Privacy Policy

Appendix V

Consumer Privacy Policy

This Appendix describes Emigrant Bank’s Privacy Policy, which explains how we use and protect customer information. We believe that protecting our customers’ privacy is an integral part of the customer service we provide.

At Emigrant Bank, we recognize that our relationship with our customers is based on trust, and the protection of private financial information merits the highest priority. That’s why we have taken stringent measures and established corporate-wide procedures that ensure the confidentiality of all of our customers’ confidential information, whether we have received it directly from the customer or from a third party.

This policy is provided to our customers annually as long as they maintain an ongoing relationship with us.

Emigrant Bank Family
The Emigrant Family offers both commercial and consumer-related financial services and includes:

  • Emigrant Bank (providing a full range of banking products);
  • Emigrant Mortgage Company, Inc. (offering residential mortgage loans);
  • Emigrant Funding Corporation (offering small balance commercial mortgage loans);
  • Emigrant Agency, Inc., doing business as Emigrant Financial Services (featuring insurance, annuity and mutual fund products);
  • Personal Risk Management Solutions (a division of Emigrant Bank providing insurance advisory services);
  • New York Private Bank and Trust (a division of Emigrant Bank offering private banking and trust services);
  • Sarasota Private Trust Company (a subsidiary of Emigrant Bank offering wealth management and trust services);
  • Cleveland Private Trust Company (a subsidiary of Emigrant Bank offering wealth management and trust services);
  • EmigrantDirect, DollarSavingsDirect and MySavingsDirect (each a division of Emigrant Bank offering certain banking products and services via the Internet);
  • New York Private Finance (an affiliate of Emigrant Bank offering structured loans and financial advisory services to private clients); and
  • Emigrant Venture Partners (a division of Emigrant Bank focused on early stage fintech investment, partnership, and new company incubation).

Our Business Practices
We collect only the information we need in order to serve our customers and conduct our business.

  • We treat all personal and financial information about our customers in a confidential manner. This information may be obtained directly from the customer, may be collected from other sources, or may result from applications customers process with us.
  • We maintain physical, electronic and procedural safeguards to protect customer information. We utilize state-of-the-art technology for this purpose and upgrade, when appropriate, to improve our privacy protection performance.
  • We limit access to our customers’ personal and financial information to those of our employees, agents and service providers that are required to have access to it in order to meet our customers’ financial needs or conduct our business.
  • All of our employees, agents and service providers are responsible for compliance with the policies and procedures we have established to safeguard our customers’ personal and financial information.
  • Our employees are governed by Emigrant’s Code of Conduct, which expressly requires the confidentiality of customer information, and our employees receive training in the importance of adhering to the procedures we’ve established to assure that confidentiality.
  • Our data processing and electronic operations are performed in a secure technical environment that is accessed only by authorized personnel to transact legitimate business operations.
  • We maintain electronic safeguards to protect customer privacy on our websites. This assures that when our customers conduct business with us from their home or office, the privacy of their relationship and the information they furnish us online is protected.
  • We carefully monitor our compliance with applicable laws and regulations and our internal security policies and procedures.
  • We collect and maintain customer information as part of servicing our customers’ accounts and our customers’ relationship with us. In the course of serving our customers, we collect information about the customer from a variety of sources, such as:
    • Information they provide to us on applications or forms, such as their income and accounts with others.
    • Information we receive from an outside company, such as a credit bureau, regarding their credit history or employment status.
    • Information about their transactions or experiences with companies affiliated with Emigrant.

The customer information we collect is used to service our customers’ accounts and meet their financial needs. Information may be shared among the Emigrant Family of companies, as well as with authorized third parties, for a number of purposes, such as:

  • To protect our accounts from unauthorized access or identity theft.
  • To process our customers’ requests, such as loan applications.
  • To service our accounts by issuing checks and account statements.
  • To comply with legal and regulatory obligations.
  • To keep our customers informed about financial services that may be of interest to them.

We may disclose the information we collect, as described above, to nonaffiliated third parties that are acting on our behalf, including companies that provide support services for us, such as data processors, technical systems consultants and programmers, check printers or companies that help us market Emigrant Bank products and services to our customers. We may also share certain information with companies that help us conduct surveys or market research.

We may also disclose the customer information we collect to third parties as permitted or required by law. These third parties could include government entities, courts or other entities in response to subpoenas and other legal process or those with whom our customer has requested us to share information.

We may report information about our customers’ account(s) to credit bureaus and/or consumer reporting agencies. Late payments, missed payments or other defaults on our customers’ accounts may be reflected in their credit reports and/or consumer reports.

