Vendor Code of Conduct

Last updated: June 21, 2023

Citizens Business Bank’s Vendor Code of Conduct is a set of standards for business practice and regulatory compliance established to ensure our vendor relationships align with our commitment to integrity, and are in full compliance with the laws and regulations that govern our business activities.

If you are a vendor of Citizens Business Bank and/or CVB Financial Corp., we kindly request that you please read our Vendor Code of Conduct.

At Citizens Business Bank (CBB) we are committed to running our business in a manner that benefits our customers, clients, shareholders, and communities. Doing business predominantly in California and nearly exclusively with US-based vendors, we firmly believe our vendors and representatives and their actions are an extension of our own actions and reputation and we expect each to demonstrate strong values and ethical practices.

As a publicly traded bank, it is important to CBB that our vendors comply with all applicable federal, state and local laws and regulations, contract terms, and this Vendor Code of Conduct. It is the responsibility of each vendor to ensure its employees, subcontractors and representatives maintain a thorough understanding of our expectations as set forth in this document.

Legal and Regulatory Compliance Requirements

CBB is a regulated financial institution and our customers rely on us to safeguard their information. Vendors must understand the requirements and restrictions related to non-public information. The following provisions regarding the use of this sensitive and non-public information will survive the termination of our vendor’s service and our vendors will remain liable for any unauthorized disclosure of such information (including for any unauthorized disclosure caused by a data security breach).

• Confidentiality

Vendors have a duty to protect confidential information and to comply with all laws and regulations governing the protection, use, and disclosure of CBB proprietary, confidential and personal information. Breach of that duty may result in termination of the vendor contract with CBB and other potential indemnification remedies against the vendors. Vendors may only use confidential CBB information to perform work on behalf of CBB and may not disclose this unless it is already in the public domain.

• Privacy

Vendors must be aware of and follow the local laws and regulations regarding the privacy of individuals, employees, and customers, and as set forth in the California Consumer Privacy Act. Personal information should never be disclosed to anyone outside of CBB except as required by legal or regulatory processes and as permitted by the vendor contract.

• Consumer Protections Laws

Vendors must comply with all applicable federal and state consumer protection laws as deemed applicable for the services provided to CBB. Vendors must ensure that they monitor all updates and guidance relating to such consumer protection laws. Vendor’s employees and subcontractors must also be trained annually on all such protection laws in order to ensure vendor compliance with those laws in providing services to CBB.

• Bribery and Anti-Corruption

CBB does not tolerate bribery or corruption in any form. Vendors and those acting on their behalf may not directly or indirectly offer, promise, authorize/recommend or give anything of material value to anyone if it is intended, or could appear as intended to induce or reward improper action or to obtain or retain an improper advantage for CBB, the vendor, or a third party.

Anything of material value may include gifts (including cash and cash equivalents), business hospitality (including travel and related expenses, meals, entertainment), training and conferences, contributions to a charitable or political organization on behalf of another, honoraria and speaker fees, visa letters, offers of employment or other work experience whether paid or unpaid, sponsorships, perks, or discounts.

Vendors are also responsible for knowing and complying with the anti-corruption and bribery laws in the jurisdictions where the vendor operates.

• Conflicts of Interest

Conflicts of interest affect objectivity and impair proper decision-making. The existence of potential conflicts may also undermine credibility and good judgment.

In order to address such questions, Vendors must disclose all actual or potential conflicts of interest due to either personal or business relationships with customers, vendors, business associates, competitors of CBB, or CBB employees or directors. If the vendor discovers a potential conflict of interest, it must be reported to the vendor manager responsible for reporting to CBB.

• Antitrust and Competition Laws

Most jurisdictions have antitrust or competition regulations which prohibit anti-competitive agreements or abuse of a dominant position. This may include activities such as price-fixing, bid rigging, allocation agreements, the unlawful exchange of competitively sensitive information, and certain types of predatory or exclusionary conduct. Vendors are required to be aware of and comply with these antitrust and competition regulations in the regions where vendor conducts business with or on behalf of CBB.

• Workplace Environment

CBB believes that employees are one of the most valuable assets a company can have. A safe and healthy workplace environment that fosters respect and inclusiveness ensures their well-being. In addition, in case of an unprecedented event (natural disaster, pandemic, etc..) CBB understands that many vendor employees and its subcontractors may work remotely. But please be advised that notwithstanding such remote work, CBB expects that vendors (along with its employees and subcontractors) will maintain the same level of confidentiality, privacy, and data security standards as if they were working and physically present in the offices and operating on in-office computer equipment.

• Non-Discrimination, Non-Retaliation, Diversity, and Labor and Human Rights

CBB encourages an inclusive and supportive working environment free from harassment and intimidation, where all employees are valued and empowered to succeed. Vendors must comply with all applicable laws relating to non-discrimination in hiring, employment practices, harassment and retaliation.

