COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF BANKING AND SECURITIES : Commonwealth of Pennsylvania, : Docket No.: 240037 (ENF-ORD) Department of Banking and Securities, : Bureau of Bank Supervision : : v. : : Customers Bank : : CONSENT ORDER WHEREAS, Customers Bancorp, Inc., West Reading, Pennsylvania (“Bancorp”), a bank holding company, owns and controls Customers Bank, Malvern, Pennsylvania (the “Bank,” and collectively with Bancorp, the “Organization”), a state-chartered bank that is a member of the Federal Reserve System; WHEREAS, the Bureau of Bank Supervision (the “Bureau”) is primarily responsible within the Department for the regulation and supervision of the Bank; WHEREAS, Bancorp has pursued a business strategy that involves offering banking services to digital asset customers (“digital asset strategy”), and also operates an instant payments platform that allows commercial clients to make tokenized payments over a distributed ledger technology system to other commercial clients of the Bank (“dollar token activities”); WHEREAS, the most recent joint examinations and inspection of the Organization conducted by the Federal Reserve Bank of Philadelphia (“Reserve Bank”) and the Bureau identified significant deficiencies related to the Bank’s risk management practices and compliance with the applicable laws, rules, and regulations relating to anti-money laundering (“AML”), including the Bank Secrecy Act (the “BSA”) (31 U.S.C. § 5311 et seq.), including the rules and regulations issued thereunder by the U.S. Department of the Treasury (31 C.F.R.

- 2 - Chapter X), and the AML requirements of Regulation H of the Board of Governors (12 C.F.R. §§ 208.62 and 208.63) (collectively, the “BSA/AML Requirements”); and the regulations issued by the Office of Foreign Assets Control of the United States Department of the Treasury (“OFAC”) (31 C.F.R. Chapter V) (the “OFAC Regulations”); WHEREAS, these deficiencies gave the Bureau reason to believe that the Bank had engaged in unsafe or unsound banking practices relating to BSA/AML Requirements; WHEREAS, as a result of the joint examinations and inspection, the Bureau is of the opinion that grounds exist for the entry of a Consent Order (the “Order”) against the Bank pursuant to Section 501.A of the Department of Banking Code, 71 P.S. § 733-501.A; WHEREAS, since that time, the Organization has begun to take measures to address the identified deficiencies in its BSA/AML compliance program; WHEREAS, it is the common goal of the Bank and the Bureau to improve the overall condition of the Bank; and WHEREAS, the Bank, by and through its duly elected and acting board of directors, without admitting or denying wrongdoing, agrees to the issuance of this Consent Order (the “Order”) by the Bureau; IT IS HEREBY ORDERED, pursuant to Section 501.A of the Department of Banking and Securities Code, 71 P.S. § 733-501.A, the Bank, its directors, officers, employees, agents, and other “institution-affiliated parties,” as that term is defined in Section 3(u) of the FDIA, 12 U.S.C. § 1813(u), and its successors and assigns, shall take the following affirmative action:

- 3 - I. BOARD OVERSIGHT 1. Within 60 days of the effective date of this Agreement, the board of directors of the Bank shall submit a written plan to the Bureau to strengthen board oversight of the management and operations of the Bank’s compliance with the BSA/AML Requirements and OFAC Regulations. The plan shall include the following six items: (a) actions that the Bank’s board of directors will take to improve the Bank’s condition and maintain effective control over, and supervision of, the Bank’s major operations and activities, including its digital asset strategy; (b) measures to ensure that the individuals or groups at the Bank charged with the responsibility of overseeing the Bank’s compliance with the BSA/AML Requirements and the OFAC Regulations possess appropriate subject matter expertise and are actively involved in carrying out such responsibilities; (c) adequate resources for the BSA/AML compliance officer, including sufficient staffing levels, and periodic re-evaluation of resources and staffing needs; (d) measures to ensure that the Bank’s board of directors monitors the adherence to approved policies and procedures, and applicable laws and regulations, including any exceptions to approved policies and procedures, by the Bank’s management; (e) measures to ensure that the Bank’s board of directors maintains oversight of the Bank’s compliance with the BSA/AML Requirements and the OFAC Regulations; and (f) measures to improve the quality, comprehensiveness, and granularity of the information and reports received and reviewed by the Bank’s board of directors in their oversight of the Bank and its operations, including information related to its digital asset strategy as well as proposed activities.

