(DocuSign Envelope ID: £78127 0-0864-4171-BB1-SSD7Sk08CEEO Page 1 SOLICITATIONIAWARD TETTETTEET FRETS OFFEROR TO COMPLETE BLOCKS 12, 17, 28, 24, & 30 ASBCC-21-00453 ™ TREC S RIDE ECTIR a ORDER I: sourararas ONE = SOLENT tate om RECYR-21-G-0467 o9/oe/2001 RECVR-21-R-OL8L 4/08/2021, NR -conracrirasancr OFTHTDLEDATE 7.FORSOLICITATION gad-5a2-2371 vo Te INFORMATION CALL Benjamin Nguyen Federal Deposit Insurance Corporation Ove DOR/ASB Os 1601 Bryan Street, Suite 26106 aes won Dallas, TX 75201 o benjnguyensfdic. gov erver Ly sete oes. eo verenen ‘onNED SvaLL BUSRESS “Ta RRAT RSET [COSCO TERR “TONUNLESS BLOCKS js suncormaactina | OE SETETRTOR ——————— Csteseneom oe Oe Be, Os. Michael Weaver, 1501 Bryan Street, Dallas, | Trae Dupart 1x 75021 (972) 761-8275 kduparteedic.gov TREES come [oaawaaaass] FAT as FANT WBE WHDEEY con ANCHOR LAB-001, ANCHOR LABS, INC., 221 Federal Deposit rnsurance corporation PINE ST FL 6, SAN PRANCISCO, CA 94104-2705 | DOF/AE ABDLSEdic.gov 7h agg RRTON OBERT ANB ICH AOORR ae one nae. scueouie oF sorties sence ay | ar nice atin lee aeons one Anse idaion! her as 307 a 25 TOTAL AWARD ANOUNT Gon Uae Orb) $0.00 Pm AKARD INCLUDES NTACHENTS rs Eso pe [conIPACTORIS AEGIAED TOSIGN THIS DOCUMENT ND RETURN De AWARD OF CONTRACT: ore HERE G ACCEPTED ASTOITERS: S [a FEDERAL DEPOSIT NSURANGE CORPORATION (SGNATURE OF CO Kervin Trae Dupart ecu ianeet [ae DATE SERED |5VB RAR OF CONTACTING OTTER eo TE DATEINED Nathan MeCouley, CEO Kpivin Dopert o9/o7/2021 FDIC 3700/55 (3-08) RECVR.21-G.0467PAGE 2 OF 70 (DocuSign Envelope ID: £78127 0-0864-4171-BB1-SSD7Sk08CEE Page 2 RTT TRA TTETR rece i vvsrrcte scree, mun conronms ti COMTRACT. ACHPTAS NOTES EE SENATOR SE EDEN CONE FR PARTE ARE RN TCE SE ROEDERER re TE CORSET REPRE APHINEET FF VOOR ROR RR VERS fra Fr Ra ‘CORFECT OR SE ORREDINT We, So SRVOICHERNEER ORE “a RTE TG ACU CORRECT AND PRGPWR FOR PATENT [a CRT aT TE SRATIEANT TEP CERRO ORTCE ETAT [a FEED AT aA — ee FDIC 3700/85 (3-08) RECVR.21-G.0467Section R_ Suinnlios nr Sanvicos and Prineeit PAGE 3 OF 70 SSoaiGign Envelope fs EVES TASER TIT ABB SebvSADRCEEO Section B - Suppl Attachments for this section start after this page RECVR.21-G.0467Section R_ Sew inline ar Sonics and Priroc!™. SSoaiGign Envelope fs EVES PASE TT ABB Seb SADRCEEO RECVR.21-G.0467 Page & ANCHORAGE DIGITAL Federal Deposit Insurance Company (FDIC) Crypto Mission Capabilities Volume 4 - Ps Proposal Request for Proposal (REP) #; RECVR-21-R-O181 July 28, 2021 Submitted By: Anchor Labs, Inc] Embarcadero Center #2623, SF, CA.94126 PAGE 4 OF 70PAGE 5 OF 70 Section R_ Suinnlios nr Sanicos and Prineeit SSoaiGign Envelope fs EVES PASE TT ABB Seb SADRCEEO Page 5 Federal Deposit Insurance Company (FDIC) Crypto Mission Capabilities Request for Proposal (RFP) #: RECVR-21-R-0181 Volume 4 - Price Proposal duly 28, 2021 Submited by: Anchor Labs, Ine. | 1 Embareadero Center #2623, San Francisco CA 94126 ‘Technical POC and Contracts POC: Authorized Negotiator: Chris Wilson ‘Chris Wilson Tel, 310.460.8683, Email: chris.wilson@anchorage.com ‘Tel. 310.460.8683 Email: chris.wilson@anchorage.com Submitted To: Trae Dupart Federal Deposit Insurance Corporation 1601 Bryan Strect Dallas. TX 75201 Phone: 214-532-9667 js nemesis nnn een gas aban ry er sre wt tenon Todas hsniie asm linden Pr RECVR.21-G.0467Section R_ Suinnlios nr Sanicos and Prineeit PAGE 6 OF 70 SSoaiGign Envelope fs EVES PASE TT ABB Seb SADRCEEO Page 6 sara epot insnance Congpny #DIC3] Cryo Mission Capes ohana = sce Popo Fable of Contents 1.0 Pricing Overview 2 ia Pricing Summary 2 2.0 Invoicing 2 3.0 Travel and Other Direet Costs (ODCs) 3 4.0, Validity 3 5.0, Assumptions and Clarifications 4 List of Tables Table 11-1, Pricing Summary. 2 Table 2-1. Payment Schedule. 3 . Remittance Information. 3 Tequs Foe opel (EPH ROWE STIEOINT Vay 1 SDT tise or dishware of the dca conan tis pug is sujet He eects he fille ae os Psu cor abn, All pbs reser RECVR.21-G.0467Section R_ Suinnlios nr Sanicos and Prineeit PAGE 7 OF 70 Senior enveh ope i Efe PUBERS TT BB eb SRORCESO Page 7 Feral pi ure Company (FDIC). Crypte Miskon Capi olime = Price Prop RECVR.21-G.0467 LOPricing Overview Anchor Labs, Ine. is pleased to present our price quotation as part of our overall response to the Federal Deposit Insuranee Company (FDIC) for RFP Number; RECVR-21-R-O181 Proposal Volume: Volume 4 - Pricing, Our firm-fixed-price proposal is based upon an estimated level of effiot to complete Statement of Work (SOW) to inelude the processes for acquiring, valuation, custody, transfer, and liquidation of eryproassets within desired time frames for requirement. The Anchorage Digital Team is equipped with technical capability and relevant experience to assist in Pre-Close. Close, and Post-Close Resolution Phases. The following proposal is based on the details provided in the REP, our understanding of the bank closing process, and industry standard eryptoassets trading, practices, The pricing presented in this section follows che model provided and works off the assumption that for the Monthly Readiness’Training Fee line item, the 3 (number of events) listed in “2021 Year 1” represent 3 months, and the 12 (number of events) in all subsequent years represent 12 months per year. The basis point fee offered for Cryptocurrency Support Services is inclusive of valuation, custody, transfer, and liquidation of cryptoussets within desired time frames for requirement, The Monthly Readiness’Training Fee represents Training and Market Updates for all events listed within seape of this request for proposal, AIl‘Travel related expenses will be invoiced in accordance with Federal ‘Travel Regulations. Lodging and meals shall be invoiced in accordance with the more restrietive of firm policy or the standard per diem rates referenced in FDIC's published Travel Reimbursement Guidelines found here: hups:/eww.flic. gov/about/doing-business/acquisition/contractortavelzuidelines. pat Anchorage Digital has built an institutional system specifically designed for the management, custody, and liquidation of large quantities of cryptoassets. Anchorage Digital stores eryptoasset-holding private keys in Hardware Security Modules (IISMs) with no dircet conneetion to the internet, Anchorage Digital scenrely stores billions in assets for the largest institutions in the world. Anchorage Digital will use our visibility and integrations with exchanges to cnable the most cost-effective disposal possible, without sacrificing quality or security, while adhering to recognized business standards in the industry. Anchorage Digital’s system will provide best execution pricing across multiple venues, giving us the ability to transact on the most favorable valuation terms with the most prominent and liquid venues for a large variety of eryptoassets. We can provide valuation quotes 24/7 on very short notice, which will allow the FDIC to receive an accurate snapshot of the eryptoasset valuation at any point during the Pre-Close, Close, and Post-Close process. Anchorage Digital is able to provide monthly reporting at the receivership level ina variety of manners, Anchorage Digital can generate reports from within the system and send them to an FDIC email address, Current and historical balances of eryptoassets, balances per addresses, transfers, cash collections, trade history, and settlement status all filtered by time range can be provided by Anchorage Digital. ‘This enables all reporting to be handled in standard manner and provided repeatedly by 7th business for information effective the preceding Tequs Foe opel (EPH ROWE STIEOINT Vay 1 SDT tise or dishware of the dca conan tis pug is sujet He eects he fille ae os Psu cor abn, All pbs reserSection R_ Suinnlios nr Sanicos and Prineeit PAGE 8 OF 70 SSoaiGign Envelope fs EVES PASE TT ABB Seb SADRCEEO Page 8 Flat Pps Insurance Company (FDIC) Crypts Mission Capabiien olime = Price Prop calendar month, All of thi preference, ced via an online portal as well if of 1.1 Pricing Summary The following table provides a summary of our proposed pricing by year. ‘Table 11-1. Pricing Summary. recon (ear Live eo Numberef Evens | Fee SoRove _tmateeste |__| (ea Yaad [Ca pocuvency Sapam Sener ua [ = == aly ewan Tag es m7 = Tram] OT Ta Ege n-ol s Yer ae [ome Veer? (CapenueresSappot Sewios 3a 5 znaranina pS Tze stenhly Renee Fee Lo Sa 5 somen| [X4) Tia [Eensed O-Denaod s ‘i total War $a} (neat Your — [Moy Roadiwseiaining Eo 10 ‘SEEAND - “snwonce| (YAY Tease Fate On a| “Fl Your 3 s one (RoBi Year (Corot Supa Sane aa =o aa, ‘Manly Roshan Tam es ie SD = soon] (vA) Taw Finan oa s “Tal Opin eT = ma| 202 Gnd Open Yea fp [Cmrocuency Suppam Services an 5 ssamonou0| § 00 00000 [Manty Resciaeaakag fee De Za 5 3900000 Tal Eajened Onan = Option Year? s wpm rajcted Contract Teak = Tan 2.01 nv oie! The remittance address for invoice payments ‘Table 2-2, Remittance Tnformation ace ‘Anchor Labs, Ine. Address One Fmbancadero| emer 12628 Say Francisco. CA 94126 Anebior Labs. Ine. Fail accounting@anchorage.con Tagpayer MU 82-3257853 Tequs Foe opel (EPH ROWE STIEOINT Vay 1 SDT tise or dishware of the dca conan tis pug is sujet He eens he fille ae a Ns Pou cor ann, All pbs ese RECVR.21-G.0467Section R_ Suinnlios nr Sanicos and Prineeit PAGE 9 OF 70 Senior enveh ope i Efe PUBERS TT BB eb SRORCESO Page 8 Feral pi urge Company (FDIC). Crypte MiskonCapabiis olime = Price Prop RECVR.21-G.0467 3.0 Travel and Other Direct Costs (OCs) Anchor Labs. Ine. has not included any travel in