We do not share customer information with other non-affiliated companies for the purpose of marketing their products to our customers, unless our customer has provided express and documented consent, or unless the sharing is in connection with maintaining or servicing an account with us, or as part of a private label credit card program or offering life insurance-related products on behalf of such company, or with companies with whom we have joint marketing arrangements or companies that perform advertising services on our behalf. Sharing information with these companies is permitted by law.

Together, the Emigrant Family of companies offers a wide range of banking, loan and other products. By sharing information about our customers’ transactions and accounts among our Emigrant Family members, or our other affiliates, we give our customers an opportunity to enjoy the integrated financial services available. This process improves their access to information about all of the account relationships they maintain, and makes it easier for them to conduct business with us. We may disclose all of the information we collect, as described above, within the Emigrant Family of companies and other affiliated Emigrant Bank companies, including our administrative and service units which, for example, service our customers’ accounts or prepare account statements; and Emigrant Bank companies that provide financial and other services, including, for example, mortgage lenders and investment advisors.

By law, information that helps us identify our customer or that is derived from our customers’ transactions and experiences with us may be shared among the Emigrant Family of companies: (a) for purposes other than direct marketing, and (b) unless the customer instructs us otherwise, for direct marketing purposes. At any time our customer can instruct us not to share other personal information about them with other Emigrant Bank companies by completing and submitting their preference on a form included in our Privacy Policy brochure. Please note that if our customer instructs us not to share such information with other Emigrant Bank companies, our customer may continue to receive marketing information by mail about their existing Emigrant Bank account(s) or receive survey calls. Marketing information may also be included in regular account mailings and statements delivered to our customers, and when they visit us online or at an ATM. We comply with all applicable federal, state and local laws and regulations regarding privacy, including the Gramm-Leach-Bliley Act on the federal level, and the recently effective New York privacy act in New York State. The policies and practices described in this disclosure are subject to change; however, we will communicate any significant changes to our customers as required by applicable law. The policies and practices described in this disclosure replace all previous notices or statements regarding this subject.


Appendix VI

Customer/Sensitive Bank Information Security Policy Statement

The Board of Emigrant Bancorp, Inc. and Emigrant Bank (“Emigrant” or “Bank”) establish this Information Security Policy addressing the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information” pursuant to Section 501(b) of the Gramm-Leach-Bliley Act (“GLBA”), Customer Information not subject to GLBA, and Bank information (collectively “Sensitive Information”), and the requirements of the New York Privacy Act adopted by New York State and taking effect in March of 2020. The critical elements of the Policy are risk assessment, risk management and control, management accountability, board participation, ongoing testing and monitoring, planning for the future, contingency planning, and continuing training and education. In addition, special provisions are required to address the security of Sensitive Information being processed or maintained by service providers.

Risks to the Security of Customer Information
There are three types of qualitative risk associated with the security of Sensitive Information:

  • Unauthorized Disclosure – Unauthorized disclosure occurs when an individual who is not the customer or an employee, has not been authorized by the customer or the Bank, and is not authorized in connection with his/her job duties, has access to any record containing Sensitive Information. Possible access methods could range from technically sophisticated (e.g., “hacking” into a system or intercepting data during transmission) to very “low-tech” (e.g., making a copy of a customer signature card). Motives might range from mere curiosity, to copying the information for sale, to identity theft, to probing the system as a prelude to unauthorized modification.
  • Unauthorized Modification – Unauthorized modification occurs when an individual, as defined above, makes a change to a record containing Sensitive Information. Unauthorized modification frequently occurs in the context of an unauthorized transaction (e.g., balances transferred from a savings to a checking account, with a fraudulent ATM withdrawal and a change made to the customer address record on the system to re-route the periodic statement).
  • Lack of Availability – Lack of availability occurs when records containing Sensitive Information are not present (master data or transaction level data). Lack of availability may be total, as when a data center or a banking office is destroyed in a fire, or partial, as when certain computer files are erased or corrupted, or certain documents are misplaced. Lack of availability may also be temporary or permanent. Although lack of availability is most often thought of in the context of accidental occurrences, it may also be caused maliciously — e.g., purposeful erasure or corruption of files to destroy audit trails. In this case, it effectively becomes a form of unauthorized modification.

The Board of Emigrant Bank recognizes that, while the types of qualitative risk to the security of Sensitive Information do not change, specific threats may change quite rapidly. Specific threats may emerge due to changes in technology, new products or services being offered, changes in the type or mix of business being conducted by Emigrant Bank or a subsidiary, or even changes in the economy or society at large.

The Board of Emigrant Bank therefore directs senior management to identify risks to the security of Sensitive Information by a process of identifying, monitoring, and mitigating, to the extent possible, existing and potential threats to the Bank.

