UNITED STATES OF AMERICA BEFORE THE BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM WASHINGTON, D.C. Docket Nos. 24-020-WA/RB-HC 24-020-WA/RB-SM WHEREAS, Customers Bancorp, Inc., West Reading, Pennsylvania (“Bancorp”), a bank holding company, owns and controls Customers Bank, Malvern, Pennsylvania (the “Bank,” and collectively with Bancorp, the “Organization”), a state-chartered bank that is a member of the Federal Reserve System; WHEREAS, the Board of Governors of the Federal Reserve System (the “Board of Governors”) is the appropriate federal supervisor of Bancorp and the Bank; WHEREAS, Bancorp has pursued a business strategy that involves offering banking services to digital asset customers (“digital asset strategy”), and also operates an instant payments platform that allows commercial clients to make tokenized payments over a distributed ledger technology system to other commercial clients of the Bank (“dollar token activities”); Written Agreement by and among CUSTOMERS BANCORP, INC. West Reading, Pennsylvania CUSTOMERS BANK Malvern, Pennsylvania and FEDERAL RESERVE BANK OF PHILADELPHIA Philadelphia, Pennsylvania

2 WHEREAS, the most recent examinations and inspection of the Organization conducted by the Federal Reserve Bank of Philadelphia (“Reserve Bank”) identified significant deficiencies related to the Bank’s risk management practices and compliance with the applicable laws, rules, and regulations relating to anti-money laundering (“AML”), including the Bank Secrecy Act (the “BSA”) (31 U.S.C. § 5311 et seq.), including the rules and regulations issued thereunder by the U.S. Department of the Treasury (31 C.F.R. Chapter X), and the AML requirements of Regulation H of the Board of Governors (12 C.F.R. §§ 208.62 and 208.63) (collectively, the “BSA/AML Requirements”); and the regulations issued by the Office of Foreign Assets Control of the United States Department of the Treasury (“OFAC”) (31 C.F.R. Chapter V) (the “OFAC Regulations”); WHEREAS, since that time, the Organization has begun to take measures to address the identified deficiencies in its BSA/AML compliance program; WHEREAS, it is the common goal of Bancorp, the Bank, and the Reserve Bank to improve the overall condition of Bancorp and the Bank, and to have Bancorp serve as a source of strength to the Bank; WHEREAS, Bancorp and the Bank and the Reserve Bank have mutually agreed to enter into this Written Agreement (the “Agreement”); and WHEREAS, the undersigned are authorized to enter into this Agreement on behalf of Bancorp and the Bank, respectively, and consent to compliance with each and every provision of this Agreement by Bancorp and the Bank. NOW, THEREFORE, Bancorp, the Bank, and the Reserve Bank agree as follows: Board Oversight

3 1. Within 60 days of the effective date of this Agreement, the board of directors of Bancorp shall submit a written plan to the Reserve Bank to strengthen board oversight of the management and operations of the Organization’s compliance with the BSA/AML Requirements and OFAC Regulations. The plan shall include the following three items: (a) actions that Bancorp’s board of directors will take to maintain effective control over and supervision of Bancorp’s major operations and activities; (b) measures to ensure that Bancorp’s board of directors monitors the adherence to approved policies and procedures, and applicable laws and regulations, including exceptions to approved policies and procedures, by the Organization’s management; and (c) steps to improve the management information systems reporting quality to Bancorp’s board of directors in their oversight of the Organization and its operations and management. 2. Within 60 days of the effective date of this Agreement, the board of directors of the Bank shall submit a written plan to the Reserve Bank to strengthen board oversight of the management and operations of the Bank’s compliance with the BSA/AML Requirements and OFAC Regulations. The plan shall include the following six items: (a) actions that the Bank’s board of directors will take to improve the Bank’s condition and maintain effective control over, and supervision of, the Bank’s major operations and activities, including its digital asset strategy; (b) measures to ensure that the individuals or groups at the Bank charged with the responsibility of overseeing the Bank’s compliance with the BSA/AML Requirements and the OFAC Regulations possess appropriate subject matter expertise and are actively involved in carrying out such responsibilities;