our proposed price. Should the need arise for travel during the execution of this contract, Anchor Lbs, Inc. will obtain authorization from the Contracting Officer Representative (COR) prior to ineurring or invoicing of these costs. Authorized and approved Travel costs and ODCs will be incurred and invoiced in accordance with Federal Travel Regulations. Lodging and meals shall be invoiced in accordance with the more restrictive of firm policy or the standard per diem rates referenced in FDIC’s published Travel Reimburscment Guidelines found here: bhups://www.filic, gov/about/doing-business/acquisition/contractortaavelguidelines.pdf 4.0Vali This offer is valid for 120 days from the date of submission, July 28, 2021 5.0Assumptions tions The following is a list of assumptions and expectations upon which Anchor Labs, Inc, has relied on (che “Project Assumptions”). Any deviation from the Project Assumptions may affect the fees, expenses. and timelines set forth herein, 1. Cooperation and Commitment of all Parties: We have found that the success of important projeets like this one is dependent, to a significant degree. on the cooperation and commitment of all parties, To this end. FDIC and Anchor Labs. Inc. will cooperate with each other in the performance of services. including, without limitation, the provision by FDIC to Anchor Labs, Ine. of timely access to stakeholders nd information nevessary to complete the required tasks. FDIC shall be responsible for the performance of its employees and agents and for the accuracy and completeness of all data and information provided to the contractor hereunder, FDC] acknowledges and agrees that, contractor's performance is dependent upon FDIC's timely and effective satisfaction of FDIC’s responsibilities hereunder. Anchor Labs, Inc. shall be entitled to rely on all decisions and approvals of FDIC. Advice and Recommendations: In the performance of these services, Anchor Labs, Ine. is offering professional and technical services to FDIC. Anchor Labs, Inc.’s deliverables will include advice and recommendations, but all decisions in connection with implementation of such advice and recommendations shall be the responsibility of and made by, FDIC. we 3. FDIC Provided Information: Anchor Labs, Inc.'s work is based on the assumption that the information that FDIC is providing is accurate and complete and will be provided in a timely manner in order to meet schedule and submission deadlines. 4. Timely Deliverable Review and Acceptance: Anchor Lubs, Inc. shall deliver all products concurrently to the Contracting Officer's Representative (COR) and the Rqast oe Rapa RFF RVCMRCST COTY Wy SS tise or dishware of the dca conan tis pug is sujet He eects he fille ae os Psu cor abn, All pbs reserSection R_ Suinnlios nr Sanicos and Prineeit PAGE 10 OF 70 SSoaiGign Envelope fs EVES PASE TT ABB Seb SADRCEEO Page 10 Feral pi urn Company (FDIC). Crypte MiskonCapabiis olime = Price Prop Technical Point of Contact (TPOC). The COR will notify Anchor Labs, Ine. whether the formal deliverable has been accepted or provide written comments within ten (10) Government work days of receipt. Anchor Labs, Inc, shall then resubmit the final deliverable within ten (10) Government workdays (0 the COR, All documents shall be provided in electronic format to the FDIC using Microsoft Word 2010, Excel or PowerPoint. 5, Stakeholder Support: Appropriate stakeholders from Anchor Labs, Inc, and FDIC will be made available for initial evaluation, planning and testing of the exyptocurreney, reporting solution and throughout the lifetime of the contract. 6. Scape: Anchor Labs, Ine. assumes that if the seope of work changes. we will have the opportunity to re-negotiate the proposed pricing, 7. Pre-existing or Other Proprietary Technical Data: To the extent that Anchor Labs, Ine. delivers any of its pre-existing, proprietary or independently developed tools, materials, information, technical data or computer software (“Consultant Information”) in connection with this opportunity, such Consukant Information will be delivered to the Government with limited rights (as defined in FAR $2.227-14) and to FDIC with limited rights for FDIC to use solely for its internal business purposes and in connection with the deliverables, Prior to such delivery of Consultant Information, Anchor Labs, Ine, will provide notice to FDIC and will appropriately legend such Consultant Information Moreover, in the performance of the services, Anchor Labs, Ine. may utilize certain Consultant Information; Anchor Labs, Ine, will not transfer any ownership right, title or interest in Consultant Information to FDIC or the Government as a result of this use. 8. Management Functions or Decision: Anchor Labs, Inc. will not perform any management functions, make management decisions or perform in a capacity equivalent to thar of an employee of FDIC. Anchor Labs, Ine. will not be providing any legal advice or conducting a legal review of any of FDIC's documents, records ar policies, ¥ Terms and Canditions; All terms and conditions in the pricing assumptions shall become a part of any awarded contract to Anchor Labs, Inc., Tequs Foe opel (EPH ROWE STIEOINT Vay 1 SDT tise or dishware of the dca conan tis pug is sujet He eens he fille ae a Ns Pou cor ann, All pbs ese RECVR.21-G.0467Section C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 11 0F 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 11 Section C - Description/Specifications/Work Statement Attachments for this section start after the clauses, Clauses Incorporated By Reference Clause # Title Date No reference clauses were found for this section, Full Text Clauses 7.3.2.21 - Description/Specifications/Work Statement - October 2008 The nameldescription of the goods or services being acquired is as follows: Cryptocurrency Services ‘The specifications for and the description of the work to be performed under this award are fully detailed in either a Statement of Work (SOW), which is included as an attachment in Section C of this award document 7.3.2-34 - Duty to Deliver or Perform - July 2008 Contractor agrees to perform the services (the "Services") ar provide the goods (the "Goads"}, in accordance with the terms and conditions set forth herein and in any attachments to the contract. RECVR.21-G.0467Section C_ Mascrintion!Snenifiratinne Mork Statement PAGE 12 OF 70 SSeLIMG( envalpe IB EP INPE ARENA NROS SSB SREB EGO Page 12 Cryptoasset Management & Liquidation SOW Cryptoasset Management & Liquidation Statement of Work RECVR.21-G.0467Section C_ Mascrintion!Srerifiratinne Worle Statomant SSoaiGign Envelope Id £7837 70962441 HOS! SeB/SeNBC EEO Page 13 Cryptoasset Management & Liquidation SOW Table of Contents 1.0 OVERVIEW 11 INTR( i 12 BACKGROUND... 13 NATURE OF SERVICES. 2.0 DESCRIPTION OF SERVICES ... 2.1 GENERAL REQUIREMENTS... 22 CONTRACTOR READINES: 23 OBJECTIVES AND SCOPE 3.0 TASKS 3a PRE-CLOSING 3.1.1 Valuation. 3.1.2 Post-Closing Liquidation Plan 3.2 CLOSING SUPPORT . 3.2.1 Securing and Transferring Cryptoassets .. 3.2.2. Technical Support & Consulting ... 33 POST-CLOSING ASSISTANCE 3.3.1 Ongoing Custody... . 3.3.2 Accounting and Financial Reporting. 3.3.3. Liquidation .. 3.4 SYSTEM SECURITY ASSESSMENT AND AUTHORIZATION REQUIREMENTS «2.000 second 3.4.1 System Security ‘Assessment and ‘Authorization Process Documentation ... . 3.4.2. Independent Assessment 3.4.3. Support the Completion of the Privacy Compliance Documentation 11 3.4.4 Authorization to Operate. 3.4.5 Continuous Monitoring/Ongoing Assessment 3.5 FDIC TRAINING ......... 3.6 PERIODIC MARKET UPDATES. 3.7 SUMMARY OF DELIVERABLES. Appendix A - Cryptoasset Information Request List (IRL). RECVR.21-G.0467 PAGE 13.0F 70Section C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 14 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 14 Cryptoasset Management & Liquidation SOW 1.0 OVERVIEW 1.1 INTRODUCTION This Statement of Work (SOW) describes the Federal Deposit Insurance Corporation's (FDIC) requirements for a broad range of Cryptoasset Management and Liquidation services associated with a failing or failed financial institution. This SOW is part of a Receivership Basic Ordering Agreement (RBOA or Agreement), The RBOA represents the master agreement between the FDIC as Receiver for failing institutions (FDIC-R) and Contractor, and it establishes the basic terms, conditions, and requirements applicable to the services described herein. The FDIC-R will obtain services under this RBOA through the placement of Task Orders (TO). Individual TOs will be issued on an as- needed basis and will specify the tasks or services the FDIC-R requires the Contractor to perform. The FDIC-R will issue a Request for Task Order Proposal (RTOP) to obtain a final cost estimate from the Contractor for each specified phase of the project. The FDIC-R reserves the right to define the TO scope at its discretion. Cryptoassets are defined in the broadest sense to include any cryptographically secured representation of value without regard to ownership or how the value is determined or any federal or state law or regulatory definitions that limit the definition of cryptoassets 12 BACKGROUND The FDIC, established under the Banking Act of 1933, maintains the stability and public confidence in the nation’s financial system by insuring deposits, examining and supervising financial institutions, and — managing receiverships. The FDIC's Division of Resolutions and Receiverships (DRR) is responsible for resolving failing and failed financial institutions. The primary objective of the FDIC-R is to maximize the value of the failing or failed financial institution assets and to limit losses to the deposit insurance fund and pay uninsured depositors and general creditors. As such, the FDIC’s DRR plays an important role in liquidating these assets and resolving any liabilities, which may also include liquidating failed financial institution subsidiaries and their assets and liabilities. RECVR.21-G.0467Section C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 15 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 15 Cryptoasset Management & Liquidation SOW A statutory responsibility of the FDIC is to dispose of these retained assets while maximizing the net present value of them in the most cost-effective manner. This is most often completed by utilizing a Purchase and Assumption Agreement (P&A) to pass the majority of assets and liabilities to an assuming institution as of the date of failure. This is known as a franchise sale. In certain instances, however, some or all of the assets and liabilities are retained by FDIC-R for post-closing liquidation. 