First Bank, Upper Michigan

Privacy Policy

Reaffirmed 4/17/2025

STATEMENT OF NEED AND PURPOSE

The First Bank Board of Directors recognized that in the financial services industry there is a

common interest in protecting consumer data. The privacy of nonpublic personal information is a

significant concern when assessing internal controls, procedures, and security programs of First

Bank. To minimize privacy breaches, we need to ensure that consumers are aware of First

Bank’s privacy policies and practices and the general types of procedures used and that internal

controls and practices are periodically audited. Senior management and the Board of Directors

have adopted a specific privacy notice to communicate the data sharing policies of the bank and

to effectively meet specific regulatory requirements. The notice will assist consumers and

customers with relationships with our bank in understanding the risks of information privacy.

The specific privacy notice statement will also detail our consumers’ information protection

principles. The notice will also provide each consumer with insights on our data sharing

methods, exclusively of what is permitted by law and/or regulation.

The purpose of this policy includes setting the institution’s privacy objectives and guidelines to

ensure that various banking activities are conducted in a controlled and successful manner to

protect consumer data.

GENERAL OBJECTIVES

The general objectives of this policy are to:

• Establish a formal and documented policy of First Bank’s data privacy and protection

standards. The adopted policy will serve as a specific guide for management and staff to use

in the establishment and maintenance of necessary procedures and controls to ensure the

protection of consumer data, and the control over data under the law as required, thereby

increasing the awareness of data privacy as a constant priority for all management and staff.

• Ensure that the privacy notices (initial and annual) are provided to customers about the

institution’s privacy policy and practices.

This policy is not designed to act as a substitute for sound risk analysis or judgment. The primary

objective of the policy is to serve as a reference and guide to bank management and staff involved

in administering First Bank products and services affected by consumer information.

SPECIFIC GOALS

The specific goals of the policy are to:

A. Establish privacy practices and procedures to protect the privacy of consumer

data.

B. Establish internal controls for proper consumer notice of compilation, storage,

retrieval, transmission, and release of consumer or customer information.

C. Ensure compliance with appropriate laws and regulations.

D. Provide alternative or secondary methods to further ensure that controls and

procedures are effective in protecting consumer data and privacy. Furthermore,

when creating new bank services that may be provided in person, by mail,

through voice communications or electronically (or result in electronic

transmissions), First Bank will ensure required procedures, controls, and backup

monitoring techniques are in place before introducing new products or services.

E. Institute consumer awareness of the bank’s commitment to consumer information

privacy principles.

F. Challenge bank management and staff to personally accept responsibility for

customer information privacy and, therefore, take the utmost care in processing,

storing, transmitting, releasing or destroying customer data.

Although the regulatory focus applies only to nonpublic personal information about consumers

who obtain financial products or services for personal, family, or household purposes, our

institution will also embrace these objectives and rules and provide similar support to those

companies or individuals who obtain financial products or services for business purposes.

DEFINITIONS

Definitions used in this policy are consistent with terms and information used in industry

documents and regulatory issuances related to customer data protection/privacy elements in the

financial services industry as well as electronic commerce. It is incumbent on directors and

management to understand these definitions and other related information elements to

successfully manage data protection/privacy in the historical banking channels (e.g., paper

transactions) and in forms of electronic banking related to customer information confidentiality.

SCOPE OF CONSUMER PRIVACY

The range of banking products and services and the types of delivery channels have significantly

expanded consumer options. The emerging electronic banking focus, for example, is a continually

changing environment. Each year, new banking options emerge, which represent a concern in

protecting a consumer’s privacy and protecting confidential personal and account information.

For example, electronic banking or electronic commerce (e-commerce) refers to the processing

and transmission of digitized data, including text, signals, sound, visual images, and unique file

formats.

The issue of privacy and protection of consumer information encompasses individual transactions

as well as the commercial information transactions that support general financial activities such

as financial settlement arrangements, paper or electronic fund movement, data exchanges, and

financial information related to national or global economic elements that affect commerce.