4 (c) adequate resources for the BSA/AML compliance officer, including sufficient staffing levels, and periodic re-evaluation of resources and staffing needs; (d) measures to ensure that the Bank’s board of directors monitors the adherence to approved policies and procedures, and applicable laws and regulations, including any exceptions to approved policies and procedures, by the Bank’s management; (e) measures to ensure that the Bank’s board of directors maintains oversight of the Bank’s compliance with the BSA/AML Requirements and the OFAC Regulations; and (f) measures to improve the quality, comprehensiveness, and granularity of the information and reports received and reviewed by the Bank’s board of directors in their oversight of the Bank and its operations, including information related to its digital asset strategy as well as proposed activities. Risk Management 3. Within 60 days of the effective date of this Agreement, the Organization shall submit a written plan to acceptable to the Reserve Bank to improve risk management practices with respect to the Organization’s digital asset strategy. The plan shall require the following six items: (a) enhanced written policies, procedures, and risk management standards, including regular training thereon, to identify, assess, manage, and monitor risk exposures, and facilitate compliance with applicable laws and regulations; (b) measures to ensure that the individuals or groups charged with the responsibility for the Organization’s digital asset strategy possess the appropriate subject matter expertise, stature, independence, and authority; have clearly defined roles and responsibilities; and are allocated adequate resources and staffing;

5 (c) steps to enable timely identification, measurement, assessment, and reporting of risk exposures associated with the digital asset strategy, including for existing and proposed partner, products, programs, services, business lines, or customers, and a common risk assessment and rating methodology that is regularly updated to account for changes in relevant risk factors; (d) the establishment of appropriate compensating controls to mitigate risks; (e) the provision of sufficient information, data, and reports to senior management and the boards of directors that enable proper identification and oversight of existing and developing risks; and (f) steps to ensure that the Bank has adequate controls in place to conduct its dollar token activities in a safe and sound manner. BSA/AML Compliance Program 4. Within 60 days of the effective date of this Agreement, the Bank shall submit a written revised BSA/AML compliance program acceptable to the Reserve Bank. The revised program shall include the following four items: (a) a system of internal controls reasonably designed to ensure ongoing compliance with the BSA/AML Requirements including, but not limited to, customer due diligence, beneficial ownership, and suspicious activity monitoring and reporting; (b) a comprehensive risk assessment that appropriately identifies and considers all products and services of the Bank, customer types, geographic locations, and transaction volumes, as appropriate, in determining inherent and residual risks; and (c) management of the BSA/AML compliance program by a qualified BSA/AML compliance officer, who is provided with adequate resources and training and is

6 responsible for implementing and maintaining a BSA/AML compliance program that is commensurate with the Bank’s size and risk profile; and (d) a mechanism to ensure noncompliance with the BSA/AML Requirements are appropriately tracked, escalated, and reviewed by the Bank’s senior management. Customer Due Diligence 5. Within 60 days of the effective date of this Agreement, the Bank shall submit a written revised customer due diligence program acceptable to the Reserve Bank. The revised program shall include the following five items: (a) policies, procedures, and controls to ensure that the Bank collects, analyzes, and retains complete and accurate information for all customers, including, but not limited to: (i) documentation necessary to verify the identity, source of wealth, and business activities of the customer; and (ii) documentation necessary to understand the normal and expected transactions of the customer; (b) a plan, with intermediate timelines and milestones, to remediate deficient due diligence for existing customers; (c) a methodology for assigning risk ratings to customers that considers factors such as type of customer, type of products and services, geographic location, and transaction type and volume; (d) a risk-focused assessment of the Bank’s customer base to: (i) identify customers whose transactions and banking activities are routine and usual;

