EX-99.1
UNITED STATES OF AMERICA
DEPARTMENT OF THE TREASURY
OFFICE OF THE COMPTROLLER OF THE CURRENCY

In the Matter of:
MUFG Union Bank, National Association
San Francisco, CA

AA-ENF-2021-34

CONSENT ORDER

WHEREAS, the Office of the Comptroller of the Currency (“OCC”) has supervisory authority over MUFG Union Bank, National Association, San Francisco, CA (“Bank”);

WHEREAS, the OCC intends to initiate cease and desist proceedings against the Bank pursuant to 12 U.S.C. § 1818(b), through the issuance of a Notice of Charges, for engaging in unsafe or unsound practices and its noncompliance with 12 CFR Part 30, Appendix B;

WHEREAS, in the interest of cooperation and to avoid additional costs associated with administrative and judicial proceedings with respect to the above matter, the Bank, by and through its duly elected and acting Board of Directors (“Board”), consents to the issuance of this Consent Order (“Order”), by the OCC through the duly authorized representative of the Comptroller of the Currency (“Comptroller”); and

NOW, THEREFORE, pursuant to the authority vested in the OCC by Section 8(b) of the Federal Deposit Insurance Act, as amended, 12 U.S.C. § 1818(b), the OCC hereby orders that:


 
ARTICLE I
JURISDICTION

(1) The Bank is an “insured depository institution” as that term is defined in 12 U.S.C. § 1813(c)(2).

(2) The Bank is a national banking association within the meaning of 12 U.S.C. § 1813(q)(1)(A), and is chartered and examined by the OCC. See 12 U.S.C. § 1 et seq.

(3) The OCC is the “appropriate Federal banking agency” as that term is defined in 12 U.S.C. § 1813(q) and is therefore authorized to initiate and maintain this cease and desist action against the Bank pursuant to 12 U.S.C. § 1818(b).

ARTICLE II
COMPTROLLER’S FINDINGS

The Comptroller finds, and the Bank neither admits nor denies, the following:

(1) The Bank is in noncompliance with the Interagency Guidelines Establishing Information Security Standards contained in Appendix B to 12 CFR Part 30 and engaged in unsafe or unsound practices regarding technology and operational risk management.

(2) The Bank has begun corrective action and has committed resources to remediate the deficiencies.

ARTICLE III
COMPLIANCE COMMITTEE

(1) By October 20, 2021, the Board shall appoint a Compliance Committee of at least three (3) members of which a majority shall be directors who are not employees or officers of the Bank or any of its subsidiaries or affiliates. The Board shall submit in writing to the Examiner-in-Charge the names of the members of the Compliance Committee within ten (10) days of their
appointment. In the event of a change of the membership, the Board shall submit in writing to the Examiner-in-Charge within ten (10) days the name of any new or resigning committee member. The Compliance Committee shall monitor and oversee the Bank’s compliance with the provisions of this Order. The Compliance Committee shall meet at least quarterly and maintain minutes of its meetings.

(2) By January 30, 2022, and thereafter within thirty (30) days after the end of each quarter, the Compliance Committee shall submit to the Board a written progress report setting forth in detail:
(a) a description of the corrective actions needed to achieve compliance with each Article of this Order;
(b) the specific corrective actions undertaken to comply with each Article of this Order; and
(c) the results and status of the corrective actions.

(3) Upon receiving each written progress report, the Board shall forward a copy of the report, with any additional comments by the Board, to the Examiner-in-Charge within ten (10) days of the first Board meeting following the Board’s receipt of such report.

ARTICLE IV
COMPREHENSIVE ACTION PLAN

(1) Within ninety (90) days of the effective date of this Order, the Bank shall develop an acceptable, written action plan detailing the remedial actions necessary to achieve compliance with Articles V through XI of this Order (“Action Plan”), thereby addressing the unsafe or unsound practices and noncompliance with 12 CFR Part 30, Appendix B. The Bank shall submit
the Action Plan to the Examiner-in-Charge for review and prior written determination of no supervisory objection. The Action Plan, at a minimum, shall specify:
(a) A description of the corrective actions needed to achieve compliance with each Article of this Order;
(b) Reasonable and well-supported timelines for completion of the corrective actions required by this Order; and
(c) The person(s) responsible for completion of the corrective actions required by this Order.

(2) The timelines contained in the Action Plan shall be consistent with any deadlines set forth in this Order, including any modifications to the Order made pursuant to Article XV, Paragraph (5).