1.3 NATURE OF SERVICES The need for services under this RBOA is contingent upon the number of failing or failed financial institutions which the FDIC-R potentially markets before bank failure (pre-close) and/or acquires by appointment of receivership (closing) where those institutions own and/or maintain custody of Cryptoassets. These contingencies are highly variable and are marked by a high degree of uncertainty. As a result, the FDIC-R is unable to forecast the volume or frequency of services it may order under this RBOA. Flexibility and adaptability by all involved is essential. The Contractor providing the services described in this SOW must be prepared to perform within this context. 2.0 DESCRIPTION OF SERVICES The Contractor will provide a full range of Cryptoasset servicing and support services that include, but are not limited to, valuation, liquidation planning, securing and transferring Cryptoassets, offering technical support, maintaining ongoing custody, accounting end financial reporting, and executing liquidations. There is not always much time between the selection of the winning transaction in a franchise sale before the date of failure; therefore, planning for post-closing activities should be anticipated in all cases. Post-closing planning activities will begin pre-closing The Contractor will also provide training to FDIC staff and periodic market updates. 2.1 GENERAL REQUIREMENTS A Cryptoasset may be found in a financial institution in a division or department, or held by a subsidiary of the failing or failed financial institution. Cryptoassets may be used for several types of activities including the following. + Held in case of ransomware RECVR.21-G.0467Section C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 16 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 16 Cryptoasset Management & Liquidation SOW + Held as loan collateral + Held in custody for customers 2.2 CONTRACTOR READINESS It is the FDIC-R’s intent to provide Contractor with as much advance notice as possible about an upcoming project. However, due to the variable nature of financial institution resolution work, requirements for services may arise with little or no advance notice. Therefore, it is essential for Contractor to be ready and capable of rapidly responding to the FDIC-R’s requirements. Additionally, Contractor may be awarded simultaneous TOs that will require a depth of resources necessary to accomplish multiple projects with varying deadlines. Some projects may be time sensitive and require an immediate start at an FDIC-R designated location or Contractor's office. Contractor will maintain readiness to meet objectives and deadlines. 2.3 OBJECTIVES AND SCOPE The objective of this RBOA Is to leverage Contractor to perform the below activities for failing or failed financial institutions that have Cryptoassets. The FDIC-R is responsible for minimizing losses to the Deposit Insurance Fund by efficiently managing and realizing the value of assets of the receivership. FDIC-R may also inherit a fiduciary responsibility if the bank were maintaining custody of Cryptoassets on behalf of its customers. The FDIC-R may require one or more of the following tasks described in Section 3.0 Tasks to be performed by the Contractor. 3.0 TASKS Contractor is to provide the full range of Cryptoasset management and disposal services. This includes but is not limited to such activities as accounting, customer management, audit compliance, managing blockchain forks, wallet creation and management, private encryption key generation and safekeeping, backup and recovery of private encryption key material, airdrops, etc., as well as future actions associated with the handling of Cryptoassets. Contractor may reference all tasks that are relevant to this end, in addition to those tasks specifically mentioned below RECVR.21-G.0467Section C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 17 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO RECVR.21-G.0467 Page 17 Cryptoasset Management & Liquidation SOW 3.1 PRE-CLOSING VALUATION AND LIQUIDATION PLANNING Contractor will support the FDIC-R in up to three simultaneous preparation efforts pre-closing. The FDIC-R will provide reasonable updates to Contractor regarding the expected liquidation stretegy to support the completion of all required contract deliverables (see 3.6). Contractor will coordinate with the FDIC-R to obtain information through the Information Request List (IRL, Appendix A) process whereby the FDIC-R can access financial institution documentation prior to close in support of pre-failure planning. Contractor may advise the FDIC-R on additional information requests necessary to request from the financial institution in order to accomplish any of the requirements below. Contractor should note that due to the nature of a pending financial institution failure, all analysis will be conducted within compressed timelines and usually short notice Contractor will designate at least one specific subject matter expert who will be the primary point of contact (POC) for the duration of the work. 3.1.1 Valuation Contractor will provide valuation services for bank owned Cryptoassets. Timely completion of a valuation is critical throughout the resolution process. Contractor may be asked to perform valuation services pre-closing, as of the closing or post-closing. In any case, Contractor will complete the following: + Provide a valuation for each bank owned Cryptoasset within 2 days as of a specified date selected by the FDIC-R. + Provide @ supportable basis to be determined for the valuation (e.g. market quote or discounted cash-flow calculation). + Advise the OM or designee on valuation related issues or matters requiring FDIC attention. 3.1.2 Post-Closing Liquidation Plan Post-closing liquidation support services begin pre-closing. Contractor will assist the FDIC-R In developing plans for all tasks defined in sections 3.2, and 3.3. Contractor will provide a draft Liquidation Plan (Plan) regarding the securing, transfer, management, and liquidation of Cryptoassets within 3 business days of request by FDIC-R for any Cryptoassets discovered. The Plan should address all of the topics discussed below in sections 3.2 and 3.3. Contractor shall submit a template for the Plan upon contract award. The designated Contractor POC will assist the FDIC-R by joining conference callsSactinn CM. ‘Boe Sgn Enval loscrintinn/Snerifiratione Minre Statement PAGE 18 OF 70 ope I6’ EYE TN PO-SBEI ATT bESBT SsO/sRORCEES Page 18 Cryptoasset Management & Liquidation SOW RECVR.21-G.0467 as needed to answer any questions related to the financial institution's Cryptoassets and/or any information in the Plan. 3.2. CLOSING SUPPORT Generally, bank closings take place over a weekend and is referred to as a “Closing Weekend.” A Closing Weekend is defined as the period between the date of failure (typically close of business Friday) until the bank re-opens the following Monday morning. It is expected the contractor will either travel onsite to any U.S. locations, state or territory or coordinate remotely with onsite FDIC-R representatives to successfully accomplish the tasks discussed below. Although this work typically takes place over a Closing Weekend, the Contractor will provide this support whenever requested (whether that be over a Closing Weekend or during the week). Designation of onsite tasks should be documented in the Plan, including any reliance by Contractor on FDIC and/or bank personnel. Two general categories of work include 1) Securing and Transferring Cryptoassets and 2) Technical Support and Consulting. 