- 4 - II. RISK MANAGEMENT 2. Within 60 days of the effective date of this Agreement, the Bank shall submit a written plan to acceptable to the Bureau to improve risk management practices with respect to the Bank’s digital asset strategy. The plan shall require the following six items: (a) enhanced written policies, procedures, and risk management standards, including regular training thereon, to identify, assess, manage, and monitor risk exposures, and facilitate compliance with applicable laws and regulations; (b) measures to ensure that the individuals or groups charged with the responsibility for the Bank’s digital asset strategy possess the appropriate subject matter expertise, stature, independence, and authority; have clearly defined roles and responsibilities; and are allocated adequate resources and staffing; (c) steps to enable timely identification, measurement, assessment, and reporting of risk exposures associated with the digital asset strategy, including for existing and proposed partner, products, programs, services, business lines, or customers, and a common risk assessment and rating methodology that is regularly updated to account for changes in relevant risk factors; (d) the establishment of appropriate compensating controls to mitigate risks; (e) the provision of sufficient information, data, and reports to senior management and the board of directors that enable proper identification and oversight of existing and developing risks; and (f) steps to ensure that the Bank has adequate controls in place to conduct its dollar token activities in a safe and sound manner.

- 5 - III. BSA/AML COMPLIANCE PROGRAM 3. Within 60 days of the effective date of this Agreement, the Bank shall submit a written revised BSA/AML compliance program acceptable to the Bureau. The revised program shall include the following four items: (a) a system of internal controls reasonably designed to ensure ongoing compliance with the BSA/AML Requirements including, but not limited to, customer due diligence, beneficial ownership, and suspicious activity monitoring and reporting; (b) a comprehensive risk assessment that appropriately identifies and considers all products and services of the Bank, customer types, geographic locations, and transaction volumes, as appropriate, in determining inherent and residual risks; and (c) management of the BSA/AML compliance program by a qualified BSA/AML compliance officer, who is provided with adequate resources and training and is responsible for implementing and maintaining a BSA/AML compliance program that is commensurate with the Bank’s size and risk profile; and (d) a mechanism to ensure noncompliance with the BSA/AML Requirements are appropriately tracked, escalated, and reviewed by the Bank’s senior management. IV. CUSTOMER DUE DILIGENCE 4. Within 60 days of the effective date of this Agreement, the Bank shall submit a written revised customer due diligence program acceptable to the Bureau. The revised program shall include the following five items: (a) policies, procedures, and controls to ensure that the Bank collects, analyzes, and retains complete and accurate information for all customers, including, but not limited to:

- 6 - (i) documentation necessary to verify the identity, source of wealth, and business activities of the customer; and (ii) documentation necessary to understand the normal and expected transactions of the customer; (b) a plan, with intermediate timelines and milestones, to remediate deficient due diligence for existing customers; (c) a methodology for assigning risk ratings to customers that considers factors such as type of customer, type of products and services, geographic location, and transaction type and volume; (d) a risk-focused assessment of the Bank’s customer base to: (i) identify customers whose transactions and banking activities are routine and usual; (ii) identify customers who pose a heightened risk of conducting potentially illicit activities at or through the Bank; and (iii) determine the appropriate level of enhanced due diligence when required by law and additional due diligence necessary for those categories of customers that pose a heightened risk of conducting potentially illicit activities at or through the Bank; and (e) procedures to ensure that periodic reviews and evaluations of customer and account information are conducted and documented for all account holders. V. SUSPICIOUS ACTIVITY MONITORING AND REPORTING 5. Within 60 days of the effective date of this Agreement, the Bank shall submit a written revised program acceptable to the Bureau to reasonably ensure the identification and timely, accurate, and complete reporting by the Bank of all known or suspected violations of law or suspicious transactions to law enforcement and supervisory authorities, as required by

