Extension Terms
Certain services and functionalities made available by or through NMI are classified as “Extensions,” including but not limited to those listed below. The individual or business signing up for an Extension (“Company”) agrees to the following terms and conditions and any other terms and conditions that may be specified for particular Extensions (collectively, “Extension Terms”).
1. Extensions are subject to additional fees, as set forth in an applicable fee schedule or order form.
2. Extensions may supplement or be connected with other products, services, platforms, or portals offered by NMI (collectively, “Services”), each of which may be subject to a separate agreement or terms and conditions of use (“Service Terms”). If an Extension is associated with one or more Services, then, in addition to the applicable Extension Terms, the Service Terms for such Services will also apply to and govern the use of the associated Extension. Except as expressly provided otherwise, Extension Terms do not replace or supersede any applicable Service Terms, which remain in full force and effect.
3. In the event of a conflict between these Extension Terms (which apply to all Extensions) and more specific Extension Terms identified for a particular Extension, the specific Extension Terms will control to the extent of the conflict. If there are any conflicting terms between the Service Terms and the applicable Extension Terms, the Extension Terms will control to the extent of the conflict. However, if Company is receiving Extensions in connection with other Services, then if the Service Terms governing the underlying Services terminate for any reason, Company’s right to use the associated Extensions will also automatically terminate.
4. Some Extensions may be provided by third parties (“Third Party Extensions”), which may be subject to additional terms and conditions set by those third parties (“Third Party Terms”). Any such Third Party Terms will constitute an agreement solely between Company and the relevant third party provider, even if the Third Party Terms are presented to Company by NMI or if Company’s acceptance of such Third Party Terms is recorded by NMI (and in such cases Company authorizes NMI to communicate such acceptance to the applicable third party provider). NMI will not be a party to any Third Party Terms and will not be responsible for the operation of any Third Party Extensions. NMI makes no representations or warranties regarding any Third Party Extensions and will have no liability for any losses incurred in connection with their use.
5. Extension Terms may be updated from time to time by NMI in its sole discretion. Third Party Terms may be updated by the applicable third party providers in accordance with such Third Party Terms.
6. If Company is an authorized reseller of NMI, then Company may select Extensions to be offered to its merchants and other customers or end users (each, a “Merchant”). If permitted by NMI, Company will have the ability to enroll its Merchants directly in the Extensions that Company has selected for them. Company will be responsible and fully liable for its Merchants’ use of the Extensions and their compliance with the applicable Extension Terms and/or Third Party Terms.
7. Company represents, warrants, and covenants that its (and if Company is a Reseller, its Merchants’) use of the Extensions and any information submitted in connection with the Extensions: (i) will be fully compliant with all applicable laws, payment network rules, and security requirements; (ii) will be in accordance with all documentation and specifications applicable to such Extensions; and (iii) will not be used for any purpose other than as authorized. In addition, Company agrees that (a) Company will be solely responsible for all transactions processed through Company’s account (including by its Merchants, if Company is a Reseller), regardless of whether such transactions are monitored by an Extension; (b) Company will be solely responsible for its (and, if Company is a Reseller, its Merchants’) use of the Extensions including, without limitation, configuring, maintaining, and updating any applicable settings; and (c) to the extent an Extension relates to transaction processing, Company is solely responsible for determining the appropriate action for each such transaction (i.e., approve, void, decline, reject), regardless of any data, analysis, or information generated or not generated by the Extensions, as applicable.
8. Under certain circumstances, it may be necessary for NMI or the applicable third party provider to adjust Company’s (or any Merchant’s) Extension security settings, with or without notice, to guard against fraudulent activity, and Company acknowledges that such actions may inadvertently cause legitimate transactions to expire, be rejected or delayed, and that NMI will have no liability for the foregoing.
9. As used in these Extension Terms, “NMI” refers to the affiliate of Network Merchants, LLC (each, an “NMI Affiliate”) that provides a given Extension. If no NMI Affiliate is named, then the applicable NMI Affiliate will be (and “NMI” will refer to) Network Merchants, LLC. If Company uses Extensions from multiple NMI Affiliates, Company will be deemed to have a separate agreement with each one. Each NMI Affiliate will be liable only for the Extensions and services that it provides and for its own obligations or any breaches by it, and no NMI Affiliate (including Network Merchants, LLC) will have any liability for the obligations of any other NMI Affiliate or for any breach or default by any other NMI Affiliate.