The financial services industry uses a wide range of devices and methods to deliver various

products and services; these may include:

• Interaction with customer representatives in face-to-face data gathering

• Credit bureau data reporting and information exchange

• Teller interaction (e.g., deposit transactions, information verification, new accounts)

• Automated teller machine (ATM)

• Information Transaction Machine (ITM)

• Personal computer (PC)

• Telephone access device (digital key recognition)

• Electronic branches and kiosks

• Automated clearinghouses (ACHs)

• Internet banking, including virtual banking sites

• Mobile devices

• Supporting department activities (e.g., safekeeping, trust activities, sale of retail

nondeposit investment products, insurance sales)

In addition, with the use of emerging technologies, new tools, such as electronic commerce

devices, are available for services such as making payments. However, these tools also create

data protection and privacy issues. The following types of devices are also considered part of the

data focus:

• Point-of-sale cards

• Credit cards

• Debit cards

• Apple Pay

These lists are not to be considered all-inclusive, but rather are intended to serve as a point of

reference to maintain continual awareness regarding data protection and privacy.

STATEMENT OF CONSUMER PRIVACY

To assist each First Bank customer (existing or potential) in understanding general banking and

specific electronic banking online security and privacy issues, a consumer privacy notice will be

created. This statement will reflect the bank’s consumer data protection and privacy principles.

The statement will address these basic concepts, at a minimum:

• Notice detailing for consumers our institution’s information security and privacy

practices before any personal information is shared;

• Security and accuracy of consumer information collected, protecting against

unauthorized access of information, security to prevent unauthorized disclosure of

information, and protection against loss of information;

• Access for customers to information collected and a statement of their ability to

identify and correct errors in a timely, inexpensive manner;

• Enforcement and consumer options to seek records to ensure compliance with

the privacy policy and information practices, and the means of recourse.

The consumer data protection/privacy notice should parallel the internal operational policies,

procedures, and controls of the bank. To the extent that First Bank maintains a website, and

offers e-banking services, the consumer data protection/privacy notice will also be available on

the site, with conspicuous directions on its availability.

Privacy Notice (Initial) Content

The privacy notice provided initially and in subsequent annual issuances, if required, will contain

the following information:

• Insights regarding the information collected;

• Statement that we do not disclose any nonpublic personal information about

consumers or our customers to anyone, except as permitted by law;

• Statement that if a customer decides to close his/her account(s) or become an

inactive customer, the bank will adhere to the privacy policies and practices as

described in this notice;

• Details regarding the bank’s policies and practices with respect to protecting the

confidentiality, security, and integrity of nonpublic personal information.

A coordinated review with management will ensure that specific procedures, practices, controls,

and guidelines are in place to ensure the customer protection/privacy disclosures are followed and

documented.

LIMITATIONS

The bank will not be able to directly, or through any future affiliation, disclose any nonpublic

personal information about a consumer to a nonaffiliated third party unless:

• The bank has provided the consumer with an initial notice;

• The bank has provided to the consumer an opt-out notice;

• The bank has given the consumer a reasonable opportunity, deemed to be 30

days after the notice has been mailed, to opt out of the disclosure before the

bank discloses the information to the nonaffiliated party;

• The consumer does not opt out.

Until such time that First Bank has advised a consumer of changes in its privacy policy or

practices, it may not directly or through any affiliate disclose any nonpublic personal information

about the consumer to a nonaffiliated third party other than as detailed in the initial notice

provided by the institution to the consumer.

CHANGES IN THE TERMS OF THE PRIVACY POLICY AND PRACTICES

When a change occurs in First Bank’s policies and procedures, before the institution, directly or

through any affiliate, may disclose any nonpublic personal information about a consumer to a

nonaffiliated third party other than described in the initial notice, the bank will be required to

provide the consumer:

• A new notice that accurately describes the bank’s revised policies and practices

• A reasonable opportunity to opt out of the disclosure before the institution

discloses the information to the nonaffiliated third party

• The choice to opt out

First Bank will provide the revised notice of its policies and practices and the opt-out notice to the

consumer within a reasonable time, in an acceptable manner.

