User Agreement and Terms
I. MonitorBase End User Agreement
This Lender Feed End User Agreement (“Agreement”) between End User and Lender Feed, LC. dba
MonitorBase (“Reseller”)
Definitions:
End User: User of MonitorBase Software or Products; the Lender, Credit Union or Bank that is the responsible party
making a firm offer of credit as defined by the Fair Credit Reporting Act and the FACT Act.
Reseller: End User will enter into an agreement with Lender Feed, LC., a Utah limited liability company located
at 10 West Broadway, Suite 450, Salt Lake City, Utah 84101.
Third Party Processor: a firm engaged in the business of providing data processing services, including but not
limited to net downs, demographic appending and segmentation, merge / purge processing, and general list
cleansing, with respect to direct mail and telemarketing programs.
Periodic Screening Process: The process whereby Reseller electronically delivers the preselected consumer data
from the End User's database to Experian, providing a mechanism for the End User to continuously identify new
prospective borrowers in their database that meet their pre-established lending criteria.
Experian Demographic Data: Demographic data is data Experian provides to the client or the client's Third Party
Processor in performing the prescreened services, except demographic data which the client provides to Experian.
Experian Data: Any data provided by Experian, including Experian Demographic Data, Credit Data, and Identifying
Data.
Lender Feed Data Elements: Any data provided by Reseller, including but not limited to, Automated Valuation
Modeling, Profiled Census data, Demographic data overlays.
Lender Feed Data Server: The server that will ultimately store and display the pre-screened list to the end user
for download or merging with form letters.
Prescreened List: When Experian completes the prescreening and segmentation of the End User's data, Experian will
deliver to Reseller's Third Party Processor an electronic data file containing information that identifies the
consumers who meet the eligibility criteria established and approved by the End User (the “Identifying Data”),
coded credit or derived information (the “Credit Data”) and coded demographic data about such consumers (the
“Prescreened List”).
General Provisions:
- End Users must apply for membership in Experian's Pre-screened services; if they are already an Experian
member, End User may be required to submit a request to Experian allowing Reseller to service their account.
- Through electronic interface with Reseller, End User will make available their database of consumer records
that have been pre-selected and identified by the End User as consumers they wish to include in the Periodic
Screening Process. End User agrees to pay all fees agreed upon in the Pricing Addendum (refer to Pricing
Addendum).
- The Credit Data from the Prescreened List will be encoded and truncated, appended with other Lender Feed
Data Elements, and made available for viewing via Reseller's proprietary software, MonitorBase.
- Lender Feed Data Elements supplied for overlay or enhancement, in conjunction with the services, shall be
used solely by End User for direct mail, and telemarketing prescreened solicitations, pursuant to this
Agreement.
- Confidentiality: Each party will maintain internal procedures to minimize the risk of unauthorized
disclosure of information delivered hereunder. Both parties will take reasonable precautions to ensure such
information will be held in strict confidence and disclosed only to those of their respective employees
whose duties reasonably relate to the legitimate business purposes for which the information is requested or
used and to no other person. Without limiting the generality of the foregoing, each party will take suitable
precautions to prevent loss, compromise, or misuse of any data or other media containing consumer credit
information while in the possession of either party and while in transport between the parties. Each party
shall comply with all federal, state and local laws, rules, regulations and ordinances governing or relating
to privacy rights in connection with its performance under this Agreement including, without limitation, the
Gramm-Leach-Bliley Act (“GLB”) and its implementing regulations. Each party shall implement such physical
and other security measures as shall be necessary to (a) ensure the security and confidentiality of the
“nonpublic personal information” of the “customers” and “consumers” (as those terms are defined in GLB) of
either party which it holds, (b) protect against any threats or hazards to the security and integrity of
such nonpublic personal information, and (c) protect against any unauthorized access to or use of such
nonpublic personal information. Each party represents and warrants that it has implemented appropriate
measures to meet the objectives of Section 501(b) of GLB and of the applicable standards adopted pursuant
thereto, as now or hereafter in effect. Upon request, each party will provide evidence reasonably
satisfactory to allow the other party to confirm that the providing party has satisfied its obligations as
required under this Section. Without limitation, this may include review of audits, summaries of test
results, and other equivalent evaluations of the providing party.
- Proprietary Business Processes: Under no circumstances will the End User attempt in any manner, directly or
indirectly, to discover or reverse engineer any confidential and proprietary business processes of Reseller.
- License: Reseller endeavors to create marketing and distribution agreements with several software companies,
vendors and mortgage lenders that provide solutions to the mortgage industry, and provide pre-screened
credit information to their end users. We do not grant any exclusive rights to our system, marketing
material, or the Periodic Screening Processes. Nothing contained in this agreement shall be deemed to grant
the End User any sublicense copyright interest, proprietary rights, or other claims against or interest in
any computer programs, business processes or relationships with data vendors utilized by Reseller.
- Indemnification of Lender Feed LC: End User will indemnify, defend and hold Reseller harmless from and
against any and all liabilities, damages, losses, claims, costs, and expenses, including reasonable
attorney’s fees, which may be asserted against or incurred by Reseller arising out of or resulting from the
use, disclosure, sale or transfer of services by Reseller or Reseller's customers, due to End User's
negligence or willful misconduct. Reseller will indemnify, defend and hold End User harmless from and
against any and all liabilities, damages, losses, claims, costs, and expenses, including reasonable
attorney’s fees, which may be asserted against or incurred by End User arising out of or resulting from
Reseller’s negligence, willful misconduct or breach of this Agreement.
- Termination: Notwithstanding any other term in this Agreement, either party may terminate this Agreement by
providing thirty (30) days advance written notice to the other. Reseller may unilaterally terminate this
agreement immediately, or take any lesser action Reseller deems appropriate, including but not limited to,
blocking End User from accessing the services or online databases, if Lender Feed believes in its sole
judgment, that End User has failed to comply with any of its obligations in this Agreement. End User agrees
to pay all incurred fees (refer to Pricing addendum) including those incurred within the 30 day termination
advance notice.
- Governing Law: This Agreement and the rights and obligations herein shall be governed by and interpreted in
accordance with the laws of the state of Utah without giving effect to the principles thereof relating to
conflicts of law rules that would direct application of the laws of another jurisdiction.
- Arbitration: Any controversy or claim arising out of or relating to this Agreement, or the breach
thereof, shall be settled by arbitration in accordance with the rules of the American Arbitration Association,
and judgment upon the award rendered by the arbitrator(s) shall be entered in any court having jurisdiction
thereof. For that purpose, the parties hereto consent to the jurisdiction and venue of an appropriate court
located in Salt Lake County, State of Utah. In the event that litigation results from or arises out of this
Agreement or the performance thereof, the parties agree to reimburse the prevailing party's reasonable
attorney's fees, court costs, and all other expenses, whether or not taxable by the court as costs, in
addition to any other relief to which the prevailing party may be entitled. In such event, no action shall
be entertained by said court or any court of competent jurisdiction if filed more than one year subsequent
to the date the cause(s) of action actually accrued regardless of whether damages were otherwise as of said
time calculable.
- Complete agreement: This Agreement, together with the pricing and data interface addendum, constitutes the
entire agreement of the parties and supersedes all prior communications, understandings and agreements
relating to the subject matter hereof, whether oral or written.
- Death Master File: End User acknowledges that many services containing Experian information also contain
information from the Death Master File as issued by the Social Security Administration (“DMF”); End User
certifies pursuant to Section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102 that,
consistent with its applicable FCRA or GLB use of Experian information, the End User's use of deceased flags
or other indicia within the Experian information is restricted to legitimate fraud prevention or business
purposes in compliance with applicable laws, rules, regulations, or fiduciary duty, as such business purposes
are interpreted under 15 C.F.R. § 1110.102(a)(1); and End User will not take any adverse action against any
consumer without further investigation to verify the information from the deceased flags or other indicia
within the Experian information. Reseller must use the complete wording stated above, or language
substantially similar, within the contract with the end user.
II. Credit Scoring Services Agreement
This Credit Scoring Services Agreement, (“Agreement”), between End User and Lender Feed, LC.
(“Provider”)
WHEREAS, Provider is an authorized reseller of Experian Information Solutions, Inc. (“Experian”); and
WHEREAS, Experian and Fair, Isaac Corporation (“Fair, Isaac”) offer the “Experian/Fair, Isaac Model”, consisting
of the application of a risk model developed by Experian and Fair, Isaac which employs a proprietary algorithm
and which, when applied to credit information relating to individuals with whom the End User contemplates
entering into a credit relationship will result in a numerical score (the “Score” and collectively, “Scores”);
the purpose of the models being to rank said individuals in order of the risk of unsatisfactory payment.
NOW, THEREFORE, For good and valuable consideration and intending to be legally bound, End User and Provider
hereby agree as follows:
- General Provisions
A. Subject of Agreement. The subject of this Agreement is End User’s purchase of Scores produced from the
Experian/Fair, Isaac Model from Provider.
B. Application. This Agreement applies to all uses of the Experian/Fair, Isaac Model by End User during
the term of this agreement.
C. Term. The term of this Agreement (the “Term”) is the period consisting of the Initial Term and, if
this Agreement is renewed, the Renewal Term(s), as follows:
(1) Initial Term. The “Initial Term” is the period beginning at 12:01 a.m. on the date written above and
ending at 11:59 p.m. 12 months from the date written above.
(2) Renewal Term(s). This term will automatically renew every 30 days unless one or both of the parties
delivers written notice of such party’s (parties’) intent not to renew no later than thirty (30) days
before the end of the Initial Term. This Agreement will terminate without further action by either of
the parties in the event End User is denied use of the Lender Feed LC. Model due to misuse.
- Experian/Fair, Isaac Scores
A. Generally. Upon request by End User during the Term, Provider will provide End
User with the Scores.
B. Time of Performance. Provider will use commercially reasonable efforts to provide
the Lender Feed LC. Model as expeditiously as possible and in a timely manner; provided, however,
Provider will have no liability to End User hereunder for delays in providing such Lender Feed LC.
Model.
C. Warranty. Provider warrants that the Scores are empirically derived and
statistically sound predictors of consumer credit risk on the data from which they were developed
when applied to the population for which they were developed. Provider further warrants that so long
as it provides the Scores, the Scores will not contain or use any prohibited basis as defined by the
federal Equal Credit Opportunity Act, 15 USC Section 1691 et seq. or Regulation B promulgated
thereunder. THE FOREGOING WARRANTIES ARE THE ONLY WARRANTIES PROVIDER HAS GIVEN END USER WITH
RESPECT TO THE SCORES, AND SUCH WARRANTIES ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED,
PROVIDER MIGHT HAVE GIVEN END USER WITH RESPECT THERETO, INCLUDING, FOR EXAMPLE, WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. End User’s rights under the foregoing
warranties are expressly conditioned upon End User’s periodic revalidation of the Experian/Fair,
Isaac Model in compliance with the requirements of Regulation B as it may be amended from time to
time (12 CFR Section 202 et seq.).
D. Release. End User hereby releases and holds harmless Provider, Fair Isaac and/or
Experian and their respective officers, directors, employees, agents, sister or affiliated
companies, and any third-party contractors or suppliers of Provider, Fair, Isaac or Experian from
liability for any damages, losses, costs or expenses, whether direct or indirect, suffered or
incurred by End User resulting from any failure of the Scores to accurately predict that a United
States consumer will repay their existing or future credit obligations satisfactorily.
- Fees. See Pricing on Signature Page above.
A. Generally. In consideration of Provider’s performance of the Lender Feed LC. Model,
End User will pay Provider fees (the “Fees”) as agreed upon in writing by End User and Provider from
time to time.
B. Taxes. End User will be solely responsible for all Federal, state, and local taxes
levied or assessed in connection with Provider’s performance of the Lender Feed LC. Model, other than
income taxes assessed with respect to Provider’s net income, for which income taxes Provider will be
solely responsible.
C. Method of Payment. Periodically during the Term, Provider will deliver to End User
invoices reflecting Fees (including taxes) for which Subscriber is responsible hereunder. Subscriber
will pay Provider the amounts indicated on such invoices within thirty (30) days after the invoice date.
End User’s obligation to pay Fees shall be absolute and unconditional and shall not be affected by any
circumstance, including, without limitation, set off, counterclaim, recoupment, defense (other than the
defense of payment itself) or other right “End User” may have or allege to have against Provider for any
reason whatsoever.
- Intellectual Property
A. No License. Nothing contained in this Agreement shall be deemed to grant End User any
license, sublicense, copyright interest, proprietary rights, or other claim against or interest in any
computer programs utilized by Provider, Experian and/or Fair, Isaac or any third party involved in the
delivery of the scoring services hereunder. End User acknowledges that the Experian/Fair, Isaac Model
and its associated intellectual property rights in its output are the property of Fair, Isaac.
B. End User Use Limitations. By providing the Scores to End User pursuant to this
Agreement, Provider grants to End User a limited license to use information contained in reports
generated by the Experian/Fair, Isaac Model solely in its own business with no right to sublicense or
otherwise sell or distribute said information to third parties. Before directing Provider to deliver
Scores to any third party (as may be permitted by this Agreement), End User agrees to enter into a
contract with such third party that (1) limits use of the Scores by the third party only to the use
permitted to the End User, and (2) identifies Experian and Fair, Isaac as express third party
beneficiaries of such contract.
C. Proprietary Designations. End User shall not use, or permit its employees, agents and
subcontractors to use, the trademarks, service marks, logos, names, or any other proprietary
designations of Provider, Experian or Fair, Isaac or their respective affiliates, whether registered or
unregistered, without such party’s prior written consent.
- Compliance and Confidentiality
A. Compliance with Law. In performing this Agreement and in using information provided
hereunder, End User will comply with all Federal, state, and local statutes, regulations, and rules
applicable to consumer credit information and nondiscrimination in the extension of credit from time to
time in effect during the Term. End User certifies that (1) it has a permissible purpose for obtaining
the Scores in accordance with the federal Fair Credit Reporting Act, and any similar applicable state
statute, (2) any use of the Scores for purposes of evaluating the credit risk associated with
applicants, prospects or existing customers will be in a manner consistent with the provisions described
in the Equal Credit Opportunity Act (“ECOA”), Regulation B, and/or the Fair Credit Reporting Act, and
(3) the Scores will not be used for Adverse Action as defined by the Equal Credit Opportunity Act
(“ECOA”) or Regulation B, unless adverse action reason codes have been delivered to the End User along
with the Scores.
B. Confidentiality. End User will maintain internal procedures to minimize the risk of
unauthorized disclosure of information delivered hereunder. End User will take reasonable precautions to
assure that such information will be held in strict confidence and disclosed only to those of its
employees whose duties reasonably relate to the legitimate business purposes for which the information
is requested or used and to no other person. Without limiting the generality of the foregoing, End User
will take suitable precautions to prevent loss, compromise, or misuse of any tapes or other media
containing consumer credit information while in the possession of End User and while in transport
between the parties. End User certifies that it will not publicly disseminate any results of the
validations or other reports derived from the Scores without each of Experian’s and Fair, Isaac’s
express written permission.
C. Proprietary Criteria. Under no circumstances will End User attempt in any manner,
directly or indirectly, to discover or reverse engineer any confidential and proprietary criteria
developed or used by Experian and/or Fair, Isaac in performing the scoring services hereunder.
D. Consumer Disclosure. Notwithstanding any contrary provision of this Agreement, End
User may disclose the Scores provided to End User under this Agreement (1) to credit applicants, when
accompanied by the corresponding reason codes, in the context of bona fide lending transactions and
decisions only, and (2) as clearly required by law.
- Indemnification and Limitations
A. Indemnification. End User will indemnify, defend, and hold each of Provider, Experian
and Fair, Isaac harmless from and against any and all liabilities, damages, losses, claims, costs, and
expenses (including reasonable attorneys’ fees) arising out of or resulting from any nonperformance by
End User of any obligations to be performed by End User under this Agreement, provided that Provider,
Experian/Fair, Isaac have given End User prompt notice of, and the opportunity and the authority (but
not the duty) to defend or settle any such claim. Provider will indemnify, defend, and hold End User
harmless from and against any and all liabilities, damages, losses, claims, costs, and expenses
(including reasonable attorney’s fees) arising out of or resulting from any nonperformance by Provider
of any obligations to be performed by Provider under this Agreement, provided that End User has given
Provider prompt notice of, and the opportunity and the authority (but not the duty) to defend or settle
any such claim.
B. Limitation of Liability. NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT, UNDER
NO CIRCUMSTANCES WILL PROVIDER, EXPERIAN OR FAIR, ISAAC HAVE ANY OBLIGATION OR LIABILITY TO END USER FOR
ANY INCIDENTAL, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES INCURRED BY END USER, REGARDLESS OF HOW SUCH
DAMAGES ARISE AND OF WHETHER OR NOT END USER WAS ADVISED SUCH DAMAGES MIGHT ARISE. IN NO EVENT SHALL THE
AGGREGATE LIABILITY OF PROVIDER, EXPERIAN OR FAIR, ISAAC TO END USER EXCEED THE FEES PAID BY END USER
PURSUANT TO THIS AGREEMENT DURING THE SIX MONTH PERIOD IMMEDIATELY PRECEDING THE DATE OF END USER’S
CLAIM.
- Miscellaneous
A. Third Parties. End User acknowledges that the Scores result from the joint efforts
of Experian and Fair, Isaac. End User further acknowledges that each of Experian and Fair, Isaac has a
proprietary interest in said Scores and agrees that either Experian or Fair, Isaac may enforce those
rights as required.
B. Complete Agreement. This Agreement sets forth the entire understanding of End User and
Provider with respect to the subject matter hereof and supersedes all prior letters of intent, agreements,
covenants, arrangements, communications, representations, or warranties, whether oral or written, by any
officer, employee, or representative of either party relating thereto.
III. FCRA Requirements
Federal Fair Credit Reporting Act (as amended by the Consumer Credit Reporting Reform Act of 1996)
Although the FCRA primarily regulates the operations of consumer credit reporting agencies, it also affects you
as a user of information. We have included a copy of the FCRA with your membership kit. We suggest that you and
your employees become familiar with the following sections in particular:
§ 604. Permissible Purposes of Reports
§ 607. Compliance Procedures
§ 615. Requirement on users of consumer reports
§ 616. Civil liability for willful noncompliance
§ 617. Civil liability for negligent noncompliance
§ 619. Obtaining information under false pretenses
§ 621. Administrative Enforcement
§ 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies
§ 628. Disposal of Records
Each of these sections is of direct consequence to users who obtain reports on consumers.
As directed by the law, credit reports may be issued only if they are to be used for extending credit, review or
collection of an account, employment purposes, underwriting insurance or in connection with some other
legitimate business transaction such as an investment, partnership, etc. It is imperative that you identify each
request for a report to be used for employment purposes when such report is ordered. Additional state laws may
also impact your usage of reports for employment purposes.
We strongly endorse the letter and spirit of the Federal Fair Credit Reporting Act. We believe that this law and
similar state laws recognize and preserve the delicate balance between the rights of the consumer and the
legitimate needs of commerce.
In addition to the Federal Fair Credit Reporting Act, other federal and state laws addressing such topics as
computer crime and unauthorized access to protected databases have also been enacted. As a prospective user of
consumer reports, we expect that you and your staff will comply with all relevant federal statutes and the
statutes and regulations of the states in which you operate.
We support consumer reporting legislation that will assure fair and equitable treatment for all consumers and
users of credit information.
IV. End User Certification of Compliance
California Civil Code - Section 1785.14(a)
Section 1785.14(a), as amended, states that a consumer credit reporting agency does not have reasonable grounds
for believing that a consumer credit report will only be used for a permissible purpose unless all of the
following requirements are met:
Section 1785.14(a)(1) states: “If a prospective user is a retail seller, as defined in Section 1802.3, and
intends to issue credit to a consumer who appears in person on the basis of an application for credit submitted
in person, the consumer credit reporting agency shall, with a reasonable degree of certainty, match at least
three categories of identifying information within the file maintained by the consumer credit reporting agency
on the consumer with the information provided to the consumer credit reporting agency by the retail seller. The
categories of identifying information may include, but are not limited to, first and last name, month and date
of birth, driver’s license number, place of employment, current residence address, previous residence address,
or social security number. The categories of information shall not include mother’s maiden name.”
Section 1785.14(a)(2) states: “If the prospective user is a retail seller, as defined in Section 1802.3, and
intends to issue credit to a consumer who appears in person on the basis of an application for credit submitted
in person, the retail seller must certify, in writing, to the consumer credit reporting agency that it instructs
its employees and agents to inspect a photo identification of the consumer at the time the application was
submitted in person. This paragraph does not apply to an application for credit submitted by mail.”
Section 1785.14(a)(3) states: “If the prospective user intends to extend credit by mail pursuant to a
solicitation by mail, the extension of credit shall be mailed to the same address as on the solicitation unless
the prospective user verifies any address change by, among other methods, contacting the person to whom the
extension of credit will be mailed.”
In compliance with Section 1785.14(a) of the California Civil Code, End User hereby certifies to Consumer
Reporting Agency as follows:
End User certifies that if End User is a Retail Seller who conducts Point of Sale transactions, End User will,
beginning on or before July 1, 1998, instruct its employees and agents to inspect a photo identification of the
consumer at the time an application is submitted in person.
End User also certifies that it will only use the appropriate End User code number designated by Consumer
Reporting Agency for accessing consumer reports for California Point of Sale transactions conducted by Retail
Seller.
If End User is not a Retail Seller who issues credit in Point of Sale transactions, End User agrees that if it,
at any time hereafter, becomes a Retail Seller who extends credit in Point of Sale transactions, End User shall
provide written notice of such to Consumer Reporting Agency prior to using credit reports with Point of Sale
transactions as a Retail Seller, and shall comply with the requirements of a Retail Seller conducting Point of
Sale transactions, as provided in this certification.
Access Security Requirements for End Users for FCRA and GLB 5A Data
The following information security controls are required to reduce unauthorized access to consumer information.
It is your responsibility to implement these controls (you, the company provided access to Experian systems or
data through Lender Feed, LC, are referred to below as the “Company”). If you do not understand these
requirements or need assistance, it is your responsibility to engage an outside service provider to assist you.
Lender Feed, LC reserves the right to make changes to these Access Security Requirements without prior
notification. The information provided herewith sets out minimum baselines for information security.
In accessing Lender Feed, LC’s services, Company agrees to follow these Experian security requirements. These
requirements are applicable to all systems and devices used to access, transmit, process, or store Experian
data:
1. Implement Strong Access Control Measures
1.1 All credentials such as Subscriber Code number, Subscriber Code Passwords, User names/identifiers (user IDs)
and user passwords must be kept confidential and must not be disclosed to an unauthorized party. No one from
Lender Feed, LC will ever contact you and request your credentials.
1.2 If using a third-party or proprietary system to access Lender Feed, LC's systems, ensure that access is
preceded by authenticating users to the application and/or system (e.g. application-based authentication,
Active Directory, etc.) utilized for accessing Lender Feed, LC data/systems.
1.3 If the third-party software or proprietary system or software used to access Lender Feed, LC data/systems
is replaced or no longer in use, the passwords should be changed immediately.
1.4 Create a unique user ID for each user to enable individual authentication and accountability for access to
Lender Feed, LC’s infrastructure. Each user of the system access software must also have a unique logon
password.
1.5 User IDs and passwords shall only be assigned to authorized individuals based on least privilege necessary
to perform job responsibilities.
1.6 User IDs and passwords must not be shared, posted, or otherwise divulged in any manner.
1.7 Develop strong passwords that are:
- Not easily guessable (e.g. your name or company name, repeating numbers and letters, or consecutive numbers
and letters)
- A minimum of eight (8) alphabetic and numeric characters for standard user accounts
- For interactive sessions (i.e. non system-to-system), changed periodically (every 90 days is recommended)
1.8 Passwords (e.g. user/account passwords) must be changed immediately when:
- Any system access software is replaced by other system access software or is no longer used
- The hardware on which the software resides is upgraded, changed or disposed of
- There is any suspicion that a password has been disclosed to an unauthorized party (see section 4.3 for
reporting requirements)
1.9 Ensure that passwords are not transmitted, displayed or stored in clear text; protect all end user (e.g.
internal and external) passwords using, for example, encryption or a cryptographic hashing algorithm, also known
as “one-way” encryption. When using encryption, ensure that strong encryption algorithms are utilized (e.g. AES
256 or above).
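Sections 1.7 and 1.9 together describe what an application that holds Lender Feed credentials must do at enrolment: reject weak passwords, then store only a salted one-way hash and verify later logins against it in constant time. The following is an added example (not Lender Feed's, Experian's or MonitorBase's code) showing one way to implement both. The requirements name no hash algorithm or work factor, so PBKDF2-HMAC-SHA256 with 600,000 iterations is this example's assumption; "repeating" is read as three identical characters in a row and "consecutive" as three characters in alphabetical or numerical order, which is also an interpretation.

```python
import hashlib
import hmac
import os
import re

# Section 1.7 minimum length. The page gives no hash algorithm or work factor, so
# PBKDF2-HMAC-SHA256 with 600,000 iterations is this example's own choice (assumption).
MIN_LENGTH = 8
PBKDF2_ITERATIONS = 600_000


def has_sequence(s, run=3):
    """True if s contains `run` consecutive ascending or descending characters ('abc', '321')."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def policy_violations(password, user_name="", company_name=""):
    """Return the list of section 1.7 rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain both alphabetic and numeric characters")
    lowered = password.lower()
    for label, name in (("user name", user_name), ("company name", company_name)):
        if name and name.lower() in lowered:
            problems.append(f"contains the {label}")
    if re.search(r"(.)\1\1", password):          # three identical characters in a row
        problems.append("contains a run of repeated characters")
    if has_sequence(password):                   # e.g. 'abc' or '123'
        problems.append("contains consecutive characters")
    return problems


def hash_password(password, salt=None):
    """Salted one-way hash in the form 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    Only this string is stored; the clear-text password never is (section 1.9).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password, user_name="", company_name=""):
    """Enforce the policy at enrolment and return the storable hash; weak passwords raise ValueError."""
    problems = policy_violations(password, user_name, company_name)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample: user 'jdoe' at company 'LenderFeed' enrols with the password 'Tr0ub4dor'.
    record = register("Tr0ub4dor", user_name="jdoe", company_name="LenderFeed")
    print(record)
    print(verify_password("Tr0ub4dor", record), verify_password("wrong-pw1", record))
```

The stored record carries its own salt and iteration count, so the work factor can be raised later for new enrolments without breaking verification of older records, and `hmac.compare_digest` avoids leaking how many leading bytes of a guess matched through timing.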
1.10 Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended
workstations. Systems should be manually locked before being left unattended.
1.11 Active logins to credit information systems must be configured with a 30 minute inactive session timeout.
1.12 Ensure that personnel who are authorized to access credit information have a business need to access such
information and understand that access to such information is only for the permissible purposes listed in the
Permissible Purpose Information section of the membership application.
1.13 Company must NOT install Peer-to-Peer file sharing software on systems used to access, transmit or store
Experian data.
1.14 Ensure that Company employees do not access their own credit reports or those reports of any family
member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible
purpose.
1.15 Implement a process to terminate access rights immediately for users who access Experian credit information
when those users are terminated or when they have a change in their job tasks and no longer require access to
that credit information.
1.16 Implement a process to perform periodic user account reviews to validate whether access is needed as well
as the privileges assigned.
1.17 Implement a process to periodically review user activities and account usage, and ensure that user activities
are consistent with the individual's job responsibility and business need, and in line with contractual obligations.
1.18 Implement physical security controls to prevent unauthorized entry to Company’s facility and access to
systems used to obtain credit information. Ensure that access is controlled with badge readers, other systems,
or devices including authorized lock and key.
2. Maintain a Vulnerability Management Program
2.1 Keep operating system(s), firewalls, routers, servers, personal computers (laptops and desktops) and all
other systems current with appropriate system patches and updates.
2.2 Configure infrastructure such as firewalls, routers, servers, tablets, smart phones, personal computers
(laptops and desktops), and similar components to industry best security practices, including disabling
unnecessary services or features, and removing or changing default passwords, IDs and sample files/programs, and
enabling the most secure configuration features to avoid unnecessary risks.
2.3 Implement and follow current best security practices for computer virus detection, scanning services and
procedures:
- Use, implement and maintain current, commercially available anti-virus software on all systems for which
applicable anti-virus technology exists. Anti-virus software deployed must be capable of detecting, removing, and
protecting against all known types of malicious software such as viruses, worms, spyware, adware, Trojans, and
rootkits.
- Ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that
anti-virus software is enabled for automatic updates and performs scans on a regular basis.
- If you suspect an actual or potential virus infecting a system, immediately cease accessing the system and do
not resume the inquiry process until the virus has been eliminated.
3. Protect Data
3.1 Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle
(creation, transformation, use, storage and secure destruction) regardless of the media used to store the
data (e.g., tape, disk, paper).
3.2 Experian data is classified Confidential and must, at a minimum, be secured in accordance with the requirements
in this document