Bridgewater Bancshares, Inc._2023 Annual Report

affiliates, including an expansion of the definition of “covered transactions” and an increase in the amount of time for which collateral requirements regarding covered transactions must be maintained. Certain limitations and reporting requirements are also placed on extensions of credit by the Bank to its directors and officers, to directors and officers of the Company and its subsidiaries, to principal shareholders of the Company and to “related interests” of such directors, officers and principal shareholders. In addition, federal law and regulations may affect the terms on which any person who is a director or officer of the Company or the Bank, or a principal shareholder of the Company, may obtain credit from banks with which the Bank maintains a correspondent relationship. Safety and Soundness Standards/Risk Management. FDIC-insured institutions are expected to operate in a safe and sound manner. The federal banking agencies have adopted operational and managerial standards to promote the safety and soundness of such institutions that address internal controls, information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure, asset growth, compensation, fees and benefits, asset quality and earnings. In general, the safety and soundness standards prescribe the goals to be achieved in each area, and each institution is responsible for establishing its own procedures to achieve those goals. If an institution fails to operate in a safe and sound manner, the FDIC-insured institution’s primary federal regulator may require the institution to submit a plan for achieving and maintaining compliance. If an FDIC-insured institution fails to submit an acceptable compliance plan, or fails in any material respect to implement a compliance plan that has been accepted by its primary federal regulator, the regulator is required to issue an order directing the institution to cure the deficiency. Until the deficiency cited in the regulator’s order is cured, the regulator may restrict the FDIC-insured institution’s rate of growth, require the FDIC-insured institution to increase its capital, restrict the rates that the institution pays on deposits or require the institution to take any action that the regulator deems appropriate under the circumstances. Operating in an unsafe or unsound manner will also constitute grounds for other enforcement action by the federal bank regulatory agencies, including cease and desist orders and civil money penalty assessments. During the past decade, the bank regulatory agencies have increasingly emphasized the importance of sound risk management processes and strong internal controls when evaluating the activities of the FDIC-insured institutions that they supervise. Properly managing risks has been identified as critical to the conduct of safe and sound banking activities and has become even more important as new technologies, product innovation, and the size and speed of financial transactions have changed the nature of banking markets. The agencies have identified a spectrum of risks facing a banking institution including, but not limited to, credit, market, liquidity, operational, legal and reputational risk. The key risk themes identified for 2024 are discussed under “—Risk Factors.” The Bank is expected to have active board and senior management oversight; adequate policies, procedures and limits; adequate risk measurement, monitoring and management information systems; and comprehensive internal controls. Privacy and Cybersecurity . The Bank is subject to many U.S. federal and state laws and regulations governing requirements for maintaining policies and procedures to protect non-public confidential information of their customers. These laws require the Bank to periodically disclose its privacy policies and practices relating to sharing such information and permit consumers to opt out of their ability to share information with unaffiliated third parties under certain circumstances. They also impact the Bank’s ability to share certain information with affiliates and non-affiliates for marketing and/or non-marketing purposes, or to contact customers with marketing offers. In addition, as a part of its operational risk mitigation, the Bank is required to implement a comprehensive information security program that includes administrative, technical, and physical safeguards to ensure the security and confidentiality of customer records and information and to require the same of its service providers. These security and privacy policies and procedures are in effect across all business lines and geographic locations. Branching Authority . Minnesota banks, such as the Bank, have the authority under Minnesota law to establish branches anywhere in the State of Minnesota, subject to receipt of all required regulatory approvals. The Dodd-Frank Act permits well-capitalized and well-managed banks to establish new interstate branches or acquire individual branches

18