Privacy Policy

This Privacy Policy describes how CitiBusiness Online ("we," "us," "our"), operated through the domain citibusiness.co.com, collects, uses, discloses and protects the personal and business information of visitors to this website and users of our commercial banking platform. This policy is designed to comply with the Gramm-Leach-Bliley Act (GLBA), regulations of the Office of the Comptroller of the Currency (OCC), and applicable federal and state privacy laws governing financial institutions in the United States.

By accessing citibusiness.co.com or using CitiBusiness Online services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, you should discontinue use of this website and our services.

1. Information We Collect

CitiBusiness Online collects information necessary to provide commercial banking services, comply with regulatory obligations and improve the user experience. The categories of information we collect include:

1.1 Information You Provide Directly

• Account enrollment information: Business name, legal entity type, Employer Identification Number (EIN), business address, state of incorporation, authorized officer names, dates of birth, Social Security Numbers (for authorized signers) and contact information (email, phone).
• Transaction information: Payment instructions including beneficiary names, account numbers, routing numbers, SWIFT/BIC codes, payment amounts, currencies and purpose-of-payment descriptions.
• Authentication credentials: User IDs, passwords (stored in hashed and salted form only) and multi-factor authentication device registrations.
• Communication records: Correspondence submitted through our contact forms, email communications, phone call records (with notice) and support ticket content.

1.2 Information Collected Automatically

• Device and browser information: IP address, browser type and version, operating system, screen resolution, device identifiers and installed plugins. This information is used for device fingerprinting as part of our security architecture.
• Usage data: Pages visited, features accessed, time spent on pages, click patterns, search queries within the platform and navigation paths.
• Location data: Approximate geographic location derived from IP address, used for fraud detection and geolocation-based security analysis.
• Cookies and similar technologies: Session cookies (required for platform functionality), persistent cookies (for user preferences) and analytics cookies (for service improvement). See Section 7 for cookie management options.

1.3 Information from Third Parties

• Credit reporting agencies: Business credit reports and financial data obtained during the account evaluation and credit underwriting process.
• Regulatory databases: Information from OFAC sanctions lists, PEP (Politically Exposed Persons) databases and other regulatory screening sources used for BSA/AML compliance.
• Business data providers: Company registration data, beneficial ownership information and industry classification data used to verify business identity and comply with Customer Due Diligence (CDD) requirements.

2. How We Use Your Information

CitiBusiness Online uses collected information for the following purposes:

• Service delivery: Processing payments, managing accounts, executing wire transfers, facilitating ACH transactions, providing treasury management services, performing foreign exchange transactions and generating reports.
• Security and fraud prevention: Authenticating user identity, detecting unauthorized access, monitoring transactions for suspicious activity, screening payments against sanctions lists and maintaining audit trails.
• Regulatory compliance: Fulfilling obligations under the Bank Secrecy Act (BSA), Anti-Money Laundering (AML) regulations, Customer Identification Program (CIP) requirements, OFAC sanctions screening and reporting obligations to the Financial Crimes Enforcement Network (FinCEN).
• Account management: Communicating service updates, security alerts, maintenance notifications and changes to terms of service or this Privacy Policy.
• Service improvement: Analyzing usage patterns to improve platform functionality, identify user experience issues and develop new features.
• Credit and lending: Evaluating creditworthiness for commercial loans, credit lines and business credit card applications.

3. Gramm-Leach-Bliley Act (GLBA) Compliance

As a financial services platform operated in connection with Citibank, N.A., CitiBusiness Online is subject to the privacy provisions of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809) and its implementing regulations. Under the GLBA:

• Nonpublic personal information (NPI): We collect NPI as defined by the GLBA, which includes personally identifiable financial information provided by customers, resulting from transactions with us, or obtained in connection with providing financial products or services.
• Privacy notice: This Privacy Policy serves as our privacy notice under GLBA Regulation P (12 CFR Part 1016). We provide this notice at account opening and annually thereafter.
• Opt-out rights: You have the right to opt out of certain information sharing with nonaffiliated third parties. To exercise this right, contact us at 800-285-1709 or email privacy@citibusiness.co.com. Note that opt-out rights do not apply to information sharing that is required by law, necessary for transaction processing, or permitted under GLBA exceptions (e.g., sharing with service providers under contractual confidentiality obligations).
• Safeguards: We maintain comprehensive administrative, technical and physical safeguards to protect NPI in compliance with the GLBA Safeguards Rule (16 CFR Part 314) and OCC guidance on information security (OCC Bulletin 2001-47).

4. Information Sharing and Disclosure

CitiBusiness Online may share your information in the following circumstances:

• Service providers: We share information with third-party service providers that perform functions on our behalf, including payment processing networks (Fedwire, SWIFT, NACHA), data center operators, customer support platforms and cybersecurity firms. All service providers are bound by contractual obligations to protect your information and use it only for the specified purpose.
• Affiliated entities: We may share information with Citigroup affiliates for purposes permitted under the GLBA and Fair Credit Reporting Act, including marketing of financial products. You may opt out of affiliate marketing by contacting us.
• Regulatory authorities: We disclose information to federal and state regulatory bodies as required by law, including the OCC, FDIC, Federal Reserve, FinCEN and state banking regulators. This includes Suspicious Activity Reports (SARs), Currency Transaction Reports (CTRs) and responses to regulatory examinations.
• Law enforcement: We comply with valid legal process including subpoenas, court orders and search warrants. We may also voluntarily disclose information to law enforcement when we believe in good faith that disclosure is necessary to prevent fraud, financial crimes or threats to safety.
• Payment counterparties: When you initiate a payment, necessary transaction information (originator name, account details, payment amount) is shared with the beneficiary's financial institution through the applicable payment network.