EXCEPTIONS TO NOTICE AND OPT-OUT REQUIREMENTS FOR PROCESSING

AND SERVICING TRANSACTIONS

Requirements of initial notice, opt-out provisions, and the service providers and/or joint

marketing exceptions do not apply if First Bank discloses nonpublic personal information:

• In the course of business to administer, enforce, or effect a transaction requested

or authorized by the consumer

• To service or process a financial product or service requested or authorized by the

consumer

• To maintain or service the consumer’s account with the institution or with another

entity as part of a private label credit card program or other extension of credit on

behalf of the entity

• In connection with a proposed or actual securitization, secondary market sale

(including sale of servicing rights), or similar transactions related to a transaction

of the consumer

Additional considerations regarding when the requirements of initial notice, opt-out provisions,

and the service providers and joint marketing exceptions do not apply if the bank discloses

nonpublic personal information include:

• Required or is one of the lawful or appropriate methods to enforce the

institution’s rights or the rights of other persons engaged in conducting the

financial transactions or providing the product or service;

• Required or is deemed usual, acceptable, or an appropriate method

to carry out a transaction or product or service business of which the transaction is

a part, and record, service, or maintain the consumer’s account in the ordinary course of

providing the financial service or product;

• To administer or service benefits or claims relating to the transaction or product or

service with which it is related;

• To provide confirmation, statement or record of the transaction, or information

on the status or value of the financial service or product, to the consumer or

consumer’s agent or broker;

• To accrue or recognize incentives or bonuses associated with the transactions

that are provided by the institution or any other party;

• To underwrite insurance at the consumer’s request or for reinsurance purposes,

or for any other insurance-related administration purposes;

• In connection with the settlement of a transaction, including authorization,

billing, transfer of receivable, or the audit of debit, credit, or other payment

information.

Other exceptions to the notice and opt-out requirements, with respect to the initial notice to

consumers, the opt-out disclosure, and details on service providers and joint marketing include:

• With the consent or at the direction of the consumer, provided that the consumer

has not revoked the consent or direction;

• To protect the confidentiality or security of the bank’s records pertaining to the

consumer, service, product or transaction:

a. By protecting against or preventing actual or potential fraud, unauthorized

transactions, claims or other liability

b. For required information risk control or for resolving consumer disputes or

inquiries with respect to persons holding a legal or beneficial interest

relating to the consumer; or to persons acting in a fiduciary or representative

capacity on behalf of the consumer

• To provide information to insurance rate advisory organizations, guaranty funds

or agencies that are rating the bank, persons who are assessing the bank’s

compliance with industry standards, and the bank’s attorneys, accountants, and

auditors;

• To the extent required or permitted per the provisions of the Right to Financial

Privacy Act, to law enforcement agencies;

• To consumer reporting agencies as permitted under the Fair Credit Reporting

Act, or from a consumer report reported by a consumer reporting agency;

• In connection with a proposed or actual sale, merger, transfer, or exchange of all or a

portion of a business or operating unit if the disclosure of nonpublic personal

information concerns solely consumers of such business unit;

• To comply with federal, state or local laws, and other applicable legal

requirements (e.g., investigation, subpoena, or summons by federal, state or

local authorities).

Communicating the Initial Privacy Notice

At the time a consumer obtains a product or service, opens an account, requests a loan, transacts a

banking service, or reestablishes a customer service, the initial consumer privacy notice will be

provided.

Method of Delivery

The establishment of a customer relationship occurs when the bank and consumer enter into a

continuing relationship. Accordingly, many consumers will establish an ongoing customer

relationship with First Bank, and the initial notice also must be provided. The bank, at that time,

will provide the required notice such that the consumer can reasonably be expected to receive

actual notice in writing or, if the consumer agrees, in electronic form. Therefore, First Bank may

reasonably expect a consumer has received actual notice of its privacy policies and procedures if

the detailed notice describing the policies and practices is:

• Handed in printed format to the consumer;

• Mailed to the consumer’s last known address;

• For consumers using electronic services, posted on the electronic site and, as part

of the activity, requires the consumer to acknowledge receipt of the notice;

• In isolated transaction situations, e.g., an ATM transaction, posted and requiring

the consumer to acknowledge receipt before the transaction is allowed.