3.2.1 Securing and Transferring Cryploassels FDIC-R is responsible for identifying the presence and location of Cryptoassets at a failed institution through the IRL and other pre-closing planning processes. Contractor, in coordination with FDIC personnel, shall use best and reasonable efforts to identify, document in the Plan and perform all actions necessary to secure any Cryptoassets as quickly as possible. Contractor will submit a mutually agreed upon time frame to secure any cryptoassets subject to available access to the bank resources necessary to conduct the transfer. Any needed resources (e.g, bank employee credentials) to accomplish this task should be included in the Plan. Any actions required of the FDIC for a particular Institution should be documented in the Plan. Any concerns with this expectation for a particular institution should be communicated in the Plan. Contractor, upon consultation with FDIC personnel, should include in the Plan whether Contractor's onsite presence is required to execute the Plan. Itis understood that the Contractor will not be able to manage every cryptocurrency currently in existence or that may ever be present at a bank; however, the Contractor should demonstrate capabilities to handle a wideSactinn CM. loscrintinn/Snerifiratione Minre Statement PAGE 19 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 19 Cryptoasset Management & Liquidation SOW RECVR.21-G.0467 variety of types of Cryptoassets and a willingness to be flexible in assisting FDIC-R to properly safeguard any Cryptoassets found in a bank. Any Cryptoassets which cannot immediately be secured and transferred to Contractor should be documented in the Plan. Contractor shall, at a minimum, advise FDIC-R on setting up reasonable internal controls around those Cryptoassets which Contractor cannot manage Possible actions desired include immediate liquidation and/or transfer into Contractor's custody on behalf of the FDIC-R for subsequent liquidation. There may be a variety of situations where FDIC-R does not or cannot liquidate Cryptoassets immediately and Contractor may be required to maintain custody for an extended period. It is anticipated that the Contractor will be used as the primary vehicle to liquidate Cryptoassets in an orderly fashion. 3.2.2 Technical Support & Consulting Contractor will be on call, if requested, the night of closing (usually Fridays) and additional designated hours over closing weekend for Technical Support and/or Consulting services related to implementing the Plan and resolution of any Cryptoassets discovered upon or after the time of failure. Hours would generally be limited to 8:00 AM - 8:00 PM local time. Work may be required outside of these typical hours to mitigate risks associated with the custody of cryptoassets, for example, if cryptoassets are discovered outside of these hours. 3.3 POST-CLOSING ASSISTANCE Contractor will be on call, if requested, the night of closing (usually Fridays) and additional designated hours over Closing Weekend for Technical Support and/or Consulting services related to implementing the Plan and resolution of any Cryptoassets discovered upon or after the time of failure. Hours would generally be limited to 8:00 AM - 8:00 PM local time. 3.3.1 Ongoing Custody Immediately and when technically feasible, Contractor shall take custody of and provide secure management and disposal services for any quantity of Cryptoassets and demonstrate a flexibility to accept a wide variety of Cryptoassets. Contractor should advise on options to set-up custody for Cryptoassets not currently within the Contractor’s offering. The ContractorSection C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 20 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 20 Cryptoasset Management & Liquidation SOW shall provide all aspects of the secure storage and management of Cryptoassets in its custody from the time of receipt until disposal. While in the Contractor's custody, Cryptoassets shall be stored in a location aligned with security and privacy requirements as defined in the Federal Information Security Modernization Act of 2014 (FISMA), the Office of Management and Budget (OMB) IT security and privacy policies and the National Institute of Standards and Technology (NIST) in the forms of Federal Information Processing Standards (FIPS) and Special Publications (SP). The Contractor shall provide support and documentation of security and privacy compliance as outlined in the current published version of NIST SP 800-37 (See section 3.4 System Security Assessment and Authorization Requirements). All Cryptoassets must be backed up in redundant geographically separate logical locations and in a manner that prevents compromise by internal collusion, third-party collusion, remote or local cyber-attacks, physical loss, fire or acts of nature. Custody may be required for assets owned by the FDIC-R or assets for which the FDIC-R is holding in a fiduciary capacity for others. if custody is being maintained for third parties, Contractor will be expected to coordinate with the FDIC-R and those third parties to absolve the FDIC-R’s fiduciary responsibility. For example, if the bank was providing trust services to its customers, Contractor would be expected to coordinate with those customers to return control of the Cryptoassets to the customers or to an alternative fiduciary as instructed by the customers]. The Contractor shall maintain separate inventories of Cryptoassets for each failed financial institution such that it is never comingled with any other wallets or addresses of different types or owners. The Contractor shall take prudent steps to prevent the loss of FDIC-R inventory by all means including but not limited to theft, human error, system failures, and acts of nature. The Contractor shall hold Cryptoassets in FDIC-R account in cold storage. Hardware used to store private keys associated with FDIC-R accounts shall not be connected to any local or external networks at any time except when specifically necessary to conduct a transaction. Contractor should provide information regarding any available insurance coverage which may reduce the risk of loss to hacks from malicious parties. 3.3.2. Accounting and Financial Reporting Contractor will be responsible for performing the following tasks: RECVR.21-G.0467Section C_ Mascrintion!Srerifiratinne Worle Statomant BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 21 Cryptoasset Management & Liquidation SOW RECVR.21-G.0467 Provide monthly reports including the following information. All information must be reported at the receivership level as each receivership is accounted for as a separate legal entity. FDIC-R will consider leveraging standard reporting provided by the contractor, where possible. Monthly reports are due by the seventh (7) business day for the information effective the preceding calendar month. Contractor shall deliver the reports to an FDIC email address or web page as directed by the Oversight Manager © Receivership Fund ID and Name {provided by FDIC-R at time of transfer) FDIC-R Asset ID (provided by FDIC-R at time of transfer) Inventory of Cryptoassets as of month-end Change in inventory (e.g. new assets, removed assets) Cash collections during the month Settlements in process at month-end Cryptoassets held for others eococo Ad Hoc Reports: Upon request, and with the written approval of the Oversight Manager, Contractor shall produce reports not otherwise identified and shall be entitled to the Ad Hoc Reporting Fee described in the Pricing Schedule attached to the Contract. Contractor shall provide inquiry access to FDIC-R Cryptoassets by Receivership via online access. Functionality shall include the ability to view amounts and types of coin owned by each receivership. Contractor shall file all required tax reporting with local and federal taxing authorities, 3.3.3 Liquidation Contractor will provide the following services as it relates to Cryptoasset disposal. Contractor shall dispose of retained Cryptoassets in the manner specified by the FDIC-R and upon request by the FDIC. These methods include but are not limited to the following: Direct exchange from Cryptoassets into United States Dollars (USD) where markets exist. Exchange to USD and/or sale via a sealed-bid auction Return to third party. 10 PAGE 21 OF 70Section C_ Mascrintion!Srerifiratinne Worle Statomant BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 22 Cryptoasset Management & Liquidation SOW RECVR.21-G.0467 FDIC Contracting Officer will designate primary points of contact (Asset Manager and Oversight Manager) from whom the Contractor shall receive direction to take action related to asset disposition. 