Division and subsidiary heads will develop a risk assessment for their divisions/subsidiaries. These assessments will take due regard of the “Elements of the Information Security Plan” included below, and will be updated at least annually. The results of the risk assessment shall be aggregated and presented to the Risk Committee.

The Board further directs the Internal Audit Department to conduct reviews of all areas that process or maintain Information, to verify adherence to the requirements of this Policy. These assessments are incorporated into each individual audit conducted.

Elements of the Sensitive Information Security Plan

Risk Assessment
Each division/subsidiary head will complete a risk assessment survey for his/her area that identifies internal and external threats to the security of Sensitive Information. This assessment will generally be updated at least annually.

Risk Management and Control
The “Sensitive Information Security Program” is a listing of specific steps for managing and controlling risks identified in the Division/Subsidiary risk assessments. Risk management and control involves the following three related types of controls:

  • Physical Controls – Assure that business is conducted in, and Sensitive Information records maintained and disposed of in, such a way as to protect against unauthorized entry and exit and reasonably foreseeable mishaps, e.g., fire. Examples of spaces which require physical control are banking offices in general, with possibly more stringent controls required for, e.g., the safe deposit area; data centers; and headquarters offices. Physical control is the most basic control, without which no other control can be fully effective.
  • Technical Controls – Refers to the capabilities of a computer system upon which Sensitive Information is processed, stored, or communicated. Basic required capabilities include the ability to identify and authenticate users, and grant or deny access to information based on the identity of the user; and the ability to identify and record unauthorized access attempts. Additional capabilities might include encryption, expanded ability to respond to intrusion attempts, etc.
  • Administrative Controls – Refers to policies and related procedures, which define how specific functions are performed, including the interaction with any relevant computer system and any special physical security requirements. Important administrative controls include those which enforce segregation of duties and those which permit access to Information only on an “as required for job duties” basis.

An effective Sensitive Information security program requires coordinated use of all three types of controls, adapted to the nature and scope of the operations being performed.

Responses to Unauthorized Access
An incident of unauthorized access to Sensitive Information requires:

  • An assessment of the scope of the incident identifying the Sensitive Information system(s) and the types of Sensitive Information accessed or misused.
  • Notification of state and federal regulators, as applicable under governing law.
  • Filing of a Suspicious Activity Report.
  • Actions to contain and control the incident to prevent further unauthorized access or use of Sensitive Information.
  • Notification of customers.

Management Accountability
The head of each division and subsidiary of the Bank is accountable for the security of all Sensitive Information processed or maintained and/or disposed of by the division or subsidiary.

Each manager of each department within the Bank and subsidiaries is accountable for the security of all Sensitive Information processed or maintained by his/her department/subsidiary.

All division/subsidiary heads and department managers are required to participate actively in the process of assessing risk and developing appropriate procedures to comply with this policy.

Executive management may, from time to time, share sensitive information with outside professionals and seek their advice in its efforts to assess potential transactions. In these instances, executive management should exercise the appropriate level of due diligence to ensure that such information is properly protected.

Board Participation
The Board of Emigrant Bank, through its Risk Committee, reviews summaries of the risk assessments and Sensitive Information security through the compilation of the Sensitive Information surveys completed for each division/subsidiary noted within this report.

The Risk Committee receives annual reports from the Chief Risk Officer regarding the overall status of Emigrant Bank’s Sensitive Information security efforts.

Ongoing Testing and Monitoring
The Sensitive Information Security Program must include provision for regular testing of the controls being used.

The Internal Audit Department performs the testing and documents the test plans and test results and the documentation is retained for review by other appropriate parties. The documentation is available through the Internal Audit Department’s electronic work paper platform Pentana, and the work performed is summarized in the final audit reports.

Planning for the Future
Division/subsidiary and department management are expected to be alert to evolving or emerging threats and to make timely and appropriate changes to internal controls to properly safeguard Sensitive Information. Annually, management will review this Policy and update as necessary. Changes will be approved by the Board of Directors.

Contingency Planning
All departments/subsidiaries processing or maintaining Sensitive Information must participate in Emigrant Bank’s Emergency Preparedness Planning (“EPP”) process.

Continuing Training and Education
All personnel must be trained in the need to adhere to control standards. In addition, all personnel must be trained both in the operation of the relevant controls and in the operation of any systems or equipment in use. Supplemental or refresher training must be provided as required to assure continued proficiency.

Service Providers
For purposes of this policy, a “service provider” is an entity, not directly managed by Emigrant Bank, or an Emigrant Bank division or subsidiary, that processes or maintains on behalf of Emigrant Bank or an Emigrant Bank division or subsidiary, non-public personal information or personally identifiable financial information on individual customers of Emigrant Bank or an Emigrant Bank division or subsidiary.

