Exhibit 99.3

FEDERAL DEPOSIT INSURANCE CORPORATION

WASHINGTON, D.C.

The Federal Deposit Insurance Corporation (“FDIC”) is the appropriate Federal banking agency for The Columbia Bank, Columbia, Maryland (“Bank”), under section 3(q) of the Federal Deposit Insurance Act (“Act”), 12 U.S.C. § 1813(q).

The Bank, by and through its duly elected and acting Board of Directors (“Board”), has executed a STIPULATION AND CONSENT TO THE ISSUANCE OF A CONSENT ORDER (“CONSENT AGREEMENT”), dated December 23, 2014, that is accepted by the FDIC. With the CONSENT AGREEMENT, the Bank has consented, without admitting or denying any unsafe or unsound banking practices or violations of law or regulation, including weaknesses in the Bank’s Bank Secrecy Act (“BSA”) Compliance Program, to the issuance of this Consent Order (“ORDER”) by the FDIC.

Having determined that the requirements for issuance of an order under section 8(b) of the Act, 12 U.S.C. § 1818(b), have been satisfied, the FDIC hereby orders that:

BOARD SUPERVISION

1. (a) The Board shall increase its supervision and direction of the Bank’s BSA Compliance Program, assuming full responsibility for the approval of sound BSA policies, procedures and processes, consistent with the role and expertise commonly expected for directors of banks of comparable size and risk.

(b) Within 60 days from the effective date of this ORDER, the Board shall ensure that the Bank has a permanent, qualified and experienced BSA Officer (who may also be an officer or employee of Fulton Financial Corporation (“FFC”), the Bank’s parent holding company), acceptable to the Regional Director of the FDIC New York Regional Office (“Regional Director”) and the Commissioner of Financial Regulation for the State of Maryland (“Commissioner”), that:

(i) has sufficient authority to monitor and ensure compliance with the BSA;

(ii) reports monthly directly to the Board;

(iii) has an adequate level of appropriate resources (including resources provided by FFC or other vendors) to implement and enforce BSA compliance in all material aspects with all BSA and Anti-Money Laundering (“AML”) laws and regulations; and

(iv) is responsible for assuring the proper and timely filing of Suspicious Activity Reports (“SARs”), Currency Transaction Reports (“CTRs”), Reports of International Transportation of Currency or Monetary Instruments (“CMIRs”), Reports of Foreign Bank and Financial Accounts (“FBARs”) and any other BSA required reports.

(c) Within 60 days from the effective date of this ORDER, in the event that the BSA Officer is an officer or employee of FFC, the Board shall ensure that the Bank has employed at least one individual, acceptable to the Regional Director and the Commissioner, to provide assistance to the Bank’s BSA Officer, and whose responsibilities in substantial part will be dedicated to ensuring the Bank’s compliance with BSA/AML laws and regulations.

-2-

MANAGEMENT

2. (a) Management shall ensure compliance with all applicable laws and regulations, that govern BSA compliance. Each member of management shall have the qualifications and experience commensurate with his or her duties and responsibilities related to applicable BSA laws and regulations.

(b) The Bank shall provide written notification to the Regional Director and the Commissioner of the resignation or termination of the BSA Officer within 10 days of the event. In addition, the Bank shall provide written notification to the Regional Director and the Commissioner of any proposed new BSA Officer at least 30 days prior to the date such proposed individual is to begin service; such notification shall include their resume, completed Interagency Biographical and Financial Report (FDIC Form No. 3064-0006) (without financial information) and such other information as the Regional Director or the Commissioner may request. Such change will only be effective upon receipt of the Regional Director’s and the Commissioner’s written non-objection.

BSA INTERNAL CONTROLS

3. (a) Within 90 days from the effective date of this ORDER, the Bank shall develop a revised system of internal controls designed to ensure full compliance with the BSA (“BSA Internal Controls”) taking into consideration the Bank’s size and risk profile, as determined by the Bank’s Risk Assessment.