Oral description of the notice is not deemed adequate. Accordingly, First Bank staff may not

provide the initial notice required per the regulations, including explanation of specific privacy

policy and procedures requirements, by orally explaining the details, either in person or over the

telephone.

Time Requirements

Initial notices, under certain circumstances, may be provided within a reasonable timeframe after

the institution has established a customer relationship if:

• Establishing a customer relationship is not at the customer’s election; or

• Providing the notice no later than when establishing a customer relationship would

substantially delay the customer’s transaction and the customer agrees to receive the

notice at a later time.

The notice also must be delivered within a reasonable time period after First Bank establishes a

customer relationship if:

• The bank purchases a loan (including service rights) or assumes a deposit liability from

another financial institution and the customer of that loan or deposit account

does not have a choice about the institution’s purchase or assumption.

• The bank and consumer orally agree via telephone to enter into a customer

relationship and the consumer agrees to receive the notice thereafter.

Failure to acknowledge receipt of the notice or an unwillingness to provide a choice of data

sharing may result in the bank’s refusal to provide the consumer’s requested banking product or

service.

An initial notice from the institution to the consumer is not required if:

• The institution does not have a customer relationship with the consumer; and

• The institution does not disclose any nonpublic personal information about the

consumer to any nonaffiliated third party, other than as authorized per exceptions

detailed in the privacy regulation.

PROVIDING ANNUAL PRIVACY NOTICE

The Bank must provide a clear and conspicuous notice to customers that accurately reflects the

Bank’s privacy policies and practices not less than annually during the continuation of the

customer relationship.

Exception to Annual Privacy Notice Requirement:

The Bank is not required to deliver an annual privacy notice if:

• The Bank does not provide nonpublic personal information to nonaffiliated

third parties for which a customer can opt-out; and

• The Bank has not changed policies and procedures with regard to disclosing

nonpublic personal information.

LIMITATIONS ON REDISCLOSURE AND/OR REUSE OF INFORMATION

First Bank does not disclose nonpublic personal information about its customers or former

customers to anyone, except as permitted by law.

First Bank, which may receive nonpublic personal information about a consumer from a

nonaffiliated financial institution, may not directly disclose the information to any other person

not affiliated with either the bank or the other financial institution, unless the disclosure would be

permitted by exceptions per the privacy regulation or other law.

First Bank may use nonpublic personal information about a consumer that it receives from a

nonaffiliated institution in accordance with the exceptions, as previously detailed in this policy.

JOINT ACCOUNT HOLDERS

The Privacy of Consumer Financial Information regulation provides for specific handling of

notice distribution as well as opt-out provisions for multiple customers authorized on an account.

Management will review these requirements and, accordingly, ensure internal procedures and

practices as well as systems support provide the appropriate compliance levels with the

regulation.

MANAGEMENT AND STAFF

Management and staff, according to the existing information security policy, have been assigned

password and identified codes that provide for levels of information access. Employees of First

Bank have a need to work with information but are not granted free access to all types of personal

information outside the “need to know to do their job” requirements.

An employee of First Bank who has violated information security or privacy codes will be

referred to the supervisor with a copy of the referral to the human resources department and

information security office. Security breaches are not acceptable. Depending on the severity of

the security breach and the related issues, an employee may receive an initial warning, be placed

on probation, or be terminated immediately. Each situation will be judged on a case-by-case

basis.

CONSUMER REQUESTS TO SEE ACCOUNT INFORMATION

As provided by First Bank’s privacy notice, a customer will have the opportunity to access

collected information and review it for potential errors in a timely, inexpensive manner. Data

accuracy is important not only for each customer, but also in reducing reputation and strategic

risks arising from reporting erroneous data about customers. In addition to the usual regulatory

compliance requirements for error resolution or error correction procedures, each functional area

or banking department also will use First Bank’s customer data accuracy tracking system, already

used by departments covered by Regulation E.

