PRIVACY POLICY

 

 

OF

 

 

SECURITY STATE BANK

DRAWER S

PEARSALL, TX 78061

POLICY STATEMENT

All employees of Security State Bank (the “Bank”) must comply with the terms of this policy and its procedures. Managers, employees and technical personnel must modify system configurations, forms, and procedures, where necessary, to comply with the terms of this policy.

The purpose of the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) is to inform "consumers" of the Bank's policies and practices for disclosing nonpublic personal information to nonaffiliated third parties and to give them the option to opt out of such disclosure. The rules apply only to information about individuals who obtain financial products or services for personal, family or household purposes. They do not apply to information about businesses, corporations, partnerships or similar entities, or about individuals who obtain financial products or services for business purposes.

This policy is a general statement of the Bank’s objectives and of the procedures that follow from them to protect customer information and maintain privacy.

Scope of Policy

This policy applies to:

  1. Bank employees;

  2. Any organization or individual with whom we have a contractual or fiduciary relationship;

  3. Information in all forms, including oral, written, image and electronic;

  4. Physical and logical (non-physical) protection;

  5. All modes of information processing, including, but not limited to, manual methods, hardware and software networks, other devices and information disposal techniques;

  6. Information used by the Bank that originates outside the Bank, including, but not limited to, information from vendors, contractors, customers, regulators, other enterprises and the public domain; and

  7. The Bank’s information resources used by, shared by or in the custody of others.

NOTE: This statement of scope should not be interpreted to mean that all information resources must be protected equally.

The Bank expects our processing partners to provide no less a level of customer privacy protection than that provided by the Bank. Conversely, the Bank will make every reasonable effort to apply the required level of customer privacy protection to partner information resources in our custody. Agreements establishing these protections should be concluded before information resources are accepted from third parties.

Collection of Customer Information

The Bank collects customer information from many different sources, such as deposit accounts, loans, and other transactions. This includes the customer’s name, address, tax identification number, telephone number, date of birth, mother’s maiden name, driver’s license number, credit report information and his or her signature when opening an account. In addition to the information the Bank collects for a deposit account, a customer requesting a loan is asked to provide additional information related to employment, income, assets, existing liabilities, dependents, financial history and any other relevant information.

In the course of handling a deposit account or a loan, the Bank collects transaction information about a customer such as balances, payee information, overdrafts and non-sufficient funds, payment history, address changes and changes in credit or financial standing.

The Bank collects information submitted by customers via e-mail correspondence.

The Bank’s Privacy Notice, described in detail within this policy, discloses to customers how the Bank manages customer information and the circumstances, if any, under which such information may be released to third parties.

This written notice is provided to Bank customers at the time a new account is established or upon request.

Maintenance of Customer Information

Customer information, whether in paper or electronic form, is maintained whenever the Bank transmits or stores it. Information is transmitted when it moves from one person or place to another; it is stored when the Bank retains it for current reference or as a historical record.

Enforcement

Changes to this policy require approval by the Board of Directors of the Bank. Changes in operating procedures, standards, guidelines and technologies, provided they are consistent with this policy, may be authorized by Senior Management.

The Board of Directors has the authority to approve this policy and re-approves it annually thereafter. Senior Management is responsible for ensuring that the directives are implemented and administered in compliance with the approved policy.

The primary responsibility for enforcement of this policy and its operating procedures rests with Senior Management and our employees.

No part of this policy or its supporting operating procedures should be interpreted as contravening or superseding any other legal or regulatory requirement placed upon the Bank. Protective measures should not impede other legally mandated processes such as records retention or responses to subpoenas. Any conflict should be submitted immediately to Senior Management for further evaluation and/or subsequent submission to the Bank’s legal counsel.

Exceptions to Policy

Requests for exceptions to this policy must be very specific and may be granted only for specific items, not for entire sections. Bank personnel requesting an exception are to submit an internal memorandum to the Bank’s CFO or President/CEO for consideration.

RESPONSIBILITIES

All Bank personnel have specific responsibilities under Regulation P that are directly related to their job functions. Each employee is also responsible for being aware of how the way he or she performs his or her job can affect customer privacy, including the matters outlined in this section.