7 (ii) identify customers who pose a heightened risk of conducting potentially illicit activities at or through the Bank; and (iii) determine the appropriate level of enhanced due diligence when required by law and additional due diligence necessary for those categories of customers that pose a heightened risk of conducting potentially illicit activities at or through the Bank; and (e) procedures to ensure that periodic reviews and evaluations of customer and account information are conducted and documented for all account holders. Suspicious Activity Monitoring and Reporting 6. Within 60 days of the effective date of this Agreement, the Bank shall submit a written revised program acceptable to the Reserve Bank to reasonably ensure the identification and timely, accurate, and complete reporting by the Bank of all known or suspected violations of law or suspicious transactions to law enforcement and supervisory authorities, as required by applicable suspicious activity reporting laws and regulations. The revised program shall include the following four items: (a) well-documented methodology for establishing monitoring rules and processes that take into consideration the Bank’s risk profile, type of customer, type of product or service, geographic location, and banking activities; (b) policies and procedures that provide for: (i) periodic review of the monitoring rules and thresholds; and (ii) identifying subjects of law enforcement requests, monitoring the transaction activity of those subjects when appropriate, identifying unusual or potentially suspicious activity related to those subjects, and filing, as appropriate, suspicious activity reports related to those subjects;

8 (c) enhanced monitoring and investigation criteria and procedures to ensure the timely detection, investigation, and reporting of all known or suspected violations of law and suspicious transactions, including: (i) effective monitoring of customer accounts and transactions; (ii) appropriate allocation of resources to manage alert and case inventory; (iii) adequate escalation of information about potentially suspicious activity through appropriate levels of management; and (iv) maintenance of sufficient documentation with respect to the investigation and analysis of potentially suspicious activity, including the resolution and escalation of concerns; and (d) measures to ensure that alert dispositions are supported with adequate rationale and documentation to evidence the research performed and the due diligence that was relied upon to arrive at the analyst’s conclusion. Transaction Review 7. (a) Within 60 days of the effective date of this Agreement, the Bank shall engage an independent third party acceptable to the Reserve Bank (the “Transaction Review Consultant”) to conduct a review of the Bank’s transaction monitoring activity from March 1, 2023, to August 31, 2023, to determine whether suspicious activity involving high risk customer or transactions at, by, or through the Bank was properly identified and reported in accordance with applicable suspicious activity reporting regulations (the “Transaction Review”) and to prepare a written report detailing the findings (the “Transaction Review Report”). (b) Within 10 days of the Reserve Bank’s approval of the Transaction

9 Monitoring System Consultant, the Bank shall submit an engagement letter to the Reserve Bank for approval. The engagement letter shall detail the methodology for conducting the Transaction Review, including any sampling procedures to be followed; the expertise and resources to be dedicated to the Transaction Review; and the anticipated date of completion of the Transaction Review and the Transaction Review Report. The engagement letter shall include a commitment that the Transaction Review Report will be provided to the Reserve Bank at the same time that it is provided to the Bank’s board of directors, and that all supporting materials associated with the final Transaction Review Report will be made available to the Reserve Bank upon request. (c) Based on the Reserve Bank’s evaluation of the results of the Transaction Review, the Reserve Bank may direct the Bank to conduct a review of the types of transactions described in paragraph 7(a) for additional time periods. (d) Throughout the Transaction Review, the Bank shall ensure that all matters or transactions required to be reported that have not previously been reported are reported in accordance with applicable rules and regulations. Office of Foreign Assets Control Compliance 8. Within 60 days of the effective date of this Agreement, the Bank shall submit a written plan acceptable to the Reserve Bank to enhance the Bank’s compliance with the OFAC Regulations, including, but not limited to, enhanced OFAC screening procedures, an improved methodology for assessing OFAC risks, training related to compliance with the OFAC Regulations appropriate to the employee’s job responsibilities that is provided on an ongoing, periodic basis, and enhanced policies and procedures including OFAC screening procedures. Notification of New Activities 9. Effective immediately, the Organization shall provide the Reserve Bank with