3.93.1 Goneral Liquidation Once the FDIC-R has transferred a Cryptoasset to the Contractor and requested liquidation from the FDIC Asset Manager, Contractor will confirm in writing the recommended liquidation method within five (5) business days, including a comparison of expected gross and net recoveries with at least five (5) different exchanges. If the directed method is determined to not be feasible, Contractor must provide a written explanation of the mitigating factor and provide an alternative method and explanation of the choice, and any change in pricing. Standard disposals of all types of virtual currency shall be completed within seven (7) business days of notification. Initiate cash transfers for any proceeds of Cryptoasset liquidations to a bank account designated by the FDIC. The seven-day disposal deadline will be considered complete when all proceeds, net of any costs to transfer Cryptoassets are in the FDIC's bank account. Any expected deviations shall be noted to the Asset Manager in writing before the deadline 3.3.3.2 Seated-bid Auctions The FDIC, in consultation with the Contractor, may determine in its sole discretion that any amount of Cryptoassets will be sold separately via a sealed-bid auction, rather than on an exchange. Sealed bid auctions of all types of Cryptoassets shall be completed within forty-five (45) calendar days of notification. Know Your Customer (KYC) will be required for the contractor to hold an auction, The registered bidders will need to provide the auctioneer their Personally Identifiable Information (PII) to enable the FDIC-R to perform adequate background investigation on each control person of each bidder. Each potential bidder may also be required to submit the FDIC's purchaser eligibility certification (PEC). The process to fill out and submit the Pll and PEC will need to be part of the auction timeline. The sealed-bid auction is constructed such that bidders are to submit bids for the assets. The winning bids are determined solely by the highest bid. a PAGE 22 OF 70Section C_ Mascrintion!Srerifiratinne Worle Statomant ‘Boe Sgn Enval ope ib PBs 7GaBEA aT BOS sO /SRIBCESO Page 23 Cryptoasset Management & Liquidation SOW RECVR.21-G.0467 FDIC-R sealed-bid auctions do not have @ minimum bid. The Contractor can determine if they want to adjust the rules/structure and submit these requested changes and logic for the change to the FDIC-R consideration and approval 2.3.3.3 Retunn to Thitel Party In instances where the FDIC-R is to return Cryptoassets to a third party (e.g. to cease offering custody services to a consumer) the Contractor shall process these requests in a timely and efficient manner. Although the return of Cryptoassets are considered a type of disposal with regard to the asset itself, the Contractor shall NOT be entitled to a commission, rather it shall be entitled to its regular monthly management fee only. The return of assets to a third party shall be completed within seven (7) business days of notification. 3.4. SYSTEM SECURITY ASSESSMENT AND AUTHORIZATION REQUIREMENTS In the event the Contractor inputs, stores, processes, outputs, and/or transmits FDIC data within a Contractor IT system, the Contractor shall obtain an Authority to Operate (ATO) signed by the FDIC Authorizing Official (AO) granted via the System Security Authorization (SSA) process. The FDIC process for obtaining and maintaining ATO, is in accordance with NIST SP 800-37 Risk Management Framework for Information Systems and Organizations. The Contractor shall adhere to current FDIC policies, procedures, and guidance for the SSA process as defined below Complete the Security Authorization Process. The SSA process shall proceed according to the NIST SP 800-37 Risk Management Framework for Information Systems and Organizations or any successor publication including templates. 3.4.1 System Securily Assessment and Authorization Process Documentation SSA documentation shall be developed by the Contractor using the FDIC provided security documentation templates. SSA documentation consists of the following: Security Categorization Worksheet, System Security Plan, Contingency Plan, Contingency Plan Test Results, Configuration Management Plan, Security Assessment Plan, Security Assessment Report, and Authorization to Operate Letter. Additional documents that may be required 12 PAGE 23. OF 70Section C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 24 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 26 Cryptoasset Management & Liquidation SOW include a Plan(s) of Action and Milestones and Interconnection Security Agreement(s). 3.4.2 Independent Assessment Contractor shall have an independent third party perform an assessment of the FDIC-prescribed security and privacy controls as outlined in NIST SP 800- 53 to determine the extent to which the selected controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security and privacy requirements for the system and the FDIC. Should the independent assessment find deficiencies, the Contractor must follow the direction of the FDIC to create and track Plans of Action & Milestones (POA&Ms) to be included in the final authorization package. FDIC has the unilateral right to determine if the results and mitigation strategy are acceptable. In the case of unacceptable results or mitigation strategy, or if the Contractor does not remediate control weaknesses in a timely manner as established in POA&Ms, FDIC may treat the failure as an event of default. 3.4.3 Support the Completion of the Privacy Compliance Documentation As part of the SSA process, the Contractor may be required to support the FDIC in the completion of a Privacy Threshold Analysis (PTA). The requirement to complete 2 PTA is triggered by the creation, use, modification, upgrade, or disposition of a contractor IT system that will store, maintain and use Pll. Upon review of the PTA, the OCISO Privacy Section determines whether a Privacy Impact Assessment (PIA) and/or Privacy Act System of Records Notice (SORN), or modifications thereto, are required. The Contractor shall provide all support necessary to assist the FDIC in completing the PIA in a timely manner and shall ensure that project management plans and schedules include time for the completion of the PTA, PIA, and SORN (to the extent required) as milestones. Support in this context includes responding timely to requests for information from the FDIC about the use, access, storage, and maintenance of Pll on the Contractor's system, and providing timely review of relevant compliance documents for factual accuracy. Information on the FDIC’s privacy compliance process, including PTAs, PIAs, and SORNSs, is accessible at www.fdic.qov/privacy. 3.4.4 Aulhorization to Operale Upon completion of the SSA documentation and independent assessment, the Contractor shall submit a signed SSA package, validated by the independent third party, to the Oversight Manager for acceptance by the FDIC Authorizing Official (AO}, or designee, at least thirty (30) days prior to 13 RECVR.21-G.0467Section C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 25 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 25 Cryptoasset Management & Liquidation SOW the use of the system. The FDIC is the final authority on the compliance of the SSA package and may limit the number of resubmissions of a modified SSA package. Once the ATO has been granted by the FDIC AO the Contracting Officer shall incorporate the ATO letter into the contract as a compliance document. The FDIC's issuance of the ATO does not alleviate the Contractor's responsibility to ensure the controls are implemented and operating effectively. The SSA package must include the following: Deliverables (30 Days Prior to System Use) Security and privacy plans Security and privacy assessment reports Plan of action and milestones ‘Supporting assessment evidence or other documentation, as required. 3.4.5 Continuous Monitoring/Ongoing Assessment After an initial authorization, the Contractor shall have the security and privacy controls assessed on an ongoing basis in accordance with NIST SP 800-37 and based on the FDIC Control Assessment Frequency. Ongoing assessment of the control effectiveness is part of the continuous monitoring activities of the FDIC. Adherence to the terms and conditions specified by the AO as part of the authorization decision are also monitored. Ongoing control assessment continues as the information generated as part of continuous monitoring is correlated, analyzed, and reported to the Oversight Manager for acceptance by the FDIC AO. The system needs to undergo a Security Impact Assessment {SIA} whenever any changes/modifications are made to the system. Should the independent assessment find deficiencies, the Contractor must follow the direction of the FDIC to create and track Plans of Action & Milestones (POA&Ms) to be included in the final authorization package. FDIC has the unilateral right to determine if the results and mitigation strategy are acceptable. In the case of unacceptable results or mitigation strategy, or if the Contractor does not remediate control weaknesses in a timely manner as established in POA&Ms, FDIC may treat the failure as an event of default. 3.5 FDIC TRAINING Facilitate and enhance the FDIC staff's knowledge of the Cryptoasset industry through training. It is anticipated approximately 50 participants 14a RECVR.21-G.0467Section C_ Mascrintion!Srerifiratinne Worle Statomant ‘Boe Sgn Enval ope ib PBs 7GaBEA aT BOS sO /SRIBCESO Page 26 Cryptoasset Management & Liquidation SOW RECVR.21-G.0467 would attend training that could span one to three days. Some of the training topics should include, but are not limited to the following: + Overview of the Cryptoasset industry especially those Cryptoassets most likely to be used by the commercial banking and non-bank industry now or in the future. + Description of distributed ledger technology. Specifically, any current form of this technology of which the FDIC-R should be aware to resolve a failing or failed financial institution with Cryptoassets. + Types of Cryptoasset private keys to assist FDIC personnel in being vigilant in identifying Cryptoassets at failed institutions which otherwise may not have been properly disclosed + Key changes in the Cryptoasset industry since the previous FDIC Training. Contractor will review with the FDIC point of contact for possible leveraging of Contractor’s existing course materials, which at a minimum will cover the above topics. Contractor will provide the training material to the FDIC in electronic presentation-style format and will allow the FDIC to video tape or capture by other means all training provided. The FDIC, in its discretion, may require Contractor to provide updates and/or refresher training to the initial event, and require updates to Contractor's existing course materials. The FDIC may require the full curriculum to be delivered more than once. The training must be able to be conducted virtually, although FDIC and Contractor may also mutually agree to conduct training in person. 