The Board of Directors has the ultimate responsibility to ensure the proper management of the Bank’s Privacy Program. To this end, the Board of Directors has charged Senior Management with the responsibility to determine the necessary course of action so that adherence to applicable laws and regulations is managed in an effective and consistent manner for the entire organization.

Senior Management is responsible for the supervision and overall management of the Bank’s Privacy Program.

Operations, Lending, Note Department and Support Personnel

Operations, Lending, Note Department and support personnel are required to follow the procedures below to promote effective management of the Bank’s Privacy Program.

1. Know when and how to provide the Bank’s privacy notices to consumers and customers;

2. Be able to explain the basics of the Bank’s compliance program to customers and Bank personnel;

3. Protect all customer information and keep it out of customers’ view (clean desks, secure computer screens when absent, lock documents in the branch vault at night, etc.), including all documents containing transactions, signature cards, customer and employee lists and reports, logs, telephone messages, and files;

4. Do not discuss a customer’s business within hearing distance of another customer;

5. Supervise and manage the compliance and skill levels of all branch personnel (applies to supervisors);

6. Recognize identity fraud and information theft attempts;

7. Be familiar with the requirements for government access to customer information;

8. Keep passwords private;

9. Deposit all documents containing customer information in the locked shred bins at night;

10. Finish each transaction before calling another customer to your desk or teller window;

11. Do not discuss pending loans or customer business within hearing distance of others when conducting business outside the Bank;

12. Do not take reports, customers’ financial information or files home; and

13. Manage the Bank’s Privacy Program with vendors through contracts and monitoring (refer to the Bank’s Vendor Management Policy).

BANK’S INITIAL PRIVACY NOTICE

The Bank is required to provide a "clear and conspicuous" initial written privacy notice to consumers and customers that accurately reflects the Bank's privacy policies and practices.

The rule defines the phrase "clear and conspicuous" to mean a notice that is reasonably understandable and designed to call attention to the nature and significance of the information it contains.

No initial notice is required to be given to consumers who are not customers if their nonpublic personal information will not be shared, or will be shared only under the "processing and servicing" exceptions.

An initial notice is required to be given to customers no later than when a customer relationship is established. The Bank can provide the initial notice at the same time it is required to give other notices, such as the deposit account disclosures required under Regulation DD when opening a deposit account or the Regulation Z disclosures at the time an extension of credit is consummated. In cases where the relationship is established in person, the notice should be given at a point when the consumer still has a meaningful choice about whether to enter into the customer relationship.

The initial notice requirements also apply when an existing customer obtains from the Bank a new financial product or service that is covered under the regulation (i.e., one obtained for personal, family or household purposes).

If two or more consumers jointly obtain a financial product or service, the Bank can satisfy the initial notice requirements by providing one notice to those consumers jointly.

ANNUAL NOTICE TO CUSTOMERS

The Bank is required to notify customers annually, for as long as the customer relationship continues, of the Bank's privacy policies and practices. The notice must be given to all customers.

The term "annually" means at least once in any period of 12 consecutive months during which the customer relationship exists. The Bank is permitted to define the 12 consecutive month period; however, the period must be applied consistently.

Effective 2016, the Bank is not required to provide the annual notice, since it meets the following two conditions:

1. The Bank shares information only in ways that do not trigger any opt-out requirement. In other words, the Bank shares information only under the exceptions in sections 1016.13, 1016.14 and 1016.15 of 12 CFR 1016; and

2. The Bank has not changed its policies and practices under paragraphs 1016.6(a)(2)-(5) and (9) since its last notice. These paragraphs cover the categories of information disclosed to third parties, the categories of third parties to whom it is disclosed, the categories of information about former customers disclosed and to whom, the categories of information disclosed under joint marketing agreements and the categories of third parties involved, and the broad categories of certain disclosures made under exceptions (for example, “as permitted by law”). A change to a policy or procedure that does not affect a disclosure under these specific paragraphs does not affect the Bank’s qualification for the exception.

If the Bank changes its policies and practices such that it no longer meets the conditions set forth above, it will comply with the regulations then in effect for providing annual notices.

