Common use of Your Internal Security Clause in Contracts

Your Internal Security. (non-consumer customers only). You bear sole responsibility for establishing, maintaining, implementing and updating policies, procedures, equipment and software (“Internal Security Controls”) that ensure the security and integrity of your computer systems, Mobile Devices and information, protect them from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your Internal Security Losses. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To help protect your system from Internal Security Breaches, your Internal Security Controls program should consider including: • Verifying all instructions from your payees (e.g., ensure new or changed payment addresses were not communicated by an imposter); • Limiting and controlling who has access to your computer systems and Mobile Devices; • Protecting and frequently changing your Access Credentials; • Adopting dual authorization and/or transaction-based authentication procedures for financial transfers; • Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, e-mail programs, and the like (such as IBM® Trusteer RapportTM software); • Prohibiting the disabling or modification the security features of any software or hardware (e.g., “jailbreaking” of mobile devices); and prohibiting the use of “burner” mobile devices. • Using effective, up-to-date firewalls; • Procedures to avoid infection by malware and malicious code, such as: controlling what software and applications are downloaded to your computers and Mobile Devices; controlling what websites are visited by your computers and Mobile Devices; controlling the connection of other devices (e.g., flash drives) to your computers and Mobile Devices; controlling what documents, e-mail attachments, programs and other files are opened or installed on your computers and Mobile Devices; and limiting which of your computers and Mobile Devices are used for Digital Banking or other financial matters; • Reconciling all accounts on a daily basis, and immediately reporting any discrepancies; • Prohibiting your Authorized Users from leaving a computer or Mobile Device unattended while connected to Bank’s systems, or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); • Allowing Digital Banking to be accessed only from secure locations; and • Adopting such other recommendations that we may (but are not obligated to) make from time to time to help promote safe use of our services. This is not a complete listing of the Internal Security Controls that you may need. You are solely responsible for determining and implementing all of the Internal Security Controls necessary to prevent your Internal Security Breaches and Internal Security Losses. We have no duty to review your Internal Security Controls, identify deficiencies or make recommendations. We do not represent or warrant that any or all of the above recommendations or any future recommendations are adequate for your needs or will prevent Security Losses. We may at any time (but are not required to) limit access to any Digital Banking Channel or function to only those customers who have adopted specific Internal Security Controls. Our specification of any required Internal Security Controls shall not constitute a representation or warranty that they (a) are adequate for your security needs or will prevent any Internal Security Breach or Internal Security Losses, or (b) will be compatible with any computer system or other Internal Security Controls. You remain at all times solely responsible for your Internal Security Controls, Internal Security Breaches and Internal Security Losses. Although we may employ various systems and procedures from time to time to prevent losses by us, we assume no obligation for your Internal Security Losses. APPENDIX: END USER AGREEMENT FOR MOBILE BANKING SOFTWARE Zions Bancorporation, N.A.’s primary licensor for the Mobile Banking Software is mFoundry, Inc. (and/or one or more affiliates thereof, hereafter collectively “mFoundry”). mFoundry authorizes and requires Zions Bancorporation, N.A. to enter into the following end user agreement (the “End User Agreement”) with you for the use of mFoundry’s “Software” (defined below). By enrolling in Zions Bancorporation, N.A.’s Mobile Banking service, and during such time as Zions Bancorporation, N.A. maintains its rights to license the mFoundry Software, you hereby agree as follows:

Your Internal Security. (non-consumer customers only). You bear sole responsibility for establishing, maintaining, implementing and updating policies, procedures, equipment and software (“Internal Security Controls”) that ensure the security and integrity of your computer systems, Mobile Devices and information, protect them from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your Internal Security Losses. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To help protect your system from Internal Security Breaches, your Internal Security Controls program should consider including: • Verifying all instructions from your payees (e.g., ensure new or changed payment addresses were not communicated by an imposter); • Limiting and controlling who has access to your computer systems and Mobile Devices; • Protecting and frequently changing your Access Credentials; • Adopting dual authorization and/or transaction-based authentication procedures for financial transfers; • Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, e-mail programs, and the like (such as IBM® Trusteer RapportTM software); • Prohibiting the disabling or modification the security features of any software or hardware (e.g., “jailbreaking” of mobile devices); and prohibiting the use of “burner” mobile devices. • Using effective, up-to-date firewalls; • Procedures to avoid infection by malware and malicious code, such as: controlling what software and applications are downloaded to your computers and Mobile Devices; controlling what websites are visited by your computers and Mobile Devices; controlling the connection of other devices (e.g., flash