reversal must be for the full amount (no partial reversals are allowed). The Originator must make a reasonable attempt to notify the Receiver of the reversing Entry and the reason for it no later than the Settlement Date of the reversing Entry. The word “REVERSAL” must be placed in the Company Batch Header Field.

International ACH Transactions (IAT): BNC National Bank does not allow the origination of International ACH Transactions (“IAT”). An IAT is an Entry that is part of a payment transaction involving a financial agency’s office that is not located in the territorial jurisdiction of the United States.

Laws and Regulations: Originators are required to comply with all applicable laws and regulations of the United States including, but not limited to, Regulation GG (Unlawful Internet Gambling Enforcement Act), sanction laws administered by the Office of Foreign Assets Control (OFAC), and programs administered by the Financial Crimes Enforcement Network (FinCEN). Failure by an Originator to comply with its legal obligations could result in the imposition of both civil and criminal penalties, as well as monetary fines and penalties. The Company shall be charged for any fines or penalties that may be assessed against BNC National Bank as a result of the Company’s actions or inactions.

Third-Party Senders: A Third-Party Sender is a type of Third-Party Service Provider that acts as an intermediary in transmitting Entries between an Originator (your customer) and an ODFI (BNC National Bank), and acts on behalf of an Originator or another Third-Party Sender. Third-Party Senders are subject to certain additional obligations and liabilities with respect to the transmission of ACH Entries, including conducting an annual audit of the Third-Party Sender’s compliance with the Rules no later than December 31 of each year. Documentation supporting the completion of an audit must be retained for a period of six (6) years from the date of the audit, and provided upon request. It is important that Third-Party Senders understand their rights and responsibilities under the Rules and implement appropriate risk management practices. Please refer to the Rules for complete information regarding the rights and responsibilities of Third-Party Senders.

RECENT UPDATES AND REVISIONS TO THE NACHA RULES

Effective September 23, 2016 - Same Day ACH: Moving Payments Faster (Phase 1)

This Rule enables same-day processing of ACH payments, providing Originators the ability to send a same-day ACH transaction for up to $25,000 to an account at any RDFI. All RDFIs would be required to receive same-day ACH payments, thereby giving Originators the certainty of being able to send same-day ACH payments to accounts at all RDFIs. The Rule includes a “Same Day Fee” on each same-day ACH transaction so that RDFIs would recover, on average, their costs for enabling and supporting same-day ACH. ODFIs would be able to submit files of same-day ACH payments through two new clearing windows provided by the ACH Operators (NOTE: The actual ACH Operator schedules are not determined by the Rules, and the inclusion of ACH Operator schedules and other functions in this Rule should not be interpreted as an endorsement by either ACH Operator.):
• A morning submission deadline at 10:30 AM ET, with settlement occurring at 1:00 PM.
• An afternoon submission deadline at 3:00 PM ET, with settlement occurring at 5:00 PM.
Virtually all types of ACH payments, including both credits and debits, would be eligible for same-day processing. Only IATs and high-value transactions above $25,000.00 would not be eligible. To ease the implementation effort, these new capabilities are being implemented in a three-phased approach beginning in September 2016.

Effective October 03, 2016 - Improving ACH Network Quality – Unauthorized Entry Fee

This Rule change is intended to improve ACH Network quality by reducing the incidence of ACH debits that are returned as unauthorized. Under this Rule, an ODFI would pay a fee to the RDFI for each ACH debit that is returned as unauthorized (return reason codes R05, R07, R10, R29, and R51). Under the Rule, ODFIs will have an economic incentive to improve the quality of the ACH transactions they originate. RDFIs will be compensated for a portion of the costs they bear for handling unauthorized transactions. The Rule will become effective beginning with applicable return entries that have a Settlement Date of October 3, 2016. IMPACT TO CORPORATE USERS: ODFIs will likely pass all or part of these costs on to Originators. Originators should begin to implement systems, tools and processes to reduce unauthorized returns so as to avoid increased fees resulting from these Entries.

Effective July 15, 2017 - Same Day ACH: Moving Payments Faster (Phase 2)

New capabilities of Same Day ACH become effective over phases to allow financial institutions and businesses to acclimate to a faster processing environment, as well as to ease the implementation effort.

Effective September 29, 2017 - Third-Party Sender Registration

DEADLINE for initial registration is March 1, 2018. This rule requires Originating Depository Financial Institutions (ODFIs) to identify and register their Third-Party Sender customers. The registration process promotes consistent customer due diligence among all ODFIs, and serves as a tool to support NACHA’s continuing efforts to maintain ACH Network quality.

Effective March 16, 2018 - Same Day ACH: Moving Payments Faster (Phase 3)

New capabilities of Same Day ACH become effective over phases to allow financial institutions and businesses to acclimate to a faster processing environment, as well as to ease the implementation effort.

Upcoming Change - Expanding Same Day ACH

Three new rules have been approved to expand the capabilities of Same Day ACH for all financial institutions and their customers. The first expands access to Same Day ACH by allowing Same Day ACH transactions to be submitted to the ACH Network for an additional two hours every business day. The second increases the Same Day ACH per-transaction dollar limit to $100,000. The third increases the speed of funds availability for certain Same Day ACH and next-day ACH credits. The three new rules have different effective dates. The faster funds availability rule will become effective on Sept. 20, 2019; the increase in the per-transaction dollar limit will become effective on March 20, 2020; and the new Same Day ACH processing window with expanded hours will go into effect on Sept. 18, 2020.
