2021 Annual Report

plan, or fails in any material respect to implement a compliance plan that has been accepted by its primary federal regulator, the regulator is required to issue an order directing the institution to cure the deficiency. Until the deficiency cited in the regulator’s order is cured, the regulator may restrict the FDIC-insured institution’s rate of growth, require the FDIC-insured institution to increase its capital, restrict the rates that the institution pays on deposits or require the institution to take any action that the regulator deems appropriate under the circumstances. Operating in an unsafe or unsound manner will also constitute grounds for other enforcement action by the federal bank regulatory agencies, including cease and desist orders and civil money penalty assessments. During the past decade, the bank regulatory agencies have increasingly emphasized the importance of sound risk management processes and strong internal controls when evaluating the activities of the FDIC-insured institutions that they supervise. Properly managing risks has been identified as critical to the conduct of safe and sound banking activities and has become even more important as new technologies, product innovation, and the size and speed of financial transactions have changed the nature of banking markets. The agencies have identified a spectrum of risks facing a banking institution including, but not limited to, credit, market, liquidity, operational, legal and reputational risk. The key risk themes identified for 2022 are discussed under “—Risk Factors.” The Bank is expected to have active board and senior management oversight; adequate policies, procedures and limits; adequate risk measurement, monitoring and management information systems; and comprehensive internal controls. Privacy and Cybersecurity . The Bank is subject to many U.S. federal and state laws and regulations governing requirements for maintaining policies and procedures to protect non-public confidential information of their customers. These laws require the Bank to periodically disclose its privacy policies and practices relating to sharing such information and permit consumers to opt out of their ability to share information with unaffiliated third parties under certain circumstances. They also impact the Bank’s ability to share certain information with affiliates and non-affiliates for marketing and/or non-marketing purposes, or to contact customers with marketing offers. In addition, as a part of its operational risk mitigation, the Bank is required to implement a comprehensive information security program that includes administrative, technical, and physical safeguards to ensure the security and confidentiality of customer records and information and to require the same of its service providers. These security and privacy policies and procedures are in effect across all business lines and geographic locations. Branching Authority . Minnesota banks, such as the Bank, have the authority under Minnesota law to establish branches anywhere in the State of Minnesota, subject to receipt of all required regulatory approvals. The Dodd-Frank Act permits well-capitalized and well-managed banks to establish new interstate branches or acquire individual branches of a bank in another state (rather than the acquisition of an out-of-state bank in its entirety) without impediments. Federal law permits state and national banks to merge with banks in other states subject to: (i) regulatory approval; (ii) federal and state deposit concentration limits; and (iii) state law limitations requiring the merging bank to have been in existence for a minimum period of time (not to exceed five years) prior to the merger. Transaction Account Reserves. Federal law requires FDIC-insured institutions to maintain reserves against their transaction accounts (primarily NOW and regular checking accounts) to provide liquidity. The amount of reserves is established by the Federal Reserve based on tranches of zero, three and ten percent of a bank’s transaction account deposits. However, in March 2020, in an unprecedented move, the Federal Reserve announced that the banking system had ample reserves, and, as reserve requirements no longer played a significant role in this regime, it reduced all reserve tranches to zero percent, thereby freeing banks from the legally mandated reserve maintenance requirement. The action permits the Bank to loan or invest funds that were previously unavailable. The Federal Reserve has indicated that it expects to continue to operate in an ample reserves regime for the foreseeable future. Community Reinvestment Act Requirements. The CRA requires the Bank to have a continuing and affirmative obligation in a safe and sound manner to help meet the credit needs of the entire community, including low- and moderate-income neighborhoods. Federal regulators regularly assess the Bank’s record of meeting the credit needs of its communities. Applications for acquisitions would be affected by the evaluation of the Bank’s effectiveness in meeting its CRA requirements. In a joint statement responding to the COVID-19 pandemic, the bank regulatory agencies announced favorable CRA consideration for banks providing retail banking services and lending activities in their

18