Document

“Applicable Law” means the (i) Network Rules; and (ii) the laws, court opinions, attorney general opinions, rules and regulations of the United States or of any state or the various agencies, departments or administrative or governmental bodies thereof, and any regulatory guidance, determinations of (or agreements with) an arbitrator or Regulatory Authority and directions or instructions from (or agreements with) any arbitrator or Regulatory Authority, as the same may be amended and in effect from time to time during the Term, including, without limitation, (1) the EFTA; (2) the GLBA; (3) the Bank Secrecy Act; (4) federal and state money services business laws; (5) the prohibition against unfair and deceptive trade practices in the Federal Trade Commission Act; (6) state data security laws; (7) the Telephone Consumer Protection Act; (8) any and all sanctions or regulations enforced by OFAC; (9) statutes or regulations relating to consumers, and (10) statutes or regulations of any state relating to banks, banking, prepaid cards, money transmission or unclaimed property, to the extent applicable to the issuance, sale, authorization or usage of the products and services offered under the Programs or as otherwise applicable to any of the Parties, as all the same may be amended and in effect from time to time during the Term.

(vi) Manager shall cooperate with all audits contemplated by this Section, including but not limited to a compliance and vendor management audit of the Manager and Programs on an annual basis, and such other audits related to the Manager and Programs as may be requested by Sutton Bank from time to time in its reasonable discretion. Sutton Bank acknowledges and agrees that for each audit contemplated by this Section, it shall provide Manager with notice of such audit no later than October 1 of the year prior to the year such audit shall commence (“Audit Notice”). For example, Audit Notice is properly provided in October 2027 for audits to take place in 2028. Notwithstanding the foregoing, in the event an audit of Manager or a Program is required by a regulatory authority or, if Sutton Bank reasonably believes such an audit is necessary based on its oversight obligations, then Audit Notice shall not apply, and Sutton Bank

shall only give as much notice to Manager regarding such audit as required by the regulatory authority, Applicable Law, or as practicable given the circumstances. The Parties agree that upon receipt of notice of such audit or the scope of a given audit, Manager may dispute (i) the need for an audit, or (ii) the scope of a proposed audit. The Parties agree to discuss in good faith and if necessary, Sutton Bank agrees to facilitate a discussion between the respective Chief Compliance Officers of Sutton Bank and Manager to discuss and resolve any such disputes. Each audit contemplated under this Section shall be conducted by a third party audit firm that is selected by and reports to Sutton Bank; the scope of each audit shall be determined by Sutton Bank (considering in good faith input received by Manager) and may include the activities of Clients, Distributors, Marketers, Third Party Service Providers, Processor and subcontractors and their and Manager’s Compliance Controls (as defined below); Sutton Bank shall receive all draft and final reports of the audit firm, which drafts and final reports shall be deemed the Confidential Information of Sutton Bank, and Sutton Bank shall be included in any meetings or correspondence related to the audit; the auditor shall deliver the final audit report to Sutton Bank, and Sutton Bank shall provide a copy of the report to Manager; Manager may not share the report with any other person (other than Manager’s attorneys and accountants, subject to the provisions of Section 8.2) without the consent of Sutton Bank, except as required by Applicable Law; Manager shall promptly take action at Manager’s sole expense to correct any errors, deficiencies and recommendations identified in any report or audit described in this Section (other than errors, deficiencies or recommendations that, based on the mutual determination of the Parties, need not be corrected), and shall develop, with the approval of Sutton Bank, a schedule for the correction of such errors, deficiencies and recommendations. Within thirty (30) days after the scheduled completion date for the correction of such errors, deficiencies and recommendations, Manager shall provide Sutton Bank written evidence of Manager’s successful implementation and completion thereof, to Sutton Bank’s reasonable satisfaction.

(vii) Manager shall cooperate with a review of each model used in connection with any Program, and the associated model governance and validation of each model, on an appropriate schedule determined in Sutton Bank’s reasonable discretion, to be conducted by a third party review firm that is selected and engaged by, and reports to, Sutton Bank; the scope of the review shall be determined by Sutton Bank after consultation with Manager; Sutton Bank shall receive all draft and final reports from the review firm, which drafts and final reports shall be included in any meetings or correspondence related to the review; the reviewer shall deliver the final review report to Sutton Bank, and Sutton Bank shall provide a copy of the report to Manager; Manager may not share the report any other person (other than Manager’s attorneys and accountants, subject to the provisions of Section 8.2) without the consent of Sutton Bank, except as required by Applicable Law. Manager shall cause each Client to comply with the terms of this Section 3.1(O)(vii) to the extent such Client is the provider or the licensee of the provider of a model used in connection with a Program.