For each customer request to see account information pertaining to potential errors, researching

lost data, and/or opportunities for customers to review data profiles for a specific product or

service, data confidentiality and assurance of customer identity must be achieved. Bank

management and staff must verify the identity of the individual or customer requesting data

information.

CONSUMER COMPLAINTS AND RESOLUTIONS

Using procedures similar to those adopted for Electronic Funds Transfer, Regulation E, any

complaint, exception, or security violation will be developed and followed up, with detailed

documentation retained.

Legal Requirements

The banking environment encompasses a number of existing regulations, laws and regulatory

issuances directly or indirectly addressing data security and privacy. The compliance officer has

oversight responsibility for the compliance structure of the entire bank.

For each new banking activity, transaction or consumer information communication, the initiating

functional area or department will work with data processing staff to take necessary steps to

comply with all federal and state banking laws. Care will be taken to address those situations that

affect consumer data security/privacy considerations. If an activity or change will affect existing

data controls or data privacy protection, including data sharing with nonaffiliated third parties,

specific review and decision will be made regarding advising the bank’s consumer and/or

customer base, changing opt-out notices, or addressing changes in other areas of the bank’s

privacy program and/or practices.

DOCUMENTATION AND RECORDS

Supporting documentation of internal product and service reviews and other institution activities

to address customer privacy will be referenced and maintained. If a complaint has been received

or a request submitted by a customer to review account information for data integrity and/or

privacy, the incident and resolution also will be documented and correlated to the specific

account.

Special focus will be directed to electronic banking, which, in part by its nature, eliminates a great deal

of what historically has been detailed documentation retained in banking records. Accordingly,

management and the data administration and operations management and staff are challenged to

assure that adequate documentation and records are available to ensure that a record of customer

information or transactions is readily available for review and audit. Different methods are

available in structuring and accounting for electronic banking transactions.

Record Retention Information

Retained information that pertains to consumer privacy activities or transmissions must comply

with various regulatory requirements. Accordingly, the bank will retain paper, electronic imaging

and/or electronic transmission support data and other documentation in acceptable filing format

for retrieval per regulatory guidelines and/or requirements.

Information destruction for all data types representing different banking activities will follow

accepted regulatory/industry standards for disposal of banking information. The privacy of

customer and consumer information is of utmost importance to the bank.

VENDORS AND OTHER THIRD PARTIES

Vendors and other independent third parties that provide support or services in conjunction with

First Bank’s banking activities will be required to review and sign a formal data confidentiality

agreement. This agreement will bind these parties to the same standards and level of data

confidentiality and controls as those instituted by First Bank. A copy of the signed confidentiality

agreement will be placed on file. This file will set out the scope of services provided, agreement

of support, levels of data access or transmission and other related support materials. Each vendor

or third party that provides support services will be asked to provide proof of bonding or

insurance.

TRAINING

Management and staff will receive training pertaining to the privacy policy. Annually, this

training will be provided as a refresher to all management and staff. It is critical that all new hires

receive this training before having access to any consumer and customer information. Training

schedules will be established and monitored.

OTHER COMPLIANCE CONSIDERATIONS

First Bank must not, directly or indirectly, disclose, other than to a consumer reporting agency, an

account number or similar form of access number or access code for a credit card account,

deposit account, or transaction account to a nonaffiliated third party that intends to use the

information for telemarketing, direct mail marketing, or other marketing through electronic mail

to the consumer.

No part of the privacy regulations should be construed, however, to modify, limit or supersede the

operation of the Fair Credit Reporting Act.

State laws that are not inconsistent with the provisions of this regulation and that may provide

greater protection to consumers may take precedence.

AUDIT AND INTERNAL COMPLIANCE

First Bank will hire an internal auditor to perform an audit based on risk. As part of this audit

scope, specific procedures will address consumer data protection and privacy.

Audit reports will be issued to the President & CEO of First Bank and the Audit Committee of

First Bank’s Board of Directors.

First Bank’s Compliance Officer will maintain a regulatory compliance system regarding

customer privacy.

Adopted by First Bank: January 1, 2001