(3) In the event the Examiner-in-Charge requires changes to the Action Plan, the Bank shall incorporate the required changes into the Action Plan and submit the revised Action Plan to the Examiner-in-Charge for review and prior written determination of no supervisory objection.

(4) Upon receipt of a written determination of no supervisory objection from the Examiner-in-Charge, the Board shall ensure the Bank establishes appropriate success criteria and timely adopts and implements all corrective actions required by this Order, and shall verify the Bank adheres to the Action Plan, including the timelines set forth within the Action Plan.

(5) The Bank shall not take any action that will cause a significant deviation from, or material change to, the Action Plan. Where the Bank considers modifications to the Action Plan appropriate, the Bank shall submit a revised Action Plan containing the proposed modifications to the Examiner-in-Charge for prior written determination of no supervisory objection from the
Examiner-in-Charge. Upon receipt of a written determination of no supervisory objection from the Examiner-in-Charge, the Board shall ensure the Bank has timely adopted and implemented all corrective actions required by this Order, and shall verify the Bank adheres to the revised Action Plan.

(6) By February 14, 2022, and thereafter within forty-five (45) days after the end of each quarter, the Bank shall prepare, and shall submit to the Board, a written Action Plan progress report setting forth in detail:
(a) The specific corrective actions undertaken to comply with each Article of this Order;
(b) The results and status of the corrective actions; and
(c) A description of the outstanding corrective actions needed to achieve compliance with each Article of this Order and the party or parties responsible for the completion of outstanding corrective actions.

(7) The Board shall direct the Bank to forward a copy of the report, with any additional comments by the Board, to the Examiner-in-Charge within ten (10) days of the first Board meeting following the Board’s receipt of such report.

ARTICLE V
BOARD AND MANAGEMENT OVERSIGHT

(1) Within ninety (90) days of the effective date of this Order, the Bank shall submit to the OCC, for review and prior written determination of no supervisory objection by the Examiner-in-Charge, an acceptable, written plan to improve reporting to the Board and senior management on the Bank’s technology and operations risk (“Board and Management Oversight Plan”).


 
(2) Technology and operations risk reporting shall comprehensively and accurately report on the level of risk in the technology and operations environments, including how issue remediation impacts the level of risk.

(3) Within thirty (30) days following receipt of the Examiner-in-Charge’s written determination of no supervisory objection to the Board and Management Oversight Plan or to any subsequent amendment to the Board and Management Oversight Plan, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter adhere to the Board and Management Oversight Plan. The Board shall review the effectiveness of the Board and Management Oversight Plan at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Board and Management Oversight Plan as needed or as directed by the OCC. Any amendment to the Board and Management Oversight Plan must be submitted to the Examiner-in-Charge for review and prior written determination of no supervisory objection.

ARTICLE VI
TECHNOLOGY RISK ASSESSMENT

(1) Within ninety (90) days of the effective date of this Order, the Bank shall develop and submit to the OCC, for review and prior written determination of no supervisory objection by the Examiner-in-Charge, an acceptable, written plan to improve the technology risk assessment process (“Technology Risk Assessment Plan”).

(2) The results of the technology risk assessment process shall serve as the basis for reporting to the Board and senior management on the Bank’s technology risk, as required in Article V.

(3) The Technology Risk Assessment Plan shall include actions to address known
deficiencies in the technology risk assessment.

(4) Within thirty (30) days following receipt of the Examiner-in-Charge’s written determination of no supervisory objection to the Technology Risk Assessment Plan or to any subsequent amendment to the Technology Risk Assessment Plan, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter adhere to the Technology Risk Assessment Plan. The Board shall review the effectiveness of the Technology Risk Assessment Plan at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Technology Risk Assessment Plan as needed or as directed by the OCC. Any amendment to the Technology Risk Assessment Plan must be submitted to the Examiner-in-Charge for review and prior written determination of no supervisory objection.

ARTICLE VII
INFORMATION TECHNOLOGY AND OPERATIONAL RISK GOVERNANCE

(1) Within ninety (90) days of the date of this Order, the Bank shall submit to the Examiner-in-Charge for review and prior written determination of no supervisory objection an acceptable, written plan to timely and effectively implement the Bank’s information technology (“IT”) and operational risk governance frameworks and supporting programs (“IT and Operational Risk Governance Plan”).

(2) The IT and Operational Risk Governance Plan shall include actions to address known deficiencies in IT and operational risk governance.