-3-

(b) At a minimum, such system of BSA Internal Controls shall include policies, procedures, and processes addressing the following areas:

(i) Suspicious Activity Monitoring and Reporting: The Bank shall, taking into account its size and risk profile, revise and enhance its policies, procedures, processes, and systems for monitoring, detecting, and reporting suspicious activity being conducted in all areas within or through the Bank; and ensure the timely, accurate, and complete filing of SARs, with an appropriate level of documentation and support for management’s decisions to file or not to file a SAR, as required by law. These policies, procedures, processes and systems should ensure that all relevant areas of the Bank are monitored for suspicious activity and that alerts generated by the Bank’s suspicious activity monitoring systems are investigated and escalated appropriately. The Bank shall adopt measures to ensure that transaction monitoring and suspicious activity reporting functions that are outsourced to FFC are performed to meet regulatory requirements.

(ii) Due Diligence: The Bank shall review and enhance its customer due diligence (“CDD”) policies, procedures and processes for new and existing customers to:

a. be consistent with the guidance for CDD set forth in the FFIEC’s Bank Secrecy Act/Anti-Money Laundering Examination Manual (“BSA Manual”);

b. operate in conjunction with its Customer Identification Program (“CIP”); and

c. enable the Bank to predict with relative certainty the types of transactions in which a customer is likely to engage.

-4-

(iii) At a minimum, the CDD program shall provide for:

a. a risk assessment of the customer base through an appropriate risk rating system to ensure that the risk level of the Bank’s customers is accurately identified based on the potential for money laundering or other illicit activity posed by the customer’s activities, with consideration given to the purpose of the account, the anticipated type and volume of account activity, types of products and services offered, and locations and markets served by the customer;

b. an appropriate level of ongoing monitoring commensurate with the risk level to ensure that the Bank can reasonably detect suspicious activity and accurately determine which customers require enhanced due diligence (“EDD”);

c. a process to obtain and analyze a sufficient level of customer information at account opening to assist and support the risk ratings assigned;

d. a process to document and support the CDD analysis, including a method to validate risk ratings assigned at account opening and resolve issues when insufficient or inaccurate information is obtained;

e. processes to reasonably ensure the timely identification and accurate reporting of known or suspected criminal activity, as required by the suspicious activity reporting provisions of Part 353 of the FDIC’s Rules and Regulations, 12 C.F.R. Part 353; and

f. measures to ensure that CDD services that are outsourced to FFC are performed to meet regulatory expectations.

(iv) Enhanced Customer Due Diligence: The Bank shall establish EDD policies, procedures and processes to conduct EDD necessary for those categories of customers the Bank has reason to believe pose a heightened risk of suspicious activity, including, but not limited to, the high-risk accounts described in the April 7, 2014 Report of Examination issued jointly by the FDIC and the Office of the Commissioner of Financial Regulation for the State of Maryland (“2014 ROE”). The EDD policies, procedures and processes should:

a. be consistent with the guidance for EDD set forth in the BSA Manual; and

b. operate in conjunction with the Bank’s CIP and CDD policies, procedures and processes.

-5-

(v) At a minimum, the EDD program shall include procedures to:

a. determine the appropriate frequency for conducting ongoing reviews based on customer risk level;

b. determine the appropriate documentation necessary to conduct and support ongoing reviews and analyses in order to reasonably understand the normal and expected transactions of the customer;

c. reasonably ensure the timely identification and accurate and complete reporting of known or suspected criminal activity against or involving the Bank to law enforcement and supervisory authorities, as required by the suspicious activity reporting provisions of Part 353 of the FDIC’s Rules and Regulations, 12 C.F.R. Part 353; and

d. measures to ensure that EDD services that are outsourced to FFC are performed to meet regulatory expectations.

(vi) The Bank’s BSA internal control policies, procedures, processes, and practices shall operate in conjunction with each other and be consistent with the guidance for account/transaction monitoring and reporting set forth in the BSA Manual, including arranging for the dissemination of a high-risk customer list to appropriate departments within the Bank.

-6-

(c) Within 10 days of completion, the Bank shall submit the revised BSA-related internal control policies and procedures to the Regional Director and the Commissioner for non-objection or comment. Within 30 days from receipt of non-objection or comments from the Regional Director or the Commissioner, and after incorporation and adoption of all comments, the Board shall approve the revised BSA internal control policies, procedures, processes and practices, which approval shall be recorded in the minutes of the Board meeting. Thereafter, the Bank shall implement and fully comply with the revised internal control policies, procedures, processes and practices.