CBB actively encourages vendors to embrace diversity in their own business practices by documenting a diversity and inclusion approach that includes ways to identify, measure and improve inclusion and embedding accessibility standards that go beyond minimum compliance.

CBB expects our vendors and their subcontractors to abide by labor laws and regulations where they conduct business including those that address child labor, forced labor, human trafficking, equal pay, and nondiscrimination in their workforce and not to engage in any practice that could reasonably be considered as employing or encouraging child labor, forced labor or human trafficking.

Vendors must employ only those workers in accordance with applicable labor laws who meet applicable minimum age requirements in the jurisdiction. Vendors must also comply with all applicable wage and hour labor laws and regulations governing employee compensation, reimbursements, taxes, and working hours.

• Working Conditions, Health and Safety

Vendors must comply with all applicable safety and health laws and regulations in the jurisdictions where the vendor operates.

Vendors must provide a non-violent, safe work environment, free of threats or intimidation, or physical harm that also supports accident prevention and minimizes exposure to health risks.

Vendor Obligations to CBB

Vendors must follow the obligations and requirements set forth below.

• Communications about or on behalf of CBB

Vendors must not communicate publicly about CBB business unless specifically authorized to do so in writing by CBB and per the vendor contract. Vendors may not make public announcements on the provision of goods or services to CBB, share information regarding CBB assignments, or circulate pictures or descriptions of CBB facilities or external work events, which also includes discussing any of CBB’s products, services, or programs on social media.

Vendors should not post or seek recommendations or referrals by CBB employees, customers, or service providers unless without prior written CBB approval.

• Protecting IP and CBB Assets

Vendors must properly safeguard and protect CBB assets from theft, waste, cyber-related attack, or other types of loss. Technology assets, office equipment and supplies, email systems, information assets such as intellectual property, and CBB brand and customer relationships are the property of CBB and should be used for CBB-related business purposes only.

Vendors must have a robust data security program in place that meets commercially reasonable standards designed to protect CBB data and information (and those of its customers), which includes, among others, ensuring CBB data and information must not be (i) forwarded to an external email address for any non-business purpose, including any vendor personal email accounts, for any reason, (ii) used for any non-business purpose, other than for the designated business purpose set forth in the vendor contract, (iii) sold for any purpose, or (iv) disclosed for any purpose outside of the direct business relationship between vendor and CBB as set forth in the vendor contract.

• Accurate Records/Record Maintenance and Retention Requirements

Vendors are responsible for maintaining accurate and complete books and records and complying with all required controls and procedures for records created as a result of business activities conducted on behalf of CBB. Vendors must be fully aware and apprised of, and comply with, the legal and regulatory retention requirements that relate to the services being provided to CBB.

• Knowing your Workforce Members

Vendors are responsible for the quality, background, and expertise of their employees who are designated or deployed to provide services to or to otherwise assist or support CBB. This includes, among other things, ensuring that (i) recent and timely criminal and (where appropriate) credit background checks have been run on all such employees, (ii) such employees possess and maintain the necessary expertise and diligence in order to properly and efficiently perform the tasks required or requested under such vendor’s respective contract or engagement with CBB, and (iii) such employees receive regular and comprehensive training and reinforcement of requisite skills and all specific requirements imposed by CBB under this Policy and such vendor’s respective contract or engagement with CBB.

No Creation of Third-Party Rights

This Vendor Code of Conduct does not confer, nor shall it be deemed to confer, any rights on the part of third parties, including any third-party beneficiary rights. For example, no employees or subcontractors of any vendor shall have any rights against CBB by virtue of this Vendor Code of Conduct, nor shall such employees or subcontractors have any rights to cause CBB to enforce any provisions of this Vendor Code of Conduct, the decision with respect to any such actions being reserved by CBB in its sole discretion.

Vendor Due Diligence

The vendor shall comply with CBB’s reasonable requests for any due diligence information regarding the vendor and its vendor services to evaluate such vendor services and their risk profile to CBB. The vendor is to provide CBB with any requested information and documentation as requested in order to complete such due diligence review. Such review is conducted on a frequency commensurate to the level of risk associated with the vendor, and CBB shall be authorized to share such information and documentation with any of its regulators, which are responsible for CBB’s oversight.

Questions About The Vendor Code of Conduct

If you have any questions about this Vendor Code of Conduct, including questions regarding a possible violation of this Vendor Code of Conduct, CBB has a variety of resources available to assist you. You are encouraged to work with your primary CBB contact in resolving a business practice or compliance concern. However, CBB recognizes that there may be times when this is not possible or appropriate. In such instances, please contact our Vice President of Vendor Management, at VendorMgmt@cbbank.com, or report any violations to CBB’s Hotline at 877.778.5463 (with an option to remain anonymous).

CBB will not tolerate any retribution or retaliation taken against any individual who has in good faith sought out advice or has reported questionable behavior or a possible violation.

We thank you for your compliance with this important Vendor Code of Conduct and look forward to a mutually beneficial relationship with all of our vendors based on the highest levels of ethical behavior.