(i) Ongoing Monitoring Obligations. Manager agrees to conduct ongoing monitoring of each active Program for purposes of ensuring compliance with Applicable Law and compliance with all agreements related to the Program, including but not limited to the agreements between Manager and Clients, Distribution and Service Agreements, Marketing Agreements, agreements with Third Party Service Providers and agreements with subcontractors, all as may be amended from time to time, and the sufficiency of the compliance management systems, enterprise risk management and internal audit functions related thereto (such compliance management systems, enterprise risk management and internal audit functions referred to as “Compliance Controls”). Without limitation to the foregoing, such monitoring shall include, to the extent applicable, monitoring performed for purposes of assessing compliance with the

EFTA (15 U.S.C. . §§ 1693 et seq.) and Regulation E (12 C.F.R. § 1005); the CIP requirements of the Bank Secrecy Act (31 U.S.C. § 5318(l)) and 31 C.F.R. § 1020.220); Section 5 of the Federal Trade Commission Act (15 U.S.C. §45) and Sections 1031 and 1036 of the Consumer Financial Protection Act (15 U.S.C. §§5531 and 5536), and related federal agency guidance; the Truth-In-Savings Act (12 U.S.C. § 4301; Regulation DD, 12 C.F.R. § 1030); and any other regulations applicable to products issued by Sutton Bank pursuant to the Agreement. If applicable, and without limitation to the foregoing, the specific monitoring conducted shall include ongoing monitoring of the subject Program’s handling of Regulation E disputes, and customer complaints received and responded to directly by that Program.

Such monitoring shall be performed as set forth in the Template Document (as defined below), and, to the extent that consumer requirements apply, the expectations set forth in the Consumer Compliance Review section of the CFPB’s Supervision and Examination Manual, and to the extent the Bank Secrecy Act applies as set forth in the FinCEN requirements for a money service business (“MSB”) codified at 31 C.F.R. 1022.210, regardless of whether Manager has any obligation to register as an MSB under the laws of any state, both as may be amended from time to time.

Manager agrees to provide Sutton Bank written reporting on the results of such monitoring as described in Exhibit G (attached as Schedule A to the Ninth Amendment and incorporated herein by reference) (as may be modified from time to time, the “Deliverables Exhibit”) in the forms set forth in the Template Document (as defined below), and the appropriate representatives of each Party shall meet to discuss such results and applicable deliverables not less than every other week (or more or less frequently as determined by Sutton Bank in its reasonable discretion). Sutton Bank has provided Manager with a document containing templates for all of the deliverables listed in the Deliverables Exhibit (as may be modified from time to time, the “Template Document”). Manager acknowledges its receipt of the Template Document. Sutton Bank may amend the Deliverables Exhibit and/or the Template Document (including, for the avoidance of doubt, to add Manager reporting obligations), in its reasonable discretion, so long as it provides Manager at least ninety (90) days prior written notice of any such amendments; provided, however, prior notice shall not be required for any amendments or additions that are required by Sutton Bank’s regulators, that are a result of a regulatory examination of Sutton Bank or that are required as a result of monitoring or testing of Sutton Bank’s own compliance management systems, enterprise risk management or internal audit function or regarding any model validation; provided, further, that if Manager demonstrates that its systems or processes do not allow it to comply with such amendments or additions within the relevant timeframe, the timeframe shall be extended upon mutual written agreement between the Parties. Sutton Bank shall provide monthly feedback on all Template Documents.