Available Extensions include the following (which list may be updated at any time):
- Fraud Prevention
- Customer Vault
- Automatic Card Updater
- Payer Authentication
- Card Present Device
- iProcess Mobile Payments
- Electronic Checks
- Electronic Invoicing
- QuickBooks® Plug-In
- Level III Advantage
- CertifyPCI
- DataDecryption/Encrypted Devices
- Invoicing
- Kount® Advanced Fraud Prevention (additional Extension Terms apply)
- Account Updater (additional Extension Terms apply)
- Authvia TXT2Pay (additional Extension Terms apply)
- Mastercard tap 2 mobile (T2M) (additional Extension Terms apply)
- Shopify (additional Extension Terms apply)
- Network Tokenization
- Open Banking (additional Extension Terms apply)
Extension — Kount Advanced Fraud Prevention Terms
Definitions
1.1. Definitions. Capitalized terms used but not defined in these Extension Kount Advanced Fraud Prevention Terms (“Extension Kount Terms”) will have the meanings given to them in the General Terms and Conditions, the Partner Terms or Merchant Terms (as applicable), or elsewhere in the Agreement. In addition, the following definitions will apply to these Extension Kount Terms only.
“Merchant Communications” means the data exchanged among Company, Merchant (if applicable), NMI, and NMI’s Third Party Service Provider in connection with the provision of the Kount Services, which may include Personal Data.
“Kount Services” means the Kount Central fraud detection service.
“Merchant Order Form” means any webpage where Company (or Merchant) enters information for the purpose of: (a) initiating a payment; (b) submitting an application; (c) opening a new account; (d) accessing an existing account; or (e) initiating any action for which Company may request a risk control opinion.
“RIS Update” means updated transaction information transmitted by Company (or Merchant) for the Kount Services, which may include any data elements that are provided to NMI.
“Risk Inquiry” means any transaction initiated by NMI in which the Risk Inquiry System is queried, including, but not limited to, for the purposes of obtaining an authorization code or risk control opinion.
“Risk Inquiry System” means the primary Kount technical interface through which NMI initiates Risk Inquiries and RIS Updates on behalf of Company (and Merchants, if applicable), and through which Kount delivers an authorization code or risk control opinion as part of the Kount Services.
2. Services
2.1. NMI, along with its Third Party Service Provider, will provide the Kount Services, which allow Company to monitor the risk status of previously authorized transactions, in accordance with the Kount Technical Specification Guide provided for or associated with the Kount Services, as may be updated from time to time (“Kount Technical Specification Guide”).
3. Company Responsibilities
3.1. Company will initiate a real-time Risk Inquiry to NMI, who will use Kount’s Risk Inquiry System, as described in the Kount Technical Specification Guide, for each Order Form for which a risk opinion is requested. If Company is a Reseller, then Company will initiate such Risk Inquiries on behalf of its Merchants.
3.2. If Company is a Reseller, or if Company is a Merchant receiving the Kount Services through a Reseller, then both the Reseller and the Merchant agree that the Reseller (and not NMI or another Third Party Service Provider) will provide the Merchant with first line Merchant-facing customer support with respect to the Kount Services.
4. Company and Merchant Consent
4.1. The Kount Services require access to the contents of Merchant Communications. Company expressly consents and grants NMI permission to access any Merchant Communication to the extent necessary to process a Risk Inquiry and return a response or report regarding Company or a Merchant (an “Indication”). If Company is a Merchant, then Company consents and grants NMI permission to provide the Indication to its Reseller.
4.2. Company shall obtain any and all consents necessary disclosures for NMI and its Third Party Service Provider to access the pertinent Merchant Communication to which Company (and its Merchants, if applicable) are a party. If Company is a Reseller, Company shall be solely liable for the legal adequacy of and the means used to obtain each Merchant consent.
5. No Guarantee of Kount Services
5.1. Company acknowledges and agrees that Kount Services do not constitute a guarantee, warranty or representation that a particular transaction is: (a) entered into by the actual authorized account holder; or (b) enforceable against the actual authorized account holder. Neither NMI nor its Third Party Service Provider will have any liability to Company (or any Merchant, if applicable) for any reversals, refunds, fraud losses or chargebacks related to the Kount Services.
6. Indications
6.1. Company acknowledges and agrees that Indications: (a) do not constitute consumer reports as defined within the Fair Credit Reporting Act (“FCRA”) or credit references; (b) are only to be used in relation to determining the likelihood of a customer’s identity and not in any determination of a customer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; (c) represent a combination of factors that refer to a customer’s possible identity and not a representation that a particular transaction is (i) entered into by the actual authorized account holder; or (ii) enforceable against the actual authorized account holder.