- 7 - applicable suspicious activity reporting laws and regulations. The revised program shall include the following four items: (a) well-documented methodology for establishing monitoring rules and processes that take into consideration the Bank’s risk profile, type of customer, type of product or service, geographic location, and banking activities; (b) policies and procedures that provide for: (i) periodic review of the monitoring rules and thresholds; and (ii) identifying subjects of law enforcement requests, monitoring the transaction activity of those subjects when appropriate, identifying unusual or potentially suspicious activity related to those subjects, and filing, as appropriate, suspicious activity reports related to those subjects; (c) enhanced monitoring and investigation criteria and procedures to ensure the timely detection, investigation, and reporting of all known or suspected violations of law and suspicious transactions, including: (i) effective monitoring of customer accounts and transactions; (ii) appropriate allocation of resources to manage alert and case inventory; (iii) adequate escalation of information about potentially suspicious activity through appropriate levels of management; and (iv) maintenance of sufficient documentation with respect to the investigation and analysis of potentially suspicious activity, including the resolution and escalation of concerns; and

- 8 - (d) measures to ensure that alert dispositions are supported with adequate rationale and documentation to evidence the research performed and the due diligence that was relied upon to arrive at the analyst’s conclusion. VI. TRANSACTION REVIEW 6. (a) Within 60 days of the effective date of this Agreement, the Bank shall engage an independent third party acceptable to the Bureau (the “Transaction Review Consultant”) to conduct a review of the Bank’s transaction monitoring activity from March 1, 2023, to August 31, 2023, to determine whether suspicious activity involving high risk customer or transactions at, by, or through the Bank was properly identified and reported in accordance with applicable suspicious activity reporting regulations (the “Transaction Review”) and to prepare a written report detailing the findings (the “Transaction Review Report”). (b) Within 10 days of the Bureau’s approval of the Transaction Review Consultant, the Bank shall submit an engagement letter to the Bureau for approval. The engagement letter shall detail the methodology for conducting the Transaction Review, including any sampling procedures to be followed; the expertise and resources to be dedicated to the Transaction Review; and the anticipated date of completion of the Transaction Review and Transaction Review Report. The engagement letter shall include a commitment that the Transaction Review Report will be provided to the Bureau at the same time that it is provided to the Bank’s board of directors, and that all supporting materials associated with the final Transaction Review Report will be made available to the Bureau upon request. (c) Based on the Bureau’s evaluation of the results of the Transaction Review, the Bureau may direct the Bank to conduct a review of the types of transactions described in paragraph 7(a) for additional time periods.

- 9 - (d) Throughout the Transaction Review, the Bank shall ensure that all matters or transactions required to be reported that have not previously been reported are reported in accordance with applicable rules and regulations. VII. OFFICE OF FOREIGN ASSETS CONTROL COMPLIANCE 7. Within 60 days of the effective date of this Agreement, the Bank shall submit a written plan acceptable to the Bureau to enhance the Bank’s compliance with the OFAC Regulations, including, but not limited to, enhanced OFAC screening procedures, an improved methodology for assessing OFAC risks, training related to compliance with the OFAC Regulations appropriate to the employee’s job responsibilities that is provided on an ongoing, periodic basis, and enhanced policies and procedures including OFAC screening procedures. VIII. NOTIFICATION OF NEW ACTIVITIES 8. Effective immediately, the Bank shall provide the Bureau with written notice thirty days prior to engaging in: (a) any new strategic initiative, product, service, or relationship with third parties related to the digital asset strategy; (b) the formation of any new subsidiary or restructuring of existing subsidiaries of the Bank; or (c) the creation, testing, or launching of a new intra- or inter-bank instant payments platform or network, other than the existing Customers Bank Instant Token (“CBIT”) network. IX. PROGRESS REPORTS 9. Within 45 days after the end of each calendar quarter following the date of this Agreement, the board of directors of the Bank shall submit to the Bureau written progress reports