drives) to your computers and Mobile Devices; controlling what documents, e-mail attachments, programs and other files are opened or installed on your computers and Mobile Devices; and limiting which of your computers and Mobile Devices are used for Digital Banking or other financial matters; • Reconciling all accounts on a daily basis, and immediately reporting any discrepancies; • Prohibiting your Authorized Users from leaving a computer or Mobile Device unattended while connected to Bank’s systems, or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); • Allowing Digital Banking to be accessed only from secure locations; and • Adopting such other recommendations that we may (but are not obligated to) make from time to time to help promote safe use of our services. This is not a complete listing of the Internal Security Controls that you may need. You are solely responsible for determining and implementing all of the Internal Security Controls necessary to prevent your Internal Security Breaches and Internal Security Losses. We have no duty to review your Internal Security Controls, identify deficiencies or make recommendations. We do not represent or warrant that any or all of the above recommendations or any future recommendations are adequate for your needs or will prevent Security Losses. We may at any time (but are not required to) limit access to any Digital Banking Channel or function to only those customers who have adopted specific Internal Security Controls. Our specification of any required Internal Security Controls shall not constitute a representation or warranty that they (a) are adequate for your security needs or will prevent any Internal Security Breach or Internal Security Losses, or (b) will be compatible with any computer system or other Internal Security Controls. You remain at all times solely responsible for your Internal Security Controls, Internal Security Breaches and Internal Security Losses. Although we may employ various systems and procedures from time to time to prevent losses by us, we assume no obligation for your Internal Security Losses. APPENDIX: END USER AGREEMENT FOR MOBILE BANKING SOFTWARE Zions Bancorporation, N.A.’s primary licensor for the Mobile Banking Software is mFoundry, Inc. (and/or one or more affiliates thereof, hereafter collectively “mFoundry”). mFoundry authorizes and requires Zions Bancorporation, N.A. to enter into the following end user agreement (the “End User Agreement”) with you for the use of mFoundry’s “Software” (defined below). By enrolling in Zions Bancorporation, N.A.’s Mobile Banking service, and during such time as Zions Bancorporation, N.A. maintains its rights to license the mFoundry Software, you hereby agree as follows:.

Your Internal Security. (non-consumer customers only). You bear sole responsibility for establishing, maintaining, implementing and updating policies, procedures, equipment and software (“Internal Security Controls”) that ensure the security and integrity of your computer systems, Mobile Devices and information, protect them from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your Internal Security Losses. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To help protect your system from Internal Security Breaches, your Internal Security Controls program should consider including: • Verifying all instructions from your payees (e.g., ensure new or changed payment addresses were was not communicated by an imposter); • Limiting and controlling who has access to your computer systems and Mobile Devices; • Protecting and frequently changing your Access Credentials; • Adopting dual authorization and/or transaction-based authentication procedures for financial transfers; • Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, e-mail programs, and the like (such as IBM® Trusteer RapportTM software); • Prohibiting the disabling or modification the security features of any software or hardware (e.g., “jailbreaking” of mobile devices); and prohibiting the use of “burner” mobile devices. • Using effective, up-to-date firewalls; • Procedures to avoid infection by malware and malicious code, such as: controlling what software and applications are downloaded to your computers and Mobile Devices; controlling what websites are visited by your computers and Mobile Devices; controlling the connection of other devices (e.g., flash drives) to your computers and Mobile Devices; controlling what documents, e-mail attachments, programs and other files are opened or installed on your computers and Mobile Devices; and limiting which of your computers and Mobile Devices are used for Digital Banking or other financial matters; • Reconciling all accounts on a daily basis, and immediately reporting any discrepancies; • Prohibiting your Authorized Users from leaving a computer or Mobile Device unattended while connected to Bank’s systems, or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); • Allowing Digital Banking to be accessed only from secure locations; and • Adopting such other recommendations that we may (but are not obligated to) make from time to time to help promote safe use of our services. This is not a complete listing of the Internal Security Controls that you may need. You are solely responsible for determining and implementing all of the Internal Security Controls necessary to prevent your Internal Security Breaches and Internal Security Losses. We have no duty to review your Internal Security Controls, identify deficiencies or make recommendations. We do not represent or warrant that any or all of the above recommendations or any future recommendations are adequate for your needs or will prevent Security Losses. We may at any time (but are not required to) limit access to any Digital Banking Channel or function to only those customers who have adopted specific Internal Security Controls. Our specification of any required Internal Security Controls shall not constitute a representation or warranty that they will (a) are adequate for your security needs or will prevent any Internal Security