Extension – Account Updater Terms
1. Definitions
1.1. Definitions. Capitalized terms used but not defined in these Extension Account Updater Terms (“Extension Account Updater Terms”) will have the meanings given to them in the General Terms and Conditions, the Partner Terms or Merchant Terms (as applicable), or elsewhere in the Agreement. In addition, the following definitions will apply to these Extension Account Updater Terms only.
“Account Updater Services” or “AUS” means the updating services provided pursuant to these Extension Account Updater Terms to be provided through NMI’s third party’s relationship with the Payment Networks.
2. Scope of Services
2.1. NMI, along with its Third Party Service Provider, will provide Account Updater Services by which Company (and if Company is a Reseller, its Merchants) may submit to NMI a file of current limited and permitted cardholder information so that such cardholder information may be transmitted by NMI to the Payment Networks to allow such cardholder information to be matched and verified against information currently on file with the Payment Networks. Company shall, at its sole expense, provide all inquiry files to NMI in a format designated by NMI and in accordance with NMI’s standards and timeframes, and Company will cooperate with NMI in connection with any Payment Network third party registration requirements related to the AUS.
3. Representations and Warranties, and Disclaimers
3.1. Company represents and warrants that it (and if Company is a Reseller, its Merchants) will use the AUS solely for the purpose of updating applicable cardholder information in order to complete future pre-authorized applicable transactions in accordance with the Rules and Laws, and shall not use AUS data for any other purpose.
3.2. If Company is a Reseller, Company shall enter into a Merchant Agreement with each Merchant that authorizes the Merchant to use AUS and obligates the Merchant to comply with the merchant requirements of these Extension Account Updater Terms, including the Agreement.
3.3. Company hereby assumes all risk associated with its (and if Company is a Reseller, its Merchants’) use of the AUS, and neither NMI nor its third parties shall have any liability whatsoever to NMI for any liability associated with the AUS or these Extension Account Updater Terms and the Agreement, including but not limited to the accuracy or completeness of the information provided via the AUS.
3.4. Neither NMI nor its Third Party Service Provider make any guarantee for any rate or number of matched transactions or verified transactions.
3.5. Company understands and agrees that only merchants who are located in the United States and who do not have excessive chargebacks (as determined in NMI’s sole discretion) may participate in and receive the Account Updater Services. NMI reserves the right to decline or terminate Company’s (or any Merchant’s, as applicable) participation in and use of the Account Updater Services for excessive chargebacks or for any other reason, in NMI’s sole discretion.
Extension — TXT2Pay Terms
1. Definitions
1.1. Definitions. Capitalized terms used but not defined in these Extension TXT2Pay Terms (“Extension TXT2Pay Terms”) will have the meanings given to them in the General Terms and Conditions, the Partner Terms or Merchant Terms (as applicable), or elsewhere in the Agreement. In addition, the following definitions will apply to these Extension TXT2Pay Terms only.
“Company Data” means all data provided to NMI by Company, including Merchant Data.
“End User” means Company’s (or, if applicable, a Merchant’s) end-user customers who (a) may use the Services to make electronic payments to Company or its Merchants (as applicable), and (b) are identifiable by a unique identifiable number, such as a mobile phone number.
“Merchant Data” means all data, information and other content of any type and in any format, medium or form, including Personal Information, that is (i) uploaded, submitted, posted, transferred, transmitted, or otherwise provided or made available, by or on behalf of Company, a Merchant (if applicable) or its End Users to NMI and its Third Party Provider through their use of the Services, or (ii) collected, downloaded, or otherwise received by NMI and its Third Party Provider from Company, a Merchant (if applicable) or its End Users pursuant to their use of the Services. Merchant Data may include, but is not limited to, name, email address, phone number, financial account information, transaction value and volume, and invoice data.
2. Services Offered:
2.1. Authvia APIs (Application Programming Interfaces): Services include the following primary functions documented at https://developer.authvia.com:
(a) Messaging And Conversations – used to create and deliver message-based conversations of an advisory or transactional nature. Conversations shall fall into one of the following categories:
- Payment Conversations
- Approval Conversations
- Welcome Conversations
- Card Capture Conversations
- Additional Conversation types as available in the portal listed above
(b) Platform And Application Management – used to manage Company’s account and sub-accounts (and if Company is a Reseller, those of its Merchants). This includes boarding, account configuration, authentication and sending and receiving API requests.
(c) Data And Analytics – offers the capability of collecting and reporting certain transactional and conversation data through APIs, documented in the portal listed above.