(3) Within thirty (30) days following receipt of the Examiner-in-Charge’s written determination of no supervisory objection to the IT and Operational Governance Plan or to any subsequent amendment to the IT and Operational Governance Plan, the Board shall adopt and
Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter adhere to the IT and Operational Governance Plan. The Board shall review the effectiveness of the IT and Operational Governance Plan at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the IT and Operational Governance Plan as needed or as directed by the OCC. Any amendment to the IT and Operational Governance Plan must be submitted to the Examiner-in-Charge for review and prior written determination of no supervisory objection.

ARTICLE VIII
OPERATIONS AND INTERNAL CONTROLS

(1) Within ninety (90) days of the date of this Order, the Bank shall submit to the Examiner-in-Charge for review and prior written determination of no supervisory objection an acceptable, written plan to improve policies, procedures, processes, and internal controls within the Bank’s technology and operations environments, commensurate with the level of risk and complexity of the Bank’s activities (“Operations and Internal Controls Plan”).

(2) The Operations and Internal Controls Plan shall include actions to address known deficiencies in operations and internal controls.

(3) Within thirty (30) days following receipt of the Examiner-in-Charge’s written determination of no supervisory objection to the Operations and Internal Controls Plan or to any subsequent amendment to the Operations and Internal Controls Plan, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter adhere to the Operations and Internal Controls Plan. The Board shall review the effectiveness of the Operations and Internal Controls Plan at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Operations and
Internal Controls Plan as needed or as directed by the OCC. Any amendment to the Operations and Internal Controls Plan must be submitted to the Examiner-in-Charge for review and prior written determination of no supervisory objection.

ARTICLE IX
INFORMATION SECURITY PROGRAM

(1) Within ninety (90) days of the date of this Order the Bank shall submit to the Examiner-in-Charge for review and prior written determination of no supervisory objection an acceptable, updated written Information Security Program and a plan to effectively implement it at the Bank (“Information Security Program Implementation Plan”).

(2) The Information Security Program shall comply with 12 C.F.R. Part 30, Appendix B and safe and sound principles.

(3) The Information Security Program Implementation Plan shall include actions to address known deficiencies in the Information Security Program.

(4) Within thirty (30) days following receipt of the Examiner-in-Charge’s written determination of no supervisory objection to the Information Security Program and Information Security Program Implementation Plan or to any subsequent amendment to the Information Security Program or Information Security Program Implementation Plan, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter adhere to the Information Security Program and/or Information Security Program Implementation Plan.

(5) The Board shall review the effectiveness of the Information Security Program and Information Security Program Implementation Plan at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Information Security Program or
Information Security Program Implementation Plan as needed or as directed by the OCC. Any amendment to the Information Security Program or Information Security Program Implementation Plan must be submitted to the Examiner-in-Charge for review and prior written determination of no supervisory objection.

ARTICLE X
STAFFING

(1) Within ninety (90) days of the date of this Order, the Bank shall submit to the Examiner-in-Charge for review and prior written determination of no supervisory objection an acceptable, written plan to hire and retain sufficient staff to support the Bank’s remediation of information technology and operational risk issues and business-as-usual activities (“Staffing Plan”).

(2) The Staffing Plan shall include actions to address known staffing concerns.

(3) Within thirty (30) days following receipt of the Examiner-in-Charge’s written determination of no supervisory objection to the Staffing Plan or to any subsequent amendment to the Staffing Plan, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter adhere to the Staffing Plan. The Board shall review the effectiveness of the Staffing Plan at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Staffing Plan as needed or as directed by the OCC. Any amendment to the Staffing Plan must be submitted to the Examiner-in-Charge for review and prior written determination of no supervisory objection.


 
ARTICLE XI
DATA MANAGEMENT AND REPORTING

(1) Within ninety (90) days of the date of this Order, the Bank shall submit to the Examiner-in-Charge for review and prior written determination of no supervisory objection an acceptable, written plan to improve data management and reporting practices to ensure accurate risk, regulatory and other reporting (“Data Management and Reporting Plan”).

(2) The Data Management and Reporting Plan shall include actions to address known deficiencies in data management and reporting.

(3) Within thirty (30) days following receipt of the Examiner-in-Charge’s written determination of no supervisory objection to the Data Management and Reporting Plan or to any subsequent amendment to the Data Management and Reporting Plan, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter adhere to the Data Management and Reporting Plan. The Board shall review the effectiveness of the Data Management and Reporting Plan at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Data Management and Reporting Plan as needed or as directed by the OCC. Any amendment to the Data Management and Reporting Plan must be submitted to the Examiner-in-Charge for review and prior written determination of no supervisory objection.