CONTENTS OF PRIVACY NOTICES

The initial and annual privacy notices have the same required content. The Bank is required to address only those items that apply to it. The notices must disclose:

1. Collection. The categories of nonpublic personal information that the Bank collects. The Bank satisfies the requirement to categorize the nonpublic personal information that it collects if it lists the following categories, as applicable:

A. Information from consumers;

B. Information about the consumer's transactions with the Bank or its affiliates;

C. Information about the consumer's transactions with nonaffiliated third parties; and

D. Information from a consumer reporting agency.

A statement such as "we collect everything" would not comply.

2. Disclosure. The categories of nonpublic personal information about consumers that the Bank discloses. The Bank satisfies the requirement to categorize the nonpublic personal information it discloses if it lists the categories described above, as applicable, and provides a few examples to illustrate the types of information in each category.

3. To Whom. The categories of affiliates and nonaffiliated third parties to whom the Bank discloses nonpublic personal information, other than under the exceptions for processing and servicing and the other exceptions permitted by the regulation.

The Bank satisfies its requirement to categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic personal information if it lists the following categories, as applicable, and a few examples to illustrate the types of third parties in each category:

A. Financial service providers (e.g., mortgage bankers, securities broker-dealers, and insurance agents);

B. Non-financial companies (e.g., retailers, direct marketers, airlines and publishers); and

C. Others (e.g., non-profit organizations).

4. Former Customers. The categories of nonpublic personal information about the Bank's former customers that it discloses, and the categories of affiliates and nonaffiliated third parties to whom the Bank discloses nonpublic personal information about its former customers, other than under the exceptions for processing and servicing and the other exceptions.

5. Opt-Out Disclosure. An explanation of the right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer exercises that right. (The opt-out right is discussed below in the Right to Opt-Out section.)

6. Confidentiality and Security. The Bank's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.

The Bank adequately describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if it does both of the following:

A. Describes in general terms who is authorized to have access to the information; and

B. States whether the Bank has security practices and procedures in place to ensure the confidentiality of the information in accordance with its policy.

RIGHT TO OPT-OUT

The Bank does not disclose any nonpublic personal information to nonaffiliated third parties other than as permitted by law; consequently, the Bank is not required to provide an opt-out notice.

If the Bank changes its previously disclosed policies or practices regarding the sharing of nonpublic personal information, it will provide the consumer with a revised privacy notice and opt-out notice. The Bank is required to include a new opt-out notice with the revised notice and to give the consumer a reasonable opportunity to opt out before disclosing any information not covered by the prior disclosure.

THE SHARING OF ACCOUNT NUMBERS FOR MARKETING

The Bank is prohibited, directly or through an affiliate, from disclosing an account number or similar form of access number or access code for a consumer's credit card account, deposit account, loan account or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. This prohibition does not apply to disclosures to a consumer reporting agency.

Exception

An exception to the general prohibition on sharing account numbers or similar forms of access numbers or access codes applies when the Bank discloses such information to:

1. The Bank's agent or service provider solely in order to perform marketing for the Bank's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; or

2. A participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.

For purposes of this prohibition, an account number, or similar form of access number or access code, does not include a number or code in encrypted form, as long as the Bank does not provide the recipient with a means to decode the number or code. Additionally, the final rule provides that a transaction account is an account other than a deposit account or a credit card account; a transaction account does not include an account to which third parties cannot initiate charges.

PRIVACY PRINCIPLES

The Bank recognizes that customer information is important, confidential, and personal. Protecting customer privacy, along with our customers’ financial assets, is at the core of our business. The Bank has adopted procedures to help ensure that the privacy of customer information is safeguarded and protected with the highest levels of security and appropriate discretion.

The Bank’s daily operating procedures help assure that customer financial information is accurate, current, and complete in accordance with commercial standards and practices. It is Bank policy to respond to customer requests to correct inaccurate information in a timely manner.

The Bank is committed to the security of customer financial and personal information. All of the Bank’s operational and data processing systems are maintained in a secure and redundant environment that protects customer account information from being accessed by third parties. It is the policy of the Bank to maintain internal security standards and procedures to help prevent unauthorized access to confidential customer information. These security mechanisms are periodically updated and tested to improve the protection of customer information and to assure data integrity.