(d) Hosted Payment Page – allows Company (or its Merchants, if applicable) to manage and customize a hosted payment page which allows End Users to complete secure credit card, debit card and ACH transactions on a website or mobile application environment.
2.2. Authvia TXT2PAY
(a) TXT2PAY – mobile optimized HTML application that allows businesses or organizations to send text-based payment requests to their customers, receive payments, and report results. Each user or agent of TXT2PAY requires a license, internally defined as an agent account. Agents can be grouped together inside of a company or organization.
3. Company Responsibilities
3.1. Company hereby acknowledges and agrees that it shall (i) provide or obtain all consents that may be required in order for NMI and its Third Party Service Provider to provide the Service hereunder (including consents from Company’s Merchants, if Company is a Reseller); (ii) be solely responsible for all Company Data that Company provides to NMI and the means by which Company acquired such data, and ensure it has all rights to make available, transfer and provide any Merchant Data to NMI and its Third Party Provider for the purposes hereunder, including under applicable data privacy and data security laws; (iii) to the extent applicable, employ physical administrative and technical controls, screening and security procedures and other safeguards designed to maintain and protect any Merchant Data that is processed via the Services from unauthorized access or use; (iv) promptly document and report any known issues with the Service and any known misuse of the Service; (v) cooperate with NMI where reasonably required in order to facilitate the provision of the Services.
3.2. Company may use the Services provided under Extension TXT2Pay Terms only for Company’s own internal business purposes (which would include any provisioning to its End Users). Company shall not be permitted to resell or otherwise market or make commercially available the Services to any other third party.
3.3. If Company is a Reseller, Company must enter into a Merchant Agreement with each Merchant for the Services hereunder and Company agrees that the Merchant Agreement will be at least as restrictive as those hereunder. Company will ensure that its Merchant Agreements require Merchants only use the Services for Merchant’s own internal business purposes (which would include any provisioning to its End Users) and state that Merchants shall not be permitted to resell or otherwise market or make commercially available the Services to any other third party.
3.4. If Company is a Reseller, or if Company is receiving the Services through a Reseller, then both the Reseller and the Merchant agree that the Reseller (and not NMI or another Third Party Service Provider) shall provide first level support to the Merchant for the Services hereunder.
Extension — Tap to Pay (“TTP”) Terms
1. Definitions; Interpretation
1.1. Definitions. Capitalized terms used but not defined in these Extension Tap to Pay Terms (“Extension TTP Terms”) will have the meanings given to them in the General Terms and Conditions, the Partner Terms or Merchant Terms (as applicable), or elsewhere in the Agreement. In addition, the following definitions will apply to these Extension TTP Terms only.
“Third Party Technology” means the products, services or software provided to Payment Networks by Third Party Technology Providers in connection with the provision of the TTP Solution (“TTP” refers to NMI’s Tap to Pay solution, also known as Tap to Mobile, Tap to Phone, Tap on Phone, TTM, ToP, or SoftPOS).
“Third Party Technology Providers” means any third-party technology company that any Payment Network may independently contract with to provide services for the purpose of enabling and providing the TTP Solution.
2. Scope of Services
2.1. NMI, in connection with various Payment Networks, will provide a contactless tap to pay payment solution and associated services (“TTP Solution”) to Company (and its Merchants, if applicable). Company acknowledges and agrees that NMI is reliant on the Payment Networks, Third Party Technology and Third Party Technology Providers to provide this TTP Solution.
2.2. NMI will provide, in combination with the Payment Networks, the TTP Solution to Company (and its Merchants, if applicable).
2.3. If Company is a Reseller, Company shall refer its Merchants to NMI for the TTP Solution, and Company will be responsible for training its Merchants. Upon reasonable written request, NMI will provide training to Company to enable it to resell the TTP Solution to Merchants. The scope of the training provided shall be at NMI’s sole discretion (acting reasonably and in good faith). Company will assist potential Merchants in completing all documentation required to receive the TTP Solution, including (where applicable) providing reasonable training to Merchants on the use of the TTP Solution. For the avoidance of doubt, NMI shall not be required to provide additional training to Merchants.