Breach or Internal Security Losses, or (b) will be compatible with any computer system or other Internal Security Controls. You remain at all times solely responsible for your Internal Security Controls, Internal Security Breaches and Internal Security Losses. Although we may employ various systems and procedures from time to time to prevent losses by us, we assume no obligation for your Internal Security Losses. APPENDIX: END USER AGREEMENT FOR MOBILE BANKING SOFTWARE Zions BancorporationDEPOSIT ZB, N.A.’s primary licensor for the Mobile Banking Software is mFoundry, Inc. (and/or one or more affiliates thereof, hereafter collectively “mFoundry”). mFoundry authorizes and requires Zions BancorporationZB, N.A. to enter into the following end user agreement (the “End User Agreement”) with you for the use of mFoundry’s “Software” (defined below). By enrolling in Zions BancorporationZB, N.A.’s Mobile Banking service, and during such time as Zions BancorporationZB, N.A. maintains its rights to license the mFoundry Software, you hereby agree as follows:

Your Internal Security. (non-consumer customers only). ) You bear sole responsibility for establishing, maintaining, implementing and updating policies, procedures, equipment and software (“Internal Security Controls”) that ensure the security and integrity of your computer systems, Mobile Devices and information, protect them from any unauthorized use, intrusion, takeover or theft, and prevent your Access Credentials from any unauthorized discovery or use (collectively “Internal Security Breaches”). You bear all risk of fraudulent transfers and other losses or disclosures arising from your Internal Security Breaches or from the interception of your communications prior to their receipt by us (collectively “Internal Security Losses”). We will not reimburse your Internal Security Losses. You are encouraged to consider purchasing insurance to cover your Internal Security Losses. To help protect your system from Internal Security Breaches, your Internal Security Controls program should consider including: • Verifying all instructions from your payees (e.g., ensure new or changed payment addresses were not communicated by an imposter); • Limiting and controlling who has access to your computer systems and Mobile Devices; • Protecting and frequently changing your Access Credentials; • Adopting dual authorization and/or transaction-based authentication procedures for financial transfers; • Employing up-to-date security software such as anti-virus, anti-malware and anti-spyware programs, as well as up-to-date software patches for all your software programs, internet browsers, e-mail programs, and the like (such as IBM® Trusteer RapportTM software); • Prohibiting the disabling or modification the security features of any software or hardware (e.g., “jailbreaking” of mobile devices); and prohibiting the use of “burner” mobile devices. • Using effective, up-to-date firewalls; • Procedures to avoid infection by malware and malicious code, such as: controlling what software and applications are downloaded to your computers and Mobile Devices; controlling what websites are visited by your computers and Mobile Devices; controlling the connection of other devices (e.g., flash drives) to your computers and Mobile Devices; controlling what documents, e-mail attachments, programs and other files are opened or installed on your computers and Mobile Devices; and limiting which of your computers and Mobile Devices are used for Digital Banking or other financial matters; • Reconciling all accounts on a daily basis, and immediately reporting any discrepancies; • Prohibiting your Authorized Users from leaving a computer or Mobile Device unattended while connected to Bank’s systems, or from communicating or accessing sensitive information from insecure locations (e.g., terminals or networks at Internet cafes or airports); • Allowing Digital Banking to be accessed only from secure locations; and • Adopting such other recommendations that we may (but are not obligated to) make from time to time to help promote safe use of our services. This is not a complete listing of the Internal Security Controls that you may need. You are solely responsible for determining and implementing all of the Internal Security Controls necessary to prevent your Internal Security Breaches and Internal Security Losses. We have no duty to review your Internal Security Controls, identify deficiencies or make recommendations. We do not represent or warrant that any or all of the above recommendations or any future recommendations are adequate for your needs or will prevent Security Losses. We may at any time (but are not required to) limit access to any Digital Banking Channel or function to only those customers who have adopted specific Internal Security Controls. Our specification of any required Internal Security Controls shall not constitute a representation or warranty that they (a) are adequate for your security needs or will prevent any Internal Security Breach or Internal Security Losses, or (b) will be compatible with any computer system or other Internal Security Controls. You remain at all times solely responsible for your Internal Security Controls, Internal Security Breaches and Internal Security Losses. Although we may employ various systems and procedures from time to time to prevent losses by us, we assume no obligation for your Internal Security Losses. APPENDIX: END USER AGREEMENT FOR MOBILE BANKING SOFTWARE Zions Bancorporation, N.A.’s primary licensor for the Mobile Banking Software is mFoundry, Inc. (and/or one or more affiliates thereof, hereafter collectively “mFoundry”). mFoundry authorizes and requires Zions Bancorporation, N.A. to enter into the following end user agreement (the “End User Agreement”) with you for the use of mFoundry’s “Software” (defined below). By enrolling in Zions Bancorporation, N.A.’s Mobile Banking service, and during such time as Zions Bancorporation, N.A. maintains its rights to license the mFoundry Software, you hereby agree as follows:;