CTR LOOK BACK REVIEW

4. (a) Within 90 days from the effective date of this ORDER, the Bank shall conduct a review of currency transaction aggregation reports and CTRs transmitted since May 1, 2013, through the effective date of this ORDER, to determine whether transactions by a common conductor were properly identified and reported in accordance with applicable law and regulations (“Look Back Review”). The Bank shall ensure that the Look Back Review includes currency exchange transactions.

(b) Within 30 days from receipt of the findings of the Look Back Review, the Bank shall provide a report detailing its Look Back Review findings, along with copies of any additional CTRs filed, to the Regional Director and the Commissioner.

-7-

REPORTS

5. The Bank shall review and enhance its policies, procedures and processes in order to appropriately detect reportable transactions and ensure that all required reports, including its CTRs, SARs, CMIRs, FBARs, and any other similar or related reports required by law or regulation are completed accurately and properly filed within required timeframes.

VENDOR MANAGEMENT

6. Within 60 days from the effective date of this ORDER, the Board shall develop, adopt, and implement an enhanced process to effectively monitor the correction of BSA-related regulatory weaknesses identified at FFC, the Bank’s BSA/AML compliance vendor. Any corrective actions taken by FFC to address any identified BSA/AML weaknesses shall be reviewed at Board meetings and noted in the Board minutes.

CORRECTIVE ACTION

7. The Bank shall take all steps necessary, consistent with other provisions of this ORDER and sound banking practices, to eliminate and correct any unsafe or unsound banking practices and any violations of law or regulation cited in the 2014 ROE.

DIRECTORS’ COMPLIANCE COMMITTEE

8. Within 30 days from the effective date of this ORDER, the Board shall establish a directors’ BSA Compliance Committee (“Compliance Committee”) of at least three members, a majority of which members shall not be and shall not have been within the last five years, involved in the daily operations of the Bank, and whose composition is acceptable to the

-8-

Regional Director and the Commissioner, with the responsibility of overseeing the Bank’s compliance with this ORDER, the BSA regulations and laws and the Bank’s BSA Compliance Program. At least two members of the Compliance Committee shall be the Bank’s representatives to the Special Joint Board Compliance Committee of FFC. The Compliance Committee shall receive comprehensive monthly reports from the Bank’s BSA Officer regarding the Bank’s compliance with BSA regulations and the Bank’s BSA Compliance Program. The Compliance Committee shall present a report to the Board, at each regularly scheduled Board meeting, regarding the Bank’s compliance with this ORDER, the BSA regulations and laws and the Bank’s BSA Compliance Program, which shall be recorded in the appropriate minutes of the Board meeting and retained in the Bank’s records.

PROGRESS REPORTS

9. Within 45 days from the end of each calendar quarter following the effective date of this ORDER, the Bank shall furnish to the Regional Director and the Commissioner written progress reports detailing the form, manner, and results of any actions taken to secure compliance with this ORDER. All progress reports and other written responses to this ORDER shall be reviewed and approved by the Board, and made a part of the Board minutes.

SHAREHOLDER DISCLOSURE

10. Within 30 days from the effective date of this ORDER, the Bank shall send a copy of this ORDER, or otherwise furnish a description of this ORDER, to FFC. The description shall fully describe the ORDER in all material aspects.

-9-

MISCELLANEOUS

It is expressly understood that if, at any time, the Regional Director or the Commissioner shall deem it appropriate in fulfilling the responsibilities placed upon them under applicable law to undertake any further action affecting the Bank, nothing in this ORDER shall bar, estop, or otherwise prevent the FDIC or the Commissioner or any other federal or state agency or department from taking any other action against the Bank or any of the Bank’s current or former institution-affiliated parties.

This ORDER shall be effective on the date of issuance.

The provisions of this ORDER shall be binding upon the Bank, its institution-affiliated parties, and any successors and assigns thereof.

The provisions of this ORDER shall remain effective and enforceable except to the extent that and until such time as any provision has been modified, terminated, suspended, or set aside by the FDIC.

Issued Pursuant to Delegated Authority

-10-