3. Third Party Technology
3.1. Company acknowledges the TTP Solution is designed for use with certain third party programs, including, without limitation, certain Internet browser software programs. Company will look solely to the developers and manufacturers of such programs with regard to warranty, maintenance or other support regarding the same. NMI makes no warranty, express or implied, with regard to any such third party software or services. Without limitation, NMI specifically disclaims all representations and warranties, express or implied, with respect to any Third Party Technology Provider or Third Party Technology. NMI shall have no express or implied obligation to provide, or continue to provide, support or maintain any or all Third Party Technology. Company acknowledges and agrees that at any time, all or any portion of Third Party Technology may be subject to modifications, suspension or termination by the Payment Networks or Third Party Technology Provider, with or without notice, and with immediate effect. NMI may be required to implement any such modifications, suspension or termination of the TTP Solution, and as this is outside of NMI’s reasonable control, (to the fullest extent permitted by law) NMI shall not be liable for any actions required by a Payment Networks or Third Party Technology Provider.
Extension — Shopify Terms
Definitions; Interpretation
1. Definitions. Capitalized terms used but not defined in these Extension Shopify Terms (“Extension Shopify Terms”) will have the meanings given to them in the General Terms and Conditions, the Partner Terms or Merchant Terms (as applicable), or elsewhere in the Agreement. In addition, the following definitions will apply to these Extension Shopify Terms only.
“Customer” means any individual that visits or transacts via the Merchant Store.
“Customer Data” means information (including Personal Information) relating to a Customer, including order information, payment information, or account information.
“Merchant Data” means information (including Personal Information) relating to a Merchant Store, including business, financial, and product information and any Customer Data.
“Merchant Store” means Company’s or a Merchant’s (as applicable) commerce presence hosted by Shopify, including their online store and Point of Sale (POS). For clarity, Company or a Merchant may have more than one Merchant Store.
2. Scope of Services
a. NMI will provide a payments application service by which Company (and if Company is a Reseller, its Merchants) may facilitate transactions through Shopify’s payments platform (“Shopify Application”).
3. Representations and Warranties, and Disclaimers
a. NMI represents and warrants that:
i. NMI is solely responsible for the Shopify Application;
ii. Shopify is not liable for any fault in the Shopify Application or any harm that may result from its installation or use;
iii. Except where expressly stated by Shopify, Shopify cannot provide assistance with the installation or use of the Shopify Application; and
iv. NMI is solely responsible for any liability which may arise from Company’s (or, as applicable, its Merchant’s) access to or use of the Shopify Application, including: (A) the development, use, marketing or distribution of or access to the Shopify Application, including support of the Shopify Application; or (B) NMI’s access, use, distribution or storage of Merchant Data.
b. NMI maintains a Privacy Policy located at Privacy Policy that discloses how and why customers’ Personal Data are collected and used in accordance with applicable law, including the uses governed by this Agreement.
Extension — Open Banking
Definitions; Interpretation
1. Capitalized terms not otherwise defined below have the meaning set forth in the Agreement.
2. Definitions.
“Explicit Consent” means an electronic communication with a Person that: (a) provides sufficient notice to such Person regarding how User Data associated with that person will be used, including access, usage, storage, retention, and disposal of such Person’s User Data (including any use of anonymized data derived from the User Data) and the process for the revocation of consent (which process shall enable a Person to readily revoke such consent); and (b) obtains from such Person permission for a specific action that is maintained in a system log or database that ensures completeness and integrity and permits verification of the consent upon request of the records. Explicit Consent must be consistent with applicable Laws.
“Finicity” is Finicity Corporation, an entity that provides the Open Banking Services as described within the Order Form.
“Finicity Materials” means any data or materials provided by or on behalf of Finicity to Company, other than User Data.
“Finicity Technology” means all of the following (including all Intellectual Property Rights therein): (a) the Finicity Services and the Finicity System, (b) the Finicity Materials, and (c) any and all technology, information, data, know-how, ideas, designs, software, inventions, documentation, resources and all other tangible and intangible items included therein and as provided to Company by Finicity, made, conceived, or received or reduced to practice by Finicity alone, excluding NMI Services and related technology.
“Finicity Services” means Finicity’s products and services as expressly subscribed to by Company pursuant to an Order Form/Proposal.
“Finicity System” means the equipment, APIs, interfaces, and all software and administrative platforms necessary to provide the Finicity Services.
“Information Security Incident” means any actual or suspected unauthorized processing, loss, use, disclosure, acquisition of, or access to any Personal Information or User Data.
“Intellectual Property Rights” means, on a worldwide basis, any and all: (a) rights associated with works of authorship and literary property, including copyrights, moral rights of an author of a copyrightable work, and mask-work rights; (b) trademarks, service marks, logos, trade dress, trade names, whether or not registered, and the goodwill associated therewith; (c) rights relating to know-how or trade secrets, including ideas, concepts, methods, techniques, inventions (whether or not developed or reduced to practice); (d) patents, designs, algorithms and other industrial property rights; and (e) other intellectual and industrial property rights of every kind and nature, however designated, whether arising by operation of law, contract, license or otherwise.