(ii) Independent Testing by Bank. Sutton Bank shall have the right to conduct independent testing of Manager’s monitoring to confirm its accuracy or other effectiveness, including but not limited to compliance with Applicable Law and the sufficiency of the Compliance Controls, which may include [***] at Sutton Bank’s reasonable discretion (“Independent Testing”). Sutton Bank must provide to Manager [***] notice of its intent to conduct independent testing. In furtherance of such testing, Manager shall provide Sutton Bank [***] along with [***], including but not limited to [***], if applicable, within: (i) [***] of Sutton Bank’s reasonable request for such materials, or (ii) such timeframes as the Parties may mutually agree to in writing. Manager shall have [***] from its receipt of the findings of such independent testing to respond to all noted errors, deficiencies and recommendations (other than errors, deficiencies or recommendations that, based on the mutual determination of the Parties, need not be corrected) (“Manager Response”); provided, however, that if the scope of the findings changes after Manager’s receipt of such findings, such [***] period will reset beginning from the date of such change in scope. Sutton Bank shall timely accept or reject a Manager Response. The Manager Response provided shall be in writing and must include an explanation of the root cause(s) of each such error, deficiency or recommendation together with a proposed remediation plan, to be completed at Manager’s sole expense, for Sutton Bank’s review and approval setting forth the respective date(s) by which appropriate remediation, including monetary restitution, if warranted, will be completed. Alternatively, if Manager disagrees with any finding of an error, deficiency or recommendation, the written response provided to Sutton Bank shall set forth Manager’s specific reason(s) for disagreement. Such written response shall constitute a Manager Response. Notwithstanding the foregoing, if Manager believes in good faith that a response satisfying the above-stated

requirements cannot be provided to a given finding in the absence of further information or discussion, Manager shall promptly request in writing an extension of the time period for responding to such finding, specifying its reasons for delay, which request shall not be unreasonably denied. Within [***] after the scheduled completion date for the Sutton Bank-approved remediation plan (or on a timeline as mutually agreed by the Parties), Manager shall provide Sutton Bank written evidence of Manager’s successful implementation and completion thereof, to Sutton Bank’s satisfaction.


Non-Compliance Event			Non-Compliance Fee
Manager fails to timely provide Sutton Bank with two or more deliverables identified in the Deliverables Exhibit by the stated deliverable deadline, or for any such deliverable that is provided, Sutton Bank in its reasonable discretion determines two or more deliverables fail to provide sufficient responsive information			[***]
Manager fails to timely and completely provide the documents and information requested in connection with Section 3.1(Q)(ii)			[***]
Manager fails to timely implement and complete, to Sutton Bank’s reasonable satisfaction, any corrections or remediation plans resulting from an audit, ongoing monitoring or independent testing as set forth therein, including satisfaction of applicable remediation deadlines			[***]

Any Program is determined by Manager or Sutton Bank, each in its reasonable discretion, through an audit, ongoing monitoring or independent testing to be [***] with Applicable Law(s) or Compliance Controls applicable to this Agreement			[***]

Sutton Bank shall provide Manager written notice of the occurrence of any Non-Compliance Event for which Sutton Bank is assessing a Non-Compliance Fee. [***]. Upon receipt of such written notice, Manager shall have a period of [***] to dispute the occurrence or validity of such Non-Compliance Event (the “Non-Compliance Dispute Period”). During the Non-Compliance Dispute Period, the Parties agree to work in good faith to ensure the veracity of the occurrence of any Non-Compliance Event and applicability of any corresponding Non-Compliance Fee, [***] mutually agreed upon procedures. The Parties further agree that if Sutton learns of a potential Non-Compliance Event, but does not provide Manager written notice of such potential Non-Compliance Event within [***] of learning of its occurrence, no Non-Compliance Fee shall arise, and Manager shall not be liable for, any Non-Compliance Fee related to such potential Non-Compliance Event. Non-Compliance Fee(s) shall be due and payable to Sutton Bank by Manager within the time period(s) set forth in such written notice, which shall in no event be less than [***] from the conclusion of the Non-Compliance Dispute Period, absent manifest error. If Manager fails

In the event Manager is required to pay the Maximum Non-Compliance Fee under this subsection for any [***] in any [***] period, Sutton Bank shall immediately be entitled to terminate this Amended Program Manager Agreement, notwithstanding anything to the contrary herein; provided, however, that, prior to exercising such termination right, Sutton Bank shall meet with Manager to discuss Manager’s proposal to address and remediate the repeated instances of non-compliance and shall consider, in good faith, Manager’s proposal before determining, in its reasonable discretion, whether to exercise such termination right.