ARTICLE XII
GENERAL BOARD RESPONSIBILITIES

(1) The Board shall ensure that the Bank has timely adopted and implemented all corrective actions required by this Order, and shall verify that the Bank adheres to the corrective actions and they are effective in addressing the Bank’s deficiencies that resulted in this Order.


 
(2) In each instance in which this Order imposes responsibilities upon the Board, it is intended to mean that the Board shall:
(a) authorize, direct, and adopt corrective actions on behalf of the Bank as may be necessary to perform the obligations and undertakings imposed on the Board by this Order;
(b) ensure the Bank has sufficient processes, management, personnel, control systems, and corporate and risk governance to implement and adhere to all provisions of this Order;
(c) require that Bank management and personnel have sufficient training and authority to execute their duties and responsibilities pertaining to or resulting from this Order;
(d) hold Bank management and personnel accountable for executing their duties and responsibilities pertaining to or resulting from this Order;
(e) require appropriate, adequate, and timely reporting to the Board by Bank management of corrective actions directed by the Board to be taken under the terms of this Order; and
(f) address any noncompliance with corrective actions in a timely and appropriate manner.

ARTICLE XIII
WAIVERS

(1) The Bank, by executing and consenting to this Order, waives:
(a) any and all rights to the issuance of a Notice of Charges pursuant to 12 U.S.C. § 1818;


 
(b) any and all procedural rights available in connection with the issuance of this Order;
(c) any and all rights to a hearing and a final agency decision pursuant to 12 U.S.C. § 1818 and 12 C.F.R. Part 19;
(d) any and all rights to seek any type of administrative or judicial review of this Order;
(e) any and all claims for fees, costs, or expenses against the OCC, or any of its officers, employees, or agents related in any way to this enforcement matter or this Order, whether arising under common law or under the terms of any statute, including, but not limited to, the Equal Access to Justice Act, 5 U.S.C. § 504 and 28 U.S.C. § 2412;
(f) any and all rights to assert these proceedings, the consent to and/or the issuance of this Order, as the basis for a claim of double jeopardy in any pending or future proceedings brought by the United States Department of Justice or any other governmental entity; and
(g) any and all rights to challenge or contest the validity of this Order.

ARTICLE XIV
OTHER PROVISIONS

(1) As a result of this Order, the Bank is not:
(a) precluded from being treated as an “eligible bank” for the purposes of 12 C.F.R. Part 5, unless the Bank fails to meet any of the requirements contained in subparagraphs (1) – (4) of 12 C.F.R. § 5.3, Definitions, Eligible bank or eligible savings association, or is otherwise informed in
writing by the OCC;
(b) subject to the restrictions in 12 C.F.R. § 5.51 requiring prior notice to the OCC of changes in directors and senior executive officers or the limitations on golden parachute payments set forth in 12 C.F.R. Part 359, unless the Bank is otherwise subject to such requirements pursuant to 12 C.F.R. § 5.51(c)(7)(i), (iii); and
(c) precluded from being treated as an “eligible bank” for the purposes of 12 C.F.R. Part 24, unless the Bank fails to meet any of the requirements contained in 12 C.F.R. § 24.2(e)(1)-(3) or is otherwise informed in writing by the OCC.

(2) This Order supersedes all prior OCC communications issued pursuant to 12 C.F.R. §§ 5.3, 5.51(c)(7)(ii), and 24.2(e)(4).

ARTICLE XV
CLOSING

(1) This Order is a settlement of the cease and desist proceedings against the Bank contemplated by the OCC, based on the unsafe or unsound practices and violations of law/regulation described in the Comptroller’s Findings set forth in Article II of this Order. The OCC releases and discharges the Bank from all potential liability for a cease and desist order that has been or might have been asserted by the OCC based on the practices and/or violations described in Article II of this Order, to the extent known to the OCC as of the effective date of this Order. Nothing in this Order, however, shall prevent the OCC from:


 
(a) instituting enforcement actions other than a cease and desist order against the Bank based on the Comptroller’s Findings set forth in Article II of this Order;
(b) instituting enforcement actions against the Bank based on any other findings;
(c) instituting enforcement actions against institution-affiliated parties (as defined by 12 U.S.C. § 1813(u)) based on the Comptroller’s Findings set forth in Article II of this Order, or any other findings; or
(d) utilizing the Comptroller’s Findings set forth in Article II of this Order in future enforcement actions against the Bank or its institution-affiliated parties to establish a pattern or the continuation of a pattern.