Confidential data should be accessed only by employees with a legitimate business need for that data. When appropriate, and to meet industry standards, the Bank will strive to prevent inappropriate employee access to confidential data through physical controls, software controls, hardware controls, employee training, and employee screening.

Bank employees are made aware that, as a condition of their employment at the Bank, the restrictions of this privacy policy continue to apply after their employment ends.

RIGHT TO FINANCIAL PRIVACY ACT REFERENCE

The Right to Financial Privacy Act (“RFPA”) establishes procedures that federal government agencies must follow in order to obtain confidential customer information. The RFPA requires the Bank to make sure that these requirements are met before releasing customer information to a government agency.

No government agency may access or obtain any customer information maintained by the Bank unless the customer information being requested is reasonably described and at least one of the following is provided to the Bank:

1. An administrative or judicial subpoena or summons;

2. A search warrant;

3. A formal written request; or

4. A customer’s written authorization.

Legal Processes

A government agency may obtain customer records through an administrative or judicial subpoena or summons otherwise authorized by law only if the records sought are relevant to a legitimate law enforcement inquiry. The customer must be served a copy of the subpoena or summons, or one must be mailed to the customer’s last known address, on or before the date it is served on the Bank.

The customer must also be given a notice that states with reasonable specificity the nature of the law enforcement inquiry. Federal law requires the Bank to wait 10 days after the customer has been served the notice, or 14 days from the date of mailing, to give the customer a chance to challenge the subpoena or summons.

Search Warrants

A government agency may obtain customer information if it obtains a search warrant pursuant to the Federal Rules of Criminal Procedure. The government agency must mail a copy of the search warrant, along with a notice, to the customer’s last known address no later than 90 days after the government agency serves the search warrant. The notice must state the government agency that obtained the information, the date the information was obtained and the reason for obtaining the information.

Formal Written Requests

A government agency may request customer information pursuant to a formal written request only if:

1. The request is authorized by regulations and signed by the head of the agency or department;

2. No administrative summons or subpoena reasonably appears to be available to that government agency to obtain customer information for the purpose for which it is sought;

3. There is reason to believe that the records sought are relevant to a legitimate law enforcement inquiry;

4. The customer has been served a copy of the request, or one has been mailed to the customer’s last known address, on or before the date the request was made to the Bank, together with a notice stating with reasonable specificity the nature of the law enforcement inquiry; and

5. Ten days have passed from the date of service, or 14 days from the date of mailing, and within that period the customer has not filed a sworn statement and an application to enjoin the government agency in the appropriate court.

Customer Authorization

A customer may authorize the disclosure of information to a government agency by furnishing to both the Bank and the government agency a signed and dated statement which:

1. Authorizes such disclosure for a period not in excess of three months;

2. States that the customer may revoke the authorization at any time before the information is disclosed;

3. Identifies the specific information that is authorized to be disclosed;

4. Specifies the purposes for which, and the government agency to which, such information may be disclosed; and

5. States the customer’s rights under the RFPA.

The customer has the right, unless the government agency obtains a court order, to obtain a copy of the information disclosed to the government agency as well as the identity of the government agency that requested the information.

Delayed Notice to Customer

The customer notice may be delayed by order of an appropriate court if:

1. The investigation being conducted is within the lawful jurisdiction of the government agency seeking the information;

2. There is reason to believe that the information being sought is relevant to a legitimate law enforcement inquiry; and

3. There is reason to believe that such notice will result in:

A. Endangering the life or physical safety of any person;

B. Flight from prosecution;

C. Destruction of or tampering with evidence;

D. Intimidation of a potential witness; or

E. Otherwise seriously jeopardizing an investigation or official proceeding, or unduly delaying a trial or ongoing official proceeding.

Bank Procedures

Bank employees are instructed to immediately contact the Bank’s Compliance Officer, CFO and/or Internal Auditor whenever a government agency requests customer information.

Under no circumstances shall Bank personnel provide any confidential information to a government agency without the express written consent of Senior Management or the Bank’s legal counsel.

REVIEW AND APPROVAL

The Board of Directors will review and approve this policy on an annual basis.

APPROVED and adopted by the Board of Directors on March 13, 2019.

_______________________________________________
Emily M. Briscoe
Secretary to the Board of Directors