American Business Bank recognizes that customer information is confidential and personal. As an organization, the Directors and the management team take specific steps to ensure the privacy of information about customers and their accounts is protected. As an organization in the financial services industry, the Bank recognizes that privacy is critical, and the sensitivity to protecting information is continually growing with the expansion of electronic commerce. As a Bank policy we will protect customer information with a high level of security and appropriate discretion.
American Business Bank will not sell, share, transfer or otherwise disclose nonpublic personal information to or with any nonaffiliated third parties without the explicit prior consent of the consumer to whom the nonpublic personal information relates, except as noted below. In the course of providing services to customers, the bank collects, retains, and utilizes information about its customers where management deems it useful (and permitted by law) to further our business efforts. Information about our customers, beyond what is needed to complete transactions or service an account, assists our staff in developing new or enhancing existing products and services, and thereafter offering them to customers.
The Bank has established security standards and procedures that we feel will guard and protect customer information against unauthorized access. These controls and procedures are periodically reviewed to ensure that these practices protect confidential information. Further, management and staff are able to access personal confidential customer information only if and when they have a business reason to do so.
On certain occasions, customer information may be provided to a non-affiliated third party which has provided an appropriate reason to request such information. The third party receiving such information must adhere to the privacy principles that cover such information regarding confidentiality. Disclosures of personal, confidential information or other personally identifiable data to an independent third party for that entity’s own use are not allowed, except where the exchange occurs with a reputable information reporting agency and the disclosure falls within the exceptions stated by the FDIC at 12 CFR 332.14. Information exchanges with reporting agencies are deemed important to maximize the accuracy and detail of specific databases used in the financial industry. In certain situations, information is provided to others as detailed in the following specific situations:
- The customer requests it;
- Data is provided to help complete a customer-approved transaction;
- Disclosure is required by law or regulation (e.g., court order, investigation, or fraud investigation).
We will follow the personal data protection principles outlined below:
- We will only collect information which is necessary for performing bank business on behalf of our customers.
- When and where practical, we will collect personal information directly from the Bank’s customers.
- We shall only use or disclose information about customers in a manner that is consistent with the customers’ directions and expectations, or is in the public interest (general banking loan and/or account relationship(s) and their performance per pre-agreed terms and/or conditions).
- We will ensure that information about customers is accurate when we collect or use it, to the best of our capabilities.
- We will keep information confidential.
- We will properly dispose of consumer reports and any information that was compiled from these reports by shredding the paper documents.
- We will discipline staff members who violate this policy.
New California regulations require that any breach of our systems that results in confidential customer information being obtained by an unauthorized person must be reported to the public. Additionally, the new California Financial Privacy Act (SB1) has been adopted, which adds to the legal requirements imposed on the bank. The bank may not share a consumer’s nonpublic personal information with an affiliate unless the bank has clearly and conspicuously notified the consumer annually in writing that the personal information may be disclosed, and the consumer has not directed that the personal information not be disclosed (“opted out”). If the consumer provides the bank with an opt-out notice, it prohibits the bank from disclosing the consumer’s personal information to its affiliates. The bank will not share any information during the required 45-day waiting period after sending an opt-out notice. The statutory form opt-out notice is attached as Exhibit A. The Bank’s Gramm-Leach-Bliley notice is included as Exhibit B. The bank will provide consumer accounts with the current Gramm-Leach-Bliley Act notice and the California Financial Privacy “opt out” notice at the time a new account or new loan is opened, and annually in January thereafter. The annual notices will be included within the monthly checking, money market, savings or NOW account statement, or within the loan billing statement. A manual mailing will occur if a monthly billing statement is not generated within the loan system.
The Bank will develop privacy related training to be performed in conjunction with Bank Secrecy Act training. Employee training is a key component of this privacy program. Management will ensure that all employees and officers understand the importance of protecting the confidentiality of customer information, and be familiar with the procedures they are expected to follow when accessing, handling and storing customer’s personal information.
It will be made clear to employees that significant disciplinary actions will be taken against anyone violating the Bank’s privacy procedures. To help staff in this regard, supervisors will be trained to appreciate the importance of limiting access to customer records and the problems that could be caused by failure to maintain that protection.
Employee training will be enhanced by seminars using the Bankers Compliance Group, group meetings, individual instruction and on-the-job training. The following tips for safeguarding customer information have been communicated to the staff via an Operations Bulletin:
- Log off- Employees should not leave sensitive customer information on their desk or on their computer screen unattended. They will log off the core processing system if they need to leave their area, unless their PC reverts to a password-protected screensaver before they leave the area.
- Shred- Foil “dumpster divers” by shredding any documents-such as account statements and applications-before discarding them.
- Securely Store- Keep all documents and reports safe by locking file cabinets.
- Put Away Documents- When employees are finished helping one customer, they should put away any documents containing that customer’s personal information before helping the next customer.
- Authenticate – Staff should never give customer information or their computer passwords or PIN over the phone unless they have initiated the call and have followed the appropriate identification procedures, or they are familiar with an incoming caller known to be the correct party.
- Follow Procedures- Make sure all identification provided is legitimate and meets the Bank’s criteria.
- Scrutinize- Carefully scrutinize all requests for account related information or change of address. Emphasize proper identification.
- Resist Intimidation- Don’t be intimidated by requests for information from someone claiming to be with the government or a law enforcement agency. The Bank is not required to provide such information without a subpoena.
- Report Suspicious Activity- Refer suspicious calls or requests to the Supervisor. Tell the Department Manager about any suspicious change of address or wire transfer requests, such as someone who cannot provide critical identifying information. Chances are good that the same person will try again with another bank employee. This is especially important if an immediate transfer of funds is contemplated.
- Confidentiality- Employees are guardians of sensitive customer information and are the first line of defense against improper disclosure or potential fraud.
The responsibility for training the staff regarding this program will be assigned to the Vice President and Cashier.
The Bank has developed a response program that would take appropriate measures in researching any incidents and notifying customers if required. The following components are included in the response program:
- Assess nature and scope of incident
- Notify primary federal regulator in all cases
- Notify law enforcement and file SAR
- Take actions to contain and control incident
- If required, notify customers
The Bank will comply with requirements to notify customers if an incident involving unauthorized access to sensitive customer information has occurred. Sensitive customer information means a customer’s name, address or telephone number in combination with the customer’s social security number, driver’s license number, account number, or a PIN or password that would permit account access. If the Bank determines that such information has been compromised, the customers involved will be notified. The notification will include the following:
- Description of incident
- Type of information subject to unauthorized access
- Measures taken to protect customers from further unauthorized access
- Telephone number to call for assistance
- Reminder to report any identity theft to the bank
The Bank may include the following in the customer notice:
- Recommendation to review account statements
- Description of fraud alerts and how to place one
- Recommendation to obtain and review credit reports
- How to obtain a free credit report
The notice will be delivered as soon as possible after the Bank concludes that misuse of the information has occurred or is reasonably possible. The notice will be delivered either through the regular mail service or, if applicable, by courier service.