3.6 PERIODIC MARKET UPDATES ‘Semiannual or upon FDIC request, Contractor should provide a market update briefing on the status of the industry. FDIC may request follow-up briefings based on material provided. 3.7 SUMMARY OF DELIVERABLES + Valuation of cryptoassets as requested by FDIC + Post-closing liquidation plan 15 PAGE 26 OF 70Section C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 27 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 27 Cryptoasset Management & Liquidation SOW RECVR.21-G.0467 Written confirmation upon successful transfer of any cryptoassets into contractor's custody Accounting and financial reports as defined in 3.3.2 Training curriculum as described in 3.5 Market updates as described in 3.6 Other reports or confirmation as mutually agreed by FDIC and contractor 16Section C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 28 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 28 Cryptoasset Management & Liquidation SOW Appendix A - Cryptoasset Information Request List (IRL) + Is the bank involved in any Blockchain or Distributed Ledger Technology (DLT) arrangement? (Y/N) © Provide the name and contact information of the key holder (who has access rights to the Cryptoassets)? © Provide details on key storage location (Physical, exchange- based) + Describe the business use-case for the Distributed Ledger Technology. For example, is this an intrinsic crypto currency (Bitcoin, Ethereum, Ripple, custom-developed, etc.) or do the tokens represent ownership interests in something else (cash accounts, bars of gold, real estate, stock in a company, access rights, etc.}? + Is the Cryptoasset(s) involved in any third party relationships (does it serve as loan collateral, are the any Smart contracts involved, custodial services, it used to process payments of the bank and/or third parties)? © If Cryptoassets represent loan collateral, provide a list of loans collateralized by Cryptoassets, identify who has custody of the Cryptoassets and describe the process of "foreclosure" on the Cryptoassets based on the terms of the loan agreements if the bank does not already have custody. ©. If Smart Contracts are involved, provide a list active Smart Contracts and counterparties subject to Smart Contracts and counterparties subject to Smart contracts. Provide all applicable terms known relative to any active Smart contracts. ©. If providing custodial services, provide a list of customers for who custody if being provided and the amount of Cryptoassets being serviced for each customer. © If being used by the bank to process bank settlements, list any assets of the bank which are connected in any way to the distributed ledger (i.e, minimum deposits to participate in a blockchain) ©. If being used to process third-party payments, provide list of participants in the payment network if applicable. Otherwise, provide list of payments executed in the past six (6) months. + Was the DLT developed internally or by a third party? Provide the name of the developer of the technology. W7 RECVR.21-G.0467Section C_ Mascrintion!Srerifiratinne Worle Statomant PAGE 29 OF 70 BoeiSign Envaiope ib £7017 BEAT BOS! se0 SAsBCEEO Page 20 Cryptoasset Management & Liquidation SOW + Provide the quantity (count/amount) of Cryptoassets owned for each type, if applicable. 18 RECVR.21-G.0467Section F_ Inenectinn and Arcantance PAGE 30 OF 70 Boe Sign Envaiepe i E717 USE ATP BB SSD TSAORCEEO Page 30 Section E - Inspection and Acceptance No attachments were added for this section, Clauses Incorporated By Reference Clause # Title Date No reference clauses were found for this section, Full Text Clauses 7.6.4-01 - Inspection and Acceptance - July 2008 {@} All goods and services shall be subject to inspection and test by the FDIC Oversight Manager, to the extent practicable, a all imes and places during the term of the award. All inspections by the FDIG shall be made in such aimanner as not to unduly delay the work (b) The FDIC shall have 30 business days from the date of Contractor's delivery to determine if such goods and services are in compliance with the requirements of the cantract. If any services performed ar goods delivered hereunder are not in conformity with the requirements of this Award, the FDIC shall have the right to require Contractor to reperform the services or redeliver the goods in conformity with the requirements of the Award, at no ditional increase in total contract amount, ‘When the services to be performed are of such a nature that the defect cannot be corrected by reperformance of the services, the FDIG shall have the right ta (1) require Contractor immediately to take all necessary steps lo ensure fulure performance of the services in conformity with the requirements of the contract; and (2) reduce the contract price te reflect the reduced value of the services performed. in the event Contractor fails promptly to reperform the services or redeliver the goods, or to take necessary steps to ensure future performance of the services or delivery of the goods in conformity with the requirements of the Award, the FDIC shall have the right to either (1) by contract or otherwise, have the services performed or the goods delivered in conformity with the contract requirements and charge to Contractor any cost ‘occasioned to the FDIC that's directly related to the performance of such services or the delivery of such goods; or (2) terminate this Award for default as provided in 7.6.6-2, Termination for Default, (©) Contractor shall provide and maintain an inspection system acceptable to the FDIC covering the goods or services to be delivered or performed hereunder. Records of all inspection work by Contractor shall be kept complete and available to the FDIC during the term of this Award and for such longer period as may be specified elsewhere in this Award. RECVR.21-G.0467Section F_ Neliverias ar Barfrwrm: PAGE 31 OF 70 SSoaiGign Envelope i £7810 FASB 11 F1-BBB1-SSDTIAORCEEO Page 31 Section F - Deliveries or Performance No attachments were added for this section, Clauses Incorporated By Reference Clause # Title Date No reference clauses were found for this section, Full Text Clauses 7.3.1-10 - Place of Delivery or Performance - November 2013 The place of delivery or performance is: At the Contractors place of business or the offices of the FDIC. 7.3.4-11 - Deliverables - July 2008 The Contractor must provide all del verables described in the statement of work. 7.3.1-12 « Period of Performance - October 2015 ‘The Initial Period of Performance begins on September 8, 2021 ("Effective Date") and expires on September 7, 2024, If all option periods are exercised, the final expiration date is September 7, 2026, See clause 7.5.5-1, Option Period, RECVR.21-G.0467Section @_ Contract Adm inictration Mat: PAGE 32 OF 70 SiSoaiGign Envelope is E7850 7oS8Eb1 eHba1-SSDTIAOBCEEO Page 32, Section G - Contract Administration Data No attachments were added for this section, Clauses Incorporated By Reference Clause # Title Date No reference clauses were found for this section, Full Text Clauses 7.3.2-41 - FDIC Personnel - July 2008 {@) FDIC Oversight Manager. The Oversight Manager is the person designated in writing by the Contracting Officer to represent the FDIC for the purpase of monitoring technical performance and accepting goods or services. ‘The Oversight Manager is not authorizes to Issue any instructions or directions whieh effect any substantive change in this contract, including, but not limited to, an increase or decrease in the price of this contract, or a change in the doivery date(s) or Period of Performance, Specific areas of delegated authority are more particularly defined in the ‘Oversight Manager Appointment Memorandum. The Oversight Manager is Michael Weaver. (b) FDIC Contracting Officer. The Contracting Officaris the person with FDIC-delegated authority to enter into, modify, administer, and terminate contracts and orders, The Contracting Officer 's Kervin Duparr. 7.5.13-01 - Method of Payment - Electronic Fund Transfer (EFT) - March 2014 {a} Payment methods. Payments by the FDIC may be made by check or electronic funds transfer (EFT), or by a third party in lieu of payment directly from the FDIC, at the option of the FDIC. If the FDIC makes payment by EFT, the FDIC may, at its option, also forward the associated payment information by electronic transfer. Any third party payments will be made by the FDIC's commercial purchase card issuer. In the event Contractor certifies in variting, to the payment office that Contractor does not have an account with a financial institution or an authorized payment agent, the FDIC would make payments by other than EFT. (b) Contractor Payment Requests. If the FDIG elects for third party payments to be made, Contractor shall make payment requests through a charge to the FDIC purchase card! with the third party, atthe time and for the amount due in accordance with the terms of this contract. Contractor and the third party shall agrae that payments due under this contract shall be made upon submittal of payment requests to the third party in accordance with the terms and conditions of an agreement between Contractor, the Contractor's financial agent (if any), and the third party and its agents (it any). No payment shall be due the Contractor until such agreement is made, Payments made or due by the third party are not subject to the Prompt Payment Act or any implementation thereat in this contract. Decumentation of each charge against the FDIC's purchase card shall be provided to the Contracting Officer upon request. Contractor is required, as a condition to any payment, to maintain current information in the System for Award Management (SAM) database. Ary invoice submitted with incorrect EFT information shall be deemed not to be a proper invoice as defined in the Prompt Payment Act clause herein. RECVR.21-G.0467Section @_ Contract Adm inictration Mat: PAGE 33. OF 70 SiSoaiGign Envelope is E7850 7oS8Eb1 eHba1-SSDTIAOBCEEO Page 33, 7.5.13-12 - Schedule for Invoicing - July 2008 For Firm-Fixed-Price, Contractor must submit invoice upon completion of the service or delivery of the goods. 