5. OCC Regulatory Compliance

CitiBusiness Online operates in accordance with the regulatory framework established by the Office of the Comptroller of the Currency for national banks and their service providers. Our privacy and data protection practices comply with:

• OCC Bulletin 2001-47: Third-Party Relationships — Risk management guidance for vendor and service provider oversight.
• OCC Bulletin 2020-10: Information Security standards for the protection of customer information.
• 12 CFR Part 30, Appendix B: Interagency Guidelines Establishing Information Security Standards applicable to national banks.
• 12 CFR Part 1016: Privacy of Consumer Financial Information (Regulation P implementation for national banks).

For questions about our regulatory compliance, you may contact the OCC's Customer Assistance Group at 1-800-613-6743 or visit occ.treas.gov.

6. Data Security

CitiBusiness Online implements comprehensive security measures to protect your information:

• Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.3 with forward secrecy.
• Encryption at rest: All stored data is encrypted using AES-256 encryption.
• Access controls: Employee access to customer data is restricted on a need-to-know basis and protected by multi-factor authentication, role-based permissions and comprehensive audit logging.
• Monitoring: Continuous security monitoring, intrusion detection systems and real-time alerting for anomalous activity.
• Testing: Regular penetration testing by independent third-party security firms, annual SOC 2 Type II audits and periodic regulatory examinations.
• Incident response: Documented incident response plan with defined procedures for containment, investigation, notification and remediation of security incidents.

7. Cookies and Tracking Technologies

CitiBusiness Online uses cookies and similar technologies for the following purposes:

• Essential cookies: Required for platform authentication, session management and security functions. These cookies cannot be disabled without losing access to the platform.
• Functional cookies: Store user preferences such as language settings, dashboard layout and default account selections.
• Analytics cookies: Collect aggregated usage data to help us understand how the platform is used and identify areas for improvement. Analytics data is anonymized and not linked to individual user identities.

You can manage cookie preferences through your browser settings. Disabling essential cookies will prevent you from accessing CitiBusiness Online authenticated features. We do not use advertising cookies or share cookie data with advertising networks.

8. Data Retention

CitiBusiness Online retains information in accordance with regulatory requirements and legitimate business purposes:

• Transaction records: Retained for a minimum of 7 years as required by the Bank Secrecy Act and OCC examination guidelines.
• Account information: Retained for the duration of the account relationship and a minimum of 7 years following account closure.
• Authentication logs: Retained for a minimum of 5 years for security investigation and audit trail purposes.
• Communication records: Retained for a minimum of 3 years or longer as required by applicable regulations.
• Website analytics data: Anonymized analytics data is retained for 24 months.

9. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: You may request a copy of the personal information we hold about you and your business.
• Correction: You may request correction of inaccurate personal information. For account-related corrections, contact your Citi relationship manager or call 800-285-1709.
• Opt-out of information sharing: You may opt out of certain information sharing with nonaffiliated third parties as described in Section 3.
• Marketing communications: You may opt out of marketing communications by clicking the unsubscribe link in any marketing email or contacting us directly.
• California residents: Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have additional rights including the right to know, right to delete, right to correct and right to opt out of the sale or sharing of personal information. CitiBusiness Online does not sell personal information. To exercise CCPA/CPRA rights, contact us at privacy@citibusiness.co.com or 800-285-1709.

10. Children's Privacy

CitiBusiness Online is a commercial banking platform intended for use by authorized representatives of business entities. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have collected information from a minor, we will take prompt steps to delete that information.

11. International Data Transfers

CitiBusiness Online primarily processes data within the United States. When international payment transactions require data transfer to foreign financial institutions or Citi affiliates in other countries, such transfers are conducted through secure banking networks (SWIFT, Citi proprietary network) in compliance with applicable data protection laws and subject to appropriate safeguards including contractual data protection obligations.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, regulatory requirements or applicable law. Material changes will be communicated through a notice on the CitiBusiness Online platform and, where required by law, through direct communication to account holders. The "Last Updated" date at the top of this policy indicates when the most recent revision was published. We encourage you to review this policy regularly.

13. Regulatory Resources

For additional information about your rights under federal financial privacy laws and regulations, the following regulatory agencies provide consumer and business education resources:

• Consumer Financial Protection Bureau (CFPB) — Federal agency responsible for consumer financial protection, including privacy rights under GLBA.
• Federal Trade Commission (FTC) — Enforces GLBA Safeguards Rule and Privacy Rule for non-bank financial institutions and provides guidance on financial privacy.

14. Contact Information

For questions about this Privacy Policy, to exercise your privacy rights, or to file a privacy-related complaint, contact us through any of the following channels:

• Email: privacy@citibusiness.co.com
• Phone: 800-285-1709 (Monday–Friday, 8am–8pm ET)
• Mail: CitiBusiness Online Privacy Office, P.O. Box 6500, Sioux Falls, SD 57117
• Online: citibusiness.co.com/contact-us

If you are not satisfied with our response to a privacy concern, you may file a complaint with the Office of the Comptroller of the Currency at 1-800-613-6743 or with your state attorney general's office.

This Privacy Policy is effective as of March 29, 2026. CitiBusiness Online is operated through the domain citibusiness.co.com. Banking services referenced in this policy are provided by Citibank, N.A., Member FDIC, regulated by the Office of the Comptroller of the Currency. NMLS #412915. Equal Housing Lender.