“Onboarding Procedures” means the approval, due diligence requirements and vetting procedures established by Finicity (as the same may be amended from time to time) in order to onboard and approve the Company for the delivery of the Services.
“Person” means any individual, partnership, joint venture, corporation, company, bank, trust, unincorporated organization, government or any department, agency or instrumentality thereof.
“Provider” means a financial institution or other entity that possesses account information regarding a User.
“Registration Data” means User account access information and registration information as provided by Users to NMI or Finicity for the purpose of accessing User Data from a Provider.
“Representatives” means a Party’s Affiliates, directors, officers, employees, agents, contractors, subcontractors, partners, and third-party service providers.
“Territory” means the United States of America.
“User” means any customer of Company that meets the requirements set forth in Section 4.
“User Data” means data pertaining to a User obtained by Finicity directly as part of the Services provided to Company, and includes Personal Data.
3. Services. As described within the Order Form.
4. Users. The Parties agree that a Person is not to be a User until such Person has provided Explicit Consent to Finicity to be legally bound by the Finicity terms and conditions and privacy notice presented through the user experience before accessing the Services in accordance with Finicity Documentation. For the avoidance of doubt, Finicity will be responsible for obtaining and managing the Explicit Consent provided by Users to Finicity for the User Data, including authorizations, revocations, permissions, consents, agreements, and approvals necessary for Finicity to access, use, and disclose the User Data as contemplated by this Agreement. In support of the foregoing, NMI agrees to comply with Finicity Documentation with respect to consents provided by Users. The Parties further agree that the Finicity/Mastercard brand will always be present to the User during the account linking and open banking experiences. NMI is not permitted to provide any technical means or other instruction to any Person to circumvent such requirements to become a User, or to perform the requirements of this Section on behalf of any Person for any reason.
5. Company Obligations.
- Company shall fulfill its obligations in accordance with all applicable Laws, including the Foreign Corrupt Practices Act, the UK Bribery Act, and all other applicable anti-corruption and anti-bribery laws. In connection with Company use of Services and cross-border transfer of the Finicity Technology, Company will comply with all applicable export, re-export, and import control laws and regulations of all applicable jurisdictions, and will not export or re-export Finicity Technology. Company will not engage in any activities related to this Agreement or Services with a Person who is identified on a list maintained by the U.S. Treasury Department’s Office of Foreign Assets Control of specially designated nationals and blocked persons subject to financial sanctions. Such list is currently accessible at: www.treasury.gov/ofac.
- Company shall use commercially reasonable efforts to prevent unauthorized access to or use of the Finicity Technology, and notify NMI promptly of any such unauthorized access or use;
- Except as otherwise explicitly provided in these terms or as may be expressly required by applicable Laws, Company and Users shall (i) use the Finicity Technology only pursuant to these terms; (ii) not attempt to gain unauthorized access to the Finicity Technology or their related systems or networks; (iii) not access and/or engage in any use of the Finicity Technology in a manner that abuses or materially disrupts Finicity’s networks, security systems, and/or websites; (iv) not interfere with or disrupt the integrity or performance of the Finicity Technology or third-party data contained therein; (v) not access or use the Finicity Technology in any manner or for any purpose that infringes, misappropriates or otherwise violates any Intellectual Property Right or other right of any third party; (vi) not access or use the Finicity Technology for purposes of competitive analysis of the Finicity Technology, the development, provision or use of a competing software service or product or any other purpose that is to Finicity’s detriment or commercial disadvantage, except as explicitly permitted by Finicity in writing; (vii) not use the Finicity Technology for fraudulent purposes or otherwise in violation of applicable Laws; (viii) except for Users saving their own User credentials, not retain, save or otherwise maintain any User credentials or other Personal Data that could be used to access such User’s financial information and other data; and (x) not use any “screen scraping” process(es) to obtain User Data directly or indirectly from any Provider from which Finicity obtains User Data on behalf of User through the use of Registration Data (and not APIs or data feeds provided by or on behalf of Finicity as part of the Finicity Technology).