7.5.13-13 - Contents of Invoice - March 2014 Contractors invoices must include the following items in order to be processed for payment, (a) Contractor name, adéress and phone number. (b) Invoice date. {Contractors must date invoices as close as possible to the date of electronic transmission 10 Folic.) (©) Invoice number. (4) Contract Number (e.g, Contract Number, Task Order Number, Delivery Order Number, etc) {e) Line Item Number(s}, as identified in the contract, and the amount invoiced for each Line Item Number {f} Allocation of all hours and expenses to Financial Institution Number (FIN} and Asset Name/Number, if applicable, (g) Description, quantity, unit of measure, unit price, extended price of goods delivered or services performed (h} Total invoice amount. (@ Payment terms (discount for prompt payment terms}. @) Remittance address. (&) Billing Point of Contact (2.g., name (where practicable), title, phone number, and mailing address af person to nlity if there are questions regarding the invoice), (Shipping information (e.g... shipment number. date of shipment, bill of lading number and weight of shipment. Shipping charges, if any, must be shown as a separate item on the invoice). (mn) For time and material or labor hour awards, copies of time sheets in suppod of direct labor charges. (n) I travel expenses are reimbursable under the award, Contractor must submit travel documentation, receipts and cther proof of expenses as required by the FDIC Contractor Travel Reimbursement Guidelines. {0} If subcontractor expenses are reimbursable under a labor-hour or time-and-material award, Contractor must (1) identify subcontractor expenses and costs separate from prime contractor expenses and costs on the invoice it submits to FDIC; (2) submit with its invoice, as supporting documentation, 2 copy of its subcontractors invoice when seeking reimbursement of subcontractor expenses. (P) Pass through costs - If expenses or costs are reimbursable under the terms of the award, a description of each shall be provided in the invoice along with the quantity, unit amount, and total amount. Also, it amounts are derived from application of any formula, calculation, percentage, etc., such application must be clearly evident in the supporting documentation provided with the invoice. {q) The following cerification statement, signed by an authorized company representative: “This is to certly that the services set forth herein (goads described herein] were performed [delivered] during the period stated. Contractor's Authorized Representative Date’ (0 Any other information or supporting documentation required by the award. fan invoice does not contain the above required information: contains errors; or exceeds the total compensation ceiling limit for this award, the invoice wil be returned to Contractor and processing of the invoice for payment will be delayed until the deficiency is corrected, RECVR.21-G.0467Section @_ Contract Adm inictration Mat: PAGE 34 OF 70 SiSoaiGign Envelope is E7850 7oS8Eb1 eHba1-SSDTIAOBCEEO Page 34 In addition, the FDIC requires Contraciors to maintain current information in the System for Award Management (SAM) database and complete the annual renewal pracess, in order to receive timely involce payments, FDIG may reject any invoice received from Contractor where processing of the invoice cannot be completed because Contractor has failed to maintain ils registration, including electronic funds transfer (EFT) information, in the SAM database. 7.5.13-15 - Electronic Invoice Preparation and Submission (CORFD/RECVR/SUBSD) - July 2010 Contractor must follow the FDIC's electronic invoice preparation and submission instructions stated below: {@) Contractor must email electronic invoices to the FDIC's (see also Department of Finance/Accounts Payable (DOFIAP)} at the following address: APDL@fdic.gov {b} Contractor must only email their invoices to the above DOF/AP email address and not the Oversight Manager {OM) or Contracting Officer. The FDIC will not accept hand-delivered invoices or invoices sent to any other address {i.e., FDIC street address or any other email addresses} (6) Contractor must submit the electronic invoice as a single file document, in Portable Document Format (pdf). The file should include the exact same information that has been submitted physically via mall in the past. (FDIC oniy wants one electronic file because we will be uploading the single pdf into a database and we only want one file associated with an invoice. However, ifthe size of a single pdf fle exceeds 30 MB, the invaice may either be submitted as two paf files, with neither pd fle exceeding 30 MB, or it may be submitted as 2 zip file thal does not exceed 30 MB. If two pdf files are used, each email must clearly identity that the invoice has been separated into two pdf files to accommodate the size limitation. If zip file is used, the individual files inside the zip file must be kept to.a minimum and each must have a descriptive file name, such as "Invoice cover page", "Timesheets", etc.) (@) Contractor must not include more than one electronic invoice in the same email, (For example, i Contractor has four task orders, a separate email with a single invoice must be submitted for each of the four task orders.) {(e) Contractor must name the pdf file or zip fle in the following format (with invoice date shown as yearimonthidate followed by a space and the Invoice number}: Invoice date and invoice number (e.g., 2008-01-31 1067876) {f} Contractor's email subject fine must include the words, “Contractor Invoice", followed by a hyphen and the ‘Contract Number (or Task Order Number, or Delivery Order Number, as applicable}, as shown in the example below ‘ontractor Invoice - CORHQ-08-C-0000" (g) Task Assignments; For contracts and task orders containing provisions for Task Assignments, a separate invoice must be submited via @ separate email for each Task Assignment, {h) The caunting of days far Prompt Payment begins on the date the invoice is received in the inbox of the DOF/AP RECVR.21-G.0467Section @_ Contract Adm inictration Mat: PAGE 35 OF 70 SiSoaiGign Envelope is E7850 7oS8Eb1 eHba1-SSDTIAOBCEEO Page 35, ‘email address, until 4PM, Invoices received ater 4PM will be counted as being received the following FDIC workday @ Contractor may check on the status of an invoice by sending an email to the following aderess: APDLINQUIRY@FDIC, GOV, oF by calling the Dallas Accounts Payable Unit directly at (972) 761-8098. If payment has not been received within the time frame of the contract terms, the Contractor is advised to contact the FDIC to make sure the invoice was received and processed. FDIC will research and provide the Contractor with the status. RECVR.21-G.0467Section H_ Snacial Contract Roniiramants SSoaiGign Envelope i> E7540 72966441 -BBS-SSDTIADECEEO Page 36 Section H - Special Contract Requirements No attachments were added for this section, Clauses Incorporated By Reference Clause # Title Date No reference clauses were found for this section, Full Text Clauses 7.1.3-2 - Post-Government Employment Certification (Post-Award) - May 2009 Any former Federal Deposit |nsurance Corporation (FDIC) or Resolution Trust Corporation {RTC} employee who: the contractor intends to use in performance of werk under the contractor iis subcontracts must complete and subnit the post-government employment certification found at FDIC website www. fdic. gowbuying/goods/acquisition/index.html. The certification must be submitted to the Contracting Officer prior to the former emplayee commencing work under the contract. The FDIC Legal Division Ethics Unit will review the certification to determine compliance with the post-government emplayment restritions. The former employee may be required to provide additional information as to their position and responsibilties while employed at FDIC or RTC and as a post-government employee working on the FDIC contract or subeontract. 