Additionally, in the event that a Program generates two (2) Non-Compliance Events in a given [***] for [***] (the “Direct Agreement Trigger”), Sutton Bank shall immediately be entitled to enter into agreements directly with the Client associated with such Program. Notwithstanding anything to the contrary herein, Manager agrees to continue serving as Processor in connection with any such Program during the term of any such direct agreement between Sutton Bank and Client at a reasonable and customary rate agreed upon by the Parties at the time Bank enters into an agreement with Client. Upon the occurrence of a Direct Agreement Trigger, Manager shall promptly provide to Sutton Bank copies of all relevant agreements between Manager and the applicable Client, and if any agreement between Manager and any such Client contains confidentiality provisions that may prohibit Manager and/or Client from disclosing a copy of such agreement to Sutton Bank, Manager shall (i) use commercially reasonable efforts to obtain specific permission and waiver from Client to allow Manager to disclose a copy of such agreement to Sutton Bank and (ii) inform Client that Manager approves such disclosure to Sutton Bank and that Manager grants Client specific permission and waiver to allow Client to disclose a copy of such agreement to Sutton Bank. For the avoidance of doubt, Sutton Bank’s rights under this paragraph are notwithstanding the provisions of Section 3.2(K) hereunder.

Sutton Bank acknowledges that Manager uses a Third-Party Service Provider to monitor Online Program Materials and all Program Materials approved by Sutton Bank to determine whether, after such approval, such Online Program Materials or Program Materials match what Sutton Bank approved (such Third-Party Service Provider, the “Content Control Service Provider” and such services the “Content Control Services”). For a period of [***] from the date of the Ninth Amendment Effective Date (the “Content Control Trial Period”), Manager shall utilize the services of the Content Control Service Provider to provide Content Control Services. The Parties agree that [***] before the expiration of the Content Control Trial Period, they shall meet in good faith to discuss the efficacy of the Content Control Service Provider. In the event that Sutton Bank believes the Content Control Service Provider is ineffective in the provision of Content Control Services, Sutton Bank will provide a detailed explanation for why the Content Control Services are deficient along with examples. Within a period of [***] of such notice, the Parties will collaborate in good faith on an alternative solution for the provision of Content Control Services. As used in this Section R, “Online Program Materials” means online content published on the World Wide Web that identifies Sutton Bank or a Program that Sutton Bank sponsors, including but not limited to the following social media platforms: Facebook, Instagram and TikTok.

Manager shall cause each Client, in connection with such Client’s Program, to: (i) maintain policies and procedures (“Red Flags Policy”) to (A) detect relevant red flags that may arise in the performance of Manager’s obligations, (B) take appropriate steps to address such red flags and to prevent and mitigate the effect of identity theft, and (C) report to Sutton Bank on such policies and procedures on a regular basis; (ii) identify a program administrator responsible for the Red Flags Policy; and (iii) conduct training regarding the Red Flags Policy no less frequently than annually, by the date designated by Sutton Bank, which report shall (A) address material matters related to the Program, (B) evaluate issues such as the effectiveness of the Red Flags Policy in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, (C) identify service provider arrangements, (D) identify significant incidents involving identity theft and management’s response, and (E) provide recommendation for material changes to the Red Flags Policy.

6.Amendment to Manager’s Agreements with Clients. Promptly after the Ninth Amendment Effective Date, Manager shall use best efforts to amend each of its agreements with Clients and all other agreements related to the Program to require the Clients to take all actions necessary to allow the Manager to comply with this Ninth Amendment, including but not limited to the payment of the Non-Compliance Fees by Clients, and to make Sutton Bank a third-party beneficiary of each such agreement; provided, however, that Manager’s failure to procure such amendments or agreements with its Clients will not be deemed to be a material breach of the Agreement.

7.Exhibit Labeling. As of the Ninth Amendment Effective Date, the Exhibit to the Amended Program Manager Agreement titled “Covered Programs” is hereby labeled Exhibit E to the Amended Program Manager Agreement, and the Exhibit to the Amended Program Manager Agreement titled “Sutton Bank Processing Procedures and Service Levels” is hereby labeled Exhibit F to the Amended Program Manager Agreement, and all references to such Exhibits in the Amended Program Manager Agreement are hereby amended accordingly.

10.Miscellaneous. This Ninth Amendment shall be governed by and construed and enforced in accordance with the internal laws of the State of Ohio without regard to its conflict of laws principles. This Ninth Amendment may be executed by facsimile and in counterparts, each of which shall be deemed an original, and all of which when taken together shall be deemed one and the same instrument. The Agreement, as amended hereby sets forth the entire agreement of the Parties with respect to the subject matter hereof and thereof, supersedes any and all prior contemporaneous agreements or understandings, whether written or oral, between the Parties with respect to such subject matter. This Ninth Amendment shall inure the benefit of and be binding upon the Parties and each of their respective successors and assigns. Section headings used in this Ninth Amendment are included herein for convenience of reference only and will not constitute a part of this Ninth Amendment for any other purpose.