If Company becomes aware of any actual or threatened activity prohibited by this Section 4 (c), Company shall immediately: (I) take all reasonable and lawful measures within their respective control that are necessary to stop the activity or threatened activity and to mitigate its effects (including, where applicable, by discontinuing and preventing any unauthorized access to the Finicity Technology); and (II) notify Finicity of any such actual or threatened activity;
- Except to the extent prohibited by applicable legal, regulatory or law enforcement requirements, Company will promptly inform NMI, in each case in writing, if any competent authority, regulator or public authority with jurisdiction over Company requests disclosure of, or information about, the Personal Data that is processed in connection with the Services. Company will, without limiting its rights under applicable Laws, cooperate with Finicity as reasonably necessary to comply with any direction or ruling made by such authorities;
- Except to the extent prohibited by applicable Laws or law enforcement requirements, Company will inform NMI in writing of any Information Security Incident within 48 hours of its discovery. For purposes of this provision, “discovery” will mean the first day the Information Security Incident is known to have occurred by any employee, officer or agent of the impacted party. Such notice will summarize in reasonable detail the effect on the other party, if known, of the Information Security Incident and the corrective action taken or to be taken. The applicable party will promptly take all necessary corrective actions, and will cooperate fully with the other in all reasonable and lawful efforts to mitigate the effects of such Information Security Incident;
i. notwithstanding anything contained herein or otherwise, except to the extent prohibited by applicable legal, regulatory or law enforcement requirements, Company must obtain the approval of Finicity prior to the publication or communication of any filings, communications, notices, press releases or reports related to any Information Security Incident that expressly mentions Finicity or its Affiliates.
- Company shall comply with all applicable Laws, relating in any way to the confidentiality of Personal Data, including applicable laws regulating banking secrecy and outsourcing requirements, to the extent applicable to its business or the Services received under its agreement with NMI;
- Company shall develop, maintain and implement a comprehensive written information security program that: (i) complies with the requirements of Section f above; (ii) includes, without limitation, technical, physical, and administrative/organizational safeguards designed to (x) ensure the security and confidentiality of Personal Data; (y) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (z) protect against any Information Security Incident; and (iii) includes, without limitation, regular testing or otherwise monitoring of the effectiveness of each Party’s information safeguards;
- Company shall comply at all times with all Applicable Law related to its use of the Services. Without limitation, but only where applicable, Company shall comply with the federal Fair Credit Reporting Act, 15 U.S.C. §1681 et seq. (“FCRA”), and any applicable analogous state law, as well as all applicable regulations and administrative requirements thereunder. Company acknowledges that use of the Services or data obtained or processed using the Services may be subject to the FCRA or analogous state laws. If Company uses or provides through NMI Services any Services that are not labeled as for FCRA use or authorized by Finicity for use in accordance with the FCRA, or obtains through Services data that is not subject to the FCRA, Company shall not use or provide through NMI Services such Services or data for an FCRA-related purpose. Finicity may from time-to-time request additional information from Company regarding its use of Services and/or compliance with the FCRA, and Company agrees to reasonably cooperate with any such requests. Such requests may include, but not be limited to, the examination of Company’s policies and/or procedures for: (a) confirming and documenting “permissible purpose” for FCRA-scoped Services, including due diligence efforts conducted for such confirmation; (b) verifying the identity of end users for FCRA-scoped Services; and (c) processing and resolving FCRA reinvestigations of consumer disputes;
- If Company is obtaining Services as the user of a “consumer report” as defined in the FCRA, Company shall use Services solely in connection with the FCRA Permissible Purposes outlined in the Order Form, and for no other purpose. Company acknowledges that it has received notice of legal obligations of users of consumer reports through the following hyperlink: https://www.finicity.com/federal-fair-credit-reporting-act/. Finicity is providing the Services only as requested by and with the Explicit Consent of the User;
- Company shall not use or disclose User Data or Registration Data for any purpose that is not expressly permitted under these terms or by an Explicit Consent given to Company by the User to whom such data relates. Without limiting the foregoing, Company shall not sell, license, transfer, or otherwise disclose the User Data or Registration Data to any other party;
- Company shall not allow a Person to be a User unless such Person has: (i) agreed to the terms presented through the Finicity Services; (ii) provided Explicit Consent to Finicity to be legally bound by the Finicity terms; and (iii) provided Explicit Consent to Company and/or its Representatives consenting to Company’s specific business purpose;
- Unless prohibited by applicable Laws, Company will not permit any person to have access to Finicity Technology or User Data when such person has been convicted of a crime or has agreed to or entered into a pretrial diversion or similar program with: (i) a dishonest act or a breach of trust, as set forth in Section 19 of the Federal Deposit Insurance Act; or (ii) a felony.