7.3.2-36 - Task Order - July 2008 ‘At any time during the Paried of Performance, the Contracting Officer may send to Contractor, and any other Contractors awarded this RBOA, a Request for Task Order Proposal (RFTOP) describing the nature af one or more specific tasks, the structure for Contractors offer and any other information relating to the task. Task orders under this Agreement may be awarded based using the following methiod(s) Rotational: Contractors will be placed in a queue established on the basis of their price-fee proposals. The queue will list contractors from lowest to highest price-foe with the lowest price-fee contractor listod first. Task ordors will be issued on a rotational basis beginning with the first contractor in the queue. This method will be the primary method used to award task orders, Direct Award: FDIC reserves the right to issue a task order directly, outside of any rotation. A contractor receiving a direct award will be placed at the end of the queue for the next rotalignal award. ‘Competition: FDIC may compete the award of a particular task order among all contractors holding this Agreement. Both price-fee and technical capability will be evaluated, A contractor awarded a task order through competition will be placed at the eng of the queue for the next rotational award. I Contractor wishes to offer its goods or services for the task, it must deliver an affer pursuant ta the terms of the Request. Based on the offers received, the FDIC may select one or more contractors to perform the tasks. The task order must be executed by Contractor and the FDIC Contracting Officer after which there will exist a binding obligation between Contractor and the FDIC under the terms of the Agreement and the task order for delivery of the goods or services described therein. The task order format may change during the periad af performance: of this RECVR.21-G.0467 PAGE 36 OF 70Section H_ Snacial Contract Roniiramants PAGE 37 OF 70 SSoaiGign Envelope i> E7540 72966441 -BBS-SSDTIADECEEO Page 37 Agreement, 2-43 - Key Personnel - July 2008 The following key personnel are essential to the proper performance of Contractors duties under this contract Na Tile \ Director of Client Operations Anchorage Digital jenior Manager of Client Operations Anchorage Digital (b) Contractor must make the above named key personnel available for performance under this contract as long as such persons are employed by Contractor or its elated entities. All key personnel changes must be authorized in writing by the FDIC Contracting Officer prior to the new key personnel beginning work. Contractor must give @ minimum of a 14-day advance written notice to the FDIC Contracting Officer of any proposed substitutions of key personnel. The notice must describe the reason for the proposed change; give the name of the proposed substitute individual with a description of his eclusational and professional background; and include a completed background investigation questionnaire. The determination of acceptebilly of proposed substitute personnel is in the sole discretion of the FDIC. 7.4.2-01 - Security and Privacy Compliance for IT Services - March 2021 (a) Security and Privacy Compliance. The Contractor is responsible for Information Technology (IT) security for Contractor Personnel and subcontractor personnel granted access to: sensitive information as defined in FDIC. Circular 1360.9 (and referenced throughout this contract as ‘sensitive’ or FDIC-sensitive information’); the FDIC network; systems connected to the FDIC network; and systems developed, maintained, implemented or operated by the Contractor for FDIC. All T products and services provided by the Contractor that collect, process, maintain, (or store FDIC-sensitive information shall comply with all FDIC information security and privacy directives, policies land requirements unless Contractor obtains a vatitten waiver from FDIC Information Security/Privacy stat. {b} Laws and Standards. All T products and services provided by the Contractor that collec, process, maintain, o store FDIC-sensitve information must comply with Federal laws and standards addressing information security and privagy. These include but are not limited to: (1) The Privacy Act of 1974 (5 U.S.C. 52a) as amended (if incorporated in the contract); (2) Office of Management and Budget (OMB} Circular A-130, Management of Federal Information Resources {Transmittal Memorandum No. 4) including Appendices; (3) E-Government Act of 2002 (P. L. 107-347) including Title Il, Section 268 - Privacy Provisions and Tite Ill - Federal Information Security Modernization Act of 2014 (FISMA), and related OMB guidance; and (4 National Insitute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) and Special Publications {€) FDIC Policy ang Guidance. AIIT products developed by and |T development services provided by the Contracior, specifically for FDIC, shall address information security and privacy requirements throughout their design, development, implementation, maintenance, operation, and termination as provided in FDIC system development life cycle policy and guidance. This includes completing or providing the necessary information for the FDIC to complete privacy impact assessments, security assessments, risk assessments, security plans, contingency plans, and olher security and privacy artifacts as required RECVR.21-G.0467Section H_ Snacial Contract Roniiramants PAGE 38 OF 70 SSoaiGign Envelope i> E7540 72966441 -BBS-SSDTIADECEEO Page 38 (@) Subcontracts. Contractor must must ensure this clause is included in all frst-tier subcontracts and lower-tier levels of subcontracts to which the conditions and requirements described in this clause would apply. 7.4.2-02 - Off-site Processing and Storing of FDIC Information - August 2018 {a} Control and Protection of FDIC Information, The Contractor shall implement effective, administrative, technical, ‘and physical safeguards to ensure that all FDIC information in its possession or under its control is adequately protected from loss, misuse, and unauthorized access or modification. The creation, collection, use, processing, sloring, maintenance, dissemination, disclosure, end disposal of FDIC information shell comply with all applicable federal and state laws and FDIC directives, rules and regulations regarding protection of information. The ‘Contractor shall not use any FDIC information except io the extent necessary to carry out its obligations under the sontract. The Contractor shall nat disclose FDIC information to any third party unless disclosure is authorized in the contract, the Contractor obtains the prior written consent of the Cantracting Officer, or to the extent expressly required by applicable law, in which case the Contractor shall notify the Contracting Otficer atleast ten (10) business day betore such disclosure, to allow the FDIC to object or concur, The Contractor, subcontractor, or any entity under the Cantractor's control shall nat access, disseminate, maintain, store, use or disclose FDIC information outside the United States. unless specifically directed by the contract or otherwise authorized by the Contracting Officer. (b) Return, Destruction and Retention of FDIC Information. All FDIC information remains the property of the FDIC. Upan completion or termination of the contract, or at any time upon request of the Contracting Officer, Contractor shall promptly return to the Oversight Manager all FDIC information in its possession andior securely dispose of it as required in the contract, Statement of Work, or as directed by the Oversight Manager. Information shall be returned securely in a format directed by the Oversight Manager. Retention of FDIC information by the Contractor beyond the conclusion of the contract is only permissible in accordance with clause 7.6.3-2, Contractor Return, Destruction and Retention of FDIC Information. (©) Inspections/Assessments/Audits/Reviews/Examinations. To canfirm Contractor's compliance with this contract, as well as any applicable laws, regulations and industry standards, Contractor shall grant FDIC information security and privacy staff, the FDIC Office of the Inspector General, the U.S. Government Accountability Office (GAO}, or an FDIC-selected third party acting on the FDIC's behalt, permission to perform inspections, assessments, audits, reviews or examinations of all controls in Contractor's physical and/or technical environment in relation to all FDIC information being handled and/or services being provided to FDIC pursuant lo this contract. The Contractor shall fully cooperate by providing access to knowledgeable personnel, physical premises, documentation, infrastructure and application software that collects, processes, transmits, or stores FDIC information pursuant to this contract, Those inspections, assessments, audits, reviews, and examinations may be conducted either by phone, electronically or ig the FDIC or the federal government's aucit and inspection rights delineated in other clauses of this contract or by statute. person. Nothing in this clause shall be viewed as limit (4) Security and Privacy Incident Handling. The Contractor shall monitor its facility, premises and information systems for security and privacy incidents and provide the capability to respond to and resolve them effectively and ina timely manner, including allowing for inspection, investigation, forensic analysis, and any other action necessary to ensure compliance with OMB M-17-12 and FDIC's Breach Response Plan, and to assist in responding toa breach. FDIC's Breach Response Plan is available at the FDIC website: wow dic. gov/buying/goods/acquisitiony/index.htmil. The Contractor and subcontractors (at any tier) shall report a ‘suspected oF confirmed breach in any medium or form, as soon as possible and without unreasonable delay, RECVR.21-G.0467