(2) Nothing in this Order is a release, discharge, compromise, settlement, dismissal, or resolution of any actions, or in any way affects any actions that may be or have been brought by any other representative of the United States or an agency thereof, including, without limitation, the United States Department of Justice.

(3) This Order is:
(a) a “cease-and-desist order issued upon consent” within the meaning of 12 U.S.C. § 1818(b);
(b) a “cease-and-desist order which has become final” within the meaning of 12 U.S.C. § 1818(e);
(c) an “order issued with the consent of the depository institution” within the meaning of 12 U.S.C. § 1818(h)(2);


 
(d) an “effective and outstanding . . . order” within the meaning of 12 U.S.C. § 1818(i)(1); and
(e) a “final order” within the meaning of 12 U.S.C. § 1818(i)(2) and (u).

(4) This Order is effective upon its issuance by the OCC, through the Comptroller’s duly authorized representative. Except as otherwise expressly provided herein, all references to “days” in this Order shall mean calendar days and the computation of any period of time imposed by this Order shall not include the date of the act or event that commences the period of time.

(5) The provisions of this Order shall remain effective and enforceable against the Bank and its successors in interest except to the extent that, and until such time as, such provisions are amended, suspended, waived, or terminated in writing by the OCC, through the Comptroller’s duly authorized representative. If the Bank seeks an extension, amendment, suspension, waiver, or termination of any provision of this Order, the Board or a Board-designee shall submit a written request to the Deputy Comptroller asking for the desired relief. Any request submitted pursuant to this paragraph shall include a statement setting forth in detail the circumstances that warrant the desired relief or prevent the Bank from complying with the relevant provision(s) of the Order, and shall be accompanied by relevant supporting documentation. The OCC’s decision concerning a request submitted pursuant to this paragraph, which will be communicated to the Board in writing, is final and not subject to further review.

(6) The Bank will not be deemed to be in compliance with this Order until it has adopted, implemented, and adhered to all of the corrective actions set forth in each Article of this Order; the corrective actions are effective in addressing the Bank’s deficiencies; and the OCC has verified and validated the corrective actions. An assessment of the effectiveness of the
corrective actions requires sufficient passage of time for the Bank to demonstrate the sustained effectiveness of the corrective actions.

(7) This Order is not a contract binding on the United States, the United States Treasury Department, the OCC, or any officer, employee, or agent of the OCC and neither the Bank nor the OCC intends this Order to be a contract.

(8) Each citation, issuance, or guidance referenced in this Order includes any subsequent citation, issuance, or guidance that replaces, supersedes, amends, or revises the referenced cited citation, issuance, or guidance.

(9) This Order applies to the Bank, all its subsidiaries, and its successors in interest.

(10) No separate promise or inducement of any kind has been made by the OCC, or by its officers, employees, or agents, to cause or induce the Bank to consent to the issuance of this Order.

(11) All reports, plans, or programs submitted to the OCC pursuant to this Order shall be forwarded via email, to the following:
Examiner-in-Charge

(12) The terms of this Order, including this paragraph, are not subject to amendment or modification by any extraneous expression, prior agreements, or prior arrangements between the parties, whether oral or written.


 
IN TESTIMONY WHEREOF, the undersigned, authorized by the Comptroller as his duly authorized representative, has hereunto set her signature on behalf of the Comptroller.

/s/
Bethany A. Dugan
Deputy Comptroller for Large Bank Supervision

September 20, 2021


 
IN TESTIMONY WHEREOF, the undersigned, as the duly elected and acting Board of Directors of MUFG Union Bank, National Association, San Francisco, CA, have hereunto set their signatures on behalf of the Bank.

/s/ Roberta A. Bienfait    Date: September 16, 2021
/s/ Kevin Cronin    Date: September 16, 2021
/s/ Linda Cunningham    Date: September 16, 2021
/s/ John R. Elmore    Date: September 16, 2021
/s/ Michael D. Fraizer    Date: September 17, 2021
/s/ Kazuo Koshi    Date: September 17, 2021
/s/ Masahiro Kuwahara    Date: September 17, 2021
/s/ Hiroshi Masaki    Date: September 17, 2021
/s/ Toby S. Myerson    Date: September 17, 2021
/s/ Jeffrey Storey    Date: September 17, 2021


 
/s/ Kazuto Uchida    Date: September 16, 2021
/s/ Dean A. Yoost    Date: September 17, 2021