10 written notice thirty days prior to engaging in: (a) any new strategic initiative, product, service, or relationship with third parties related to the digital asset strategy; (b) the formation of any new subsidiary or restructuring of existing subsidiaries of the Organization; or (c) the creation, testing, or launching of a new intra- or inter-bank instant payments platform or network other than the existing Customers Bank Instant Token (“CBIT”) network. 10. Submission of the written notice pursuant to paragraph 9 of this Agreement shall not be construed as a request by the Bank for permission from the Board of Governors to cause or permit a change in the general character of its business or in the scope of the corporate powers it exercised at the time of admission to membership, as required by Regulation H of the Board of Governors (12 CFR § 208.3(d)(2)). Progress Reports 11. Within 45 days after the end of each calendar quarter following the date of this Agreement, the boards of directors of Bancorp and the Bank, as applicable, shall submit to the Reserve Bank written progress reports detailing the form and manner of all actions taken to secure compliance with this Agreement and the results thereof. Approval and Implementation of Plans and Programs 12. (a) Bancorp or the Bank, as applicable, shall submit the written plans and programs that are acceptable to the Reserve bank within the applicable time periods set forth in paragraphs 1, 2, 3, 4, 5, 6, and 8 of this Agreement. Each plan and program shall contain a

11 timeline for full implementation of the plan or program with specific deadlines for the completion of each component of the plan or program. An independent third party acceptable to the Reserve Bank shall be retained in accordance with the Reserve Bank’s requirements by the Bank within the time period set forth in paragraph 7(a) of this Agreement. The engagement letter shall be submitted to the Reserve Bank within the time period set forth in paragraph 7(b) of this Agreement. (b) Within 10 days of approval by the Reserve Bank, Bancorp or the Bank, as applicable, shall adopt the approved plans and programs. Upon adoption Bancorp or the Bank, as applicable, shall promptly implement the approved plans or program and thereafter fully comply with them. (c) During the term of this Agreement, the approved plans, programs, and engagement letter shall not be amended or rescinded without the prior written approval of the Reserve Bank. Communications 13. All communications regarding this Agreement shall be sent to: (a) Mr. James W. Corkery, Jr. Assistant Vice President Federal Reserve bank of Philadelphia Ten Independence Mall Philadelphia, PA 19106 (b) Mr. Jay S. Sidhu Chief Executive Officer, Customers Bancorp, Inc. Executive Chairman, Customers Bank 701 Reading Avenue West Reading, PA 19611 Miscellaneous

12 14. Notwithstanding any provision of this Agreement, the Reserve Bank may in its sole discretion, grant written extensions of time to Bancorp or the Bank to comply with any provision of this Agreement. 15. The provisions of this Agreement shall be binding upon Bancorp, the Bank, and their institution-affiliated parties, as defined in sections 3(u) and 8(b)(3) of the Federal Deposit Insurance Act (the “FDI Act”) (12 U.S.C. §§1813(u) and 1818(b)(3)), in their capacities as such, and their successors and assigns. 16. Each provision of this Agreement shall remain effective and enforceable until stayed, modified, terminated, or suspended in writing by the Reserve Bank. 17. The provisions of this Agreement shall not bar, estop, or otherwise prevent the Board of Governors, the Reserve Bank, or any other federal or state agency from taking any other action affecting Bancorp or the Bank, or any of their current or former institution-affiliated parties and their successors and assigns. 18. Pursuant to section 50 of the FDI Act (12 U.S.C. § 1831aa), this Agreement is enforceable by the Board of Governors under section 8 of the FDI Act (12 U.S.C. § 1818).

13 IN WITNESS WHEREOF, the parties have caused this Agreement to be executed as of the 5th day of August, 2024. CUSTOMERS BANCORP, INC. FEDERAL RESERVE BANK OF PHILADELPHIA By: /s/ Jay S. Sidhu By: /s/ James W. Corkery, Jr. Jay S. Sidhu James W. Corkery, Jr. Chief Executive Officer Assistant Vice President CUSTOMERS BANK By: /s/ Jay S. Sidhu Jay S. Sidhu Executive Chairman