- 10 - detailing the form and manner of all actions taken to secure compliance with this Agreement and the results thereof. X. APPROVAL AND IMPLEMENTATION OF PLANS AND PROGRAMS 10. (a) The Bank shall submit the written plans and programs that are acceptable to the Bureau within the applicable time periods set forth in paragraphs 1, 2, 3, 4, 5, 6, and 7 of this Order. Each plan and program shall contain a timeline for full implementation of the plan or program with specific deadlines for the completion of each component of the plan or program. An independent third party acceptable to the Bureau shall be retained in accordance with the Bureau’s requirements by the Bank within the time period set forth in paragraph 6(a) of this Order. The engagement letter shall be submitted to the Bureau within the time period set forth in paragraph 6(b) of this Order. (b) Within 10 days of approval by the Bureau, the Bank shall adopt the approved plans and programs. Upon adoption the Bank shall promptly implement the approved plans or program and thereafter fully comply with them. (c) During the term of this Agreement, the approved plans and programs shall not be amended or rescinded without the prior written approval of the Bureau. XI. MISCELLANEOUS 11. All reports required to be submitted to the Bureau under this Order are special reports being required under Section 403 of the Department of Banking and Securities Code, 71 P.S. § 733-403, and shall be submitted to the Bureau in accordance with Section 403.B of the Department of Banking and Securities Code, 71 P.S. § 733-403.B. 12. If at any time the Bureau shall deem it appropriate in fulfilling the responsibilities placed upon the Bureau under applicable law to undertake any further action affecting the Bank, nothing in this Order shall in any way inhibit, estop, bar or otherwise prevent the Bureau from

- 11 - doing so. 13. Nothing herein shall preclude any proceedings brought by the Bureau to enforce the terms of this Order, and that nothing herein constitutes, nor shall the Bank contend that it constitutes, a waiver of any right, power or authority of any other representatives of the United States, departments or agencies thereof, Department of Justice, or any other representatives of the Commonwealth of Pennsylvania or any other departments or agencies thereof, including any prosecutorial agency, to bring other actions deemed appropriate. 14. The provisions of this Order including the recital paragraphs shall be binding upon the Bank and all of their institution-affiliated parties, in their capacities as such, and their successors and assigns. 15. The effective date of this Order shall be the date upon which this Order has been executed by the Bureau. Each provision of this Order shall remain effective and enforceable, jointly and severally, until stayed, modified, terminated or suspended by the Bureau. 16. The titles used to identify the paragraphs of this document are for the convenience of reference only and do not control the interpretation of this document. XII. NON-OBJECTION, IMPLEMENTATION, AND ADHERENCE 17. When a provision of this Order requires the Bank to submit a matter to the Bureau for review and non-objection, or engage in any other communications with the Bureau, the Bank will make the submission (which may be by electronic mail) to: Robert C. Lopez, Director Bureau of Bank Supervision Commonwealth of Pennsylvania Department of Banking and Securities 17 North Second Street, Suite 1300 Harrisburg, Pennsylvania, 17101 rolopez@pa.gov

- 12 - 18. For submitted matters receiving the written non-objection of the Bureau, the Board will, at its next regularly scheduled meeting, formally adopt the submitted matter as non-objected to by the Bureau. For any matter required by this Order but not requiring the written non-objection of the Bureau must be adopted by the Board within the time frame required for such action in this Order. These actions must be appropriately reflected in the Board minutes. Thereafter, the Board must ensure that the Bank fully implements and adheres to the matter as adopted and enforce full and complete compliance with it. SO ORDERED 8/5/24 /s/ Robert C. Lopez Date Robert C. Lopez, Director Bureau of Bank Supervision Commonwealth of Pennsylvania Department of Banking and Securities 17 North Second Street, Suite 1300 Harrisburg, PA 17101