The following standards apply to relationships with service providers:

Contracts

  • All relationships with service providers must be documented by written contract.

Contract Provisions

  • All contracts shall obligate the service provider to implement appropriate measures to ensure the security of Emigrant Bank customer information from receipt through disposal, including notification procedures when unauthorized access to customer information has been detected by the service provider.
  • All contracts shall prohibit the service provider from sharing Emigrant Bank customer information with any other party.
  • All current provider contracts lacking either of the above provisions must be modified upon renewal or extension to include both provisions.

Due Diligence
Prior to entering into a contract with a service provider, management shall determine the adequacy of the provider’s systems for assuring the security of customer information. This determination should normally include a review of the provider’s external or internal audit reports. In the event that such audit reports are not available, management may, in its discretion, consider alternative means of determination.

The Bank implemented a Third Party Vendor Management Policy that establishes and provides direction and guidance for the selection, risk management, monitoring and assessment of third party vendors.

Interpretations and Questions
Anyone having questions about the meaning or applicability of this Policy should direct them to the Bank’s Chief Risk Officer or Chief Compliance Officer.


Appendix IV

Confidentiality Statement

General Policies Concerning Confidentiality
Emigrant Bank’s Code of Conduct sets forth employees' responsibilities for maintaining the confidentiality of information concerning Emigrant Bank, its business, its investments or plans for investments, its customers, clients and suppliers.

All information about any of our clients or customers and all information received from clients or customers should be presumed to be confidential.

Confidentiality in Context of Securities Trading and Investment
In the context of the anti-fraud provisions of the securities laws, the duty not to disclose confidential information has far-reaching implications. For example, one of the primary theories for prosecution under the anti-fraud provisions of the Securities Exchange Act of 1934, as amended, imposes upon sellers or buyers of securities who are in possession of material, non-public information an affirmative duty either to disclose before trading or to abstain from trading. When the buyer or seller is a corporate insider, who has a duty not to disclose, the only option is not to trade.

The law also imposes "tipper" liability upon anyone who discloses, for other than a corporate purpose, confidential information to an outsider who either utilizes that information to effect changes in an investment portfolio or passes the information along to someone else who effects such changes, even though the tipper does not profit.

Dissemination of Confidential Information for Specific Corporate Purposes to Accountants, Lawyers and Similar Outside Consultants

When an employee reveals material, non-public information for a corporate purpose, the information must be specifically designated as confidential. For example, material, non-public information which is given to an investment banker retained to assist in an acquisition is confidential information which may legitimately be given to the investment banker. It is, in other words, for "a corporate purpose." However, to avoid tipper liability, the employee involved must make it clear that the information is confidential. In some instances counsel may recommend the use of a written confidentiality agreement.

Definitions

  • “Confidential or Material, Non-Public Information”: Any information, written or oral, which is not generally available to the public and because of its nature, might affect the value of a corporation’s securities. Information may typically be considered generally available to the public two business days after it is first disclosed to the public.
  • “Insider”: For the purposes of these Guidelines and the provisions of the securities laws upon which they are based (primarily section 10(b) of the Securities Exchange Act of 1934, as amended), any employee, officer or director of Emigrant Bank or any Emigrant Bank subsidiary or affiliate, is a potential insider of Emigrant Bank. Emigrant Bank, its subsidiaries and affiliates, and their respective employees are also potential insiders of the institutions with which they do business due to special access to company information intended to be utilized for a corporate purpose, such as the extension of credit. Spouses, immediate families, family trusts and close associates may also be insiders.
    Examples of an Insider

    • An executive of Company X who received confidential information about Company Y from Company Y's CEO, a long-time friend and business associate, was held to be a "temporary insider" of Company Y.
    • A secretary who prepares documents relating to a pending takeover is an insider of both parties to the takeover.
  • “Securities”: The term includes both equity and debt issues, and both voting and non-voting.
  • “Employee”: An employee, exempt or non-exempt, paid on a salaried, hourly, or commission basis.
  • “Tipper”: One who discloses confidential information, other than for a corporate purpose, to a third party who then either effects beneficial changes in an investment portfolio or passes the information along to someone else who effects such changes.
    Example of a Tipper

    • An Emigrant Bank employee casually mentions to his tennis partner that XYZ, a large bank customer, has made late interest payments for the past two months. The tennis partner sells his stock in XYZ at $40 per share. Two weeks later, XYZ makes its earnings report public which reflects a substantial reduction in earnings. XYZ stock thereafter drops to $20 per share. The employee in this example is the tipper and the tennis partner is the tippee.
  • “Tippee”: One who receives and acts upon confidential information received from a tipper.