- Company shall only use, store, host, or process User Data within the Territory. Notwithstanding the foregoing, Company may allow read-only access to such data subject to terms’ confidentiality and security requirements;
- Company shall maintain customary insurance with industry standard limits and terms, at its own expense, to cover potential losses and liabilities which may arise in connection with or in any way related to its performance of obligations as described in these terms and promptly provide evidence of such insurance if requested by Finicity or NMI; and
- Company shall maintain all necessary documentation to evidence its compliance with these terms and applicable Laws in connection with its use of the Services for a period of six (6) years after the expiration or termination of these terms, or for such longer period as otherwise may be required by applicable Laws. Company shall provide Finicity and NMI with access to such documentation upon request. Finicity or its authorized representative may, on reasonable notice no more than once every year, audit (i) Company’s activities related to its use of the Services; and (ii) Company’s products and services and the use of such products and services that utilizes Finicity Technology, for compliance with applicable Laws and these terms.
6. Minimum System Security Requirements
Company will, at a minimum, implement the types of security measures set forth below. In no event shall any technical requirement be less protective than the corresponding exemplary requirement in this Section 6. In the event of any potential breach or actual breach of security which has the potential to expose and/or impact information such as User Data, Registration Data, Finicity data, API certificates, tokens or other sensitive data, Company (and Company customers) must immediately advise NMI and Finicity by emailing soc@mastercard.com and calling (636) 722-3600; to notify NMI, please refer to clause 4.3 of the General Terms and Conditions. These requirements herein are mandatory for Company, Company’s customers, and any other expressly permitted party that has an API account or that receives User Data and/or Registration Data for any purpose.
a. Physical access control. Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including, without limitation, databases, application servers and related hardware), where Personal Information is processed, including, without limitation:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (ID reader, magnetic card, chip card);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.);
- Security staff, janitors;
- Surveillance facilities, video/CCTV monitor (as permitted under local law), alarm system; and
- Securing decentralized data processing equipment and personal computers.
b. Virtual access control. Technical and organizational measures to prevent data processing systems from being used by unauthorized persons including, without limitation:
- User identification and authentication procedures;
- ID/password security procedures (special characters, minimum length, change of password);
- Automatic blocking (e.g., password or timeout);
- Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts; and
- Creation of one master record per user, user master data procedures, per data processing environment.
c. Data access control. Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Information in accordance with their access rights, and that Personal Information cannot be read, copied, modified or deleted without authorization, including, without limitation:
- Internal policies and procedures;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access Personal Information without authorization;
- Reports of access;
- Access procedure;
- Change procedure; and
- Deletion procedure.
d. Disclosure control. Technical and organizational measures to ensure that Personal Information cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Information is disclosed, including, without limitation:
- Tunneling;
- Logging; and
- Transport security.
e. Entry control. Technical and organizational measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems, including, without limitation:
- Logging and reporting systems;
- Audit trails and documentation; and
- Rate limiting or reduction in the amount of sub-accounts that can be created or linked to (max 8 recommended).
f. Availability control. Technical and organizational measures to ensure that Personal Information is protected against accidental destruction or loss (physical/logical) including, without limitation:
- Backup procedures;
- Mirroring of hard disks (e.g., RAID technology);
- Uninterruptible power supply (UPS);
- Remote storage;
- Antivirus/firewall systems; and
- Disaster recovery plan.
g. Separation control. Technical and organizational measures to ensure that Personal Information collected for different purposes can be processed separately including, without limitation:
- Separation of databases;
- “Internal client” concept / limitation of use;
- Segregation of functions (production/testing); and
- Procedures for storage, amendment, deletion, transmission of data for different purposes.
h. End Point control. Technical and organizational measures to ensure that end points involved in touching, storing or accessing Personal Information are protected against unauthorized access or penetration, including, without limitation:
- Industry standard anti-malware solutions;
- Encryption of data at rest using AES256 bit as a minimum; and
- Routine penetration testing and/or vulnerability management and review.
7. Company Consent.
- Company consents to:
i. Finicity display of Company’s name, marks, and services (including logo) within Finicity’s User consent and disclosure platform currently called “Finicity Connect” and share the name, marks, and services of Company to Provider to identify Company as a NMI of Services; and
ii. Providers’ (and their authorized technology service providers) display of Company’s name, marks, and services (including logo) within their user authentication and consent management platforms.
8. Representations and Warranties, and Disclaimers.
- Company hereby represents and warrants to NMI that the documents, information, responses, and materials provided to NMI and/or Finicity by Company in connection with Finicity’s On-Boarding Procedures/Finicity Services are true and accurate in all material respects. Company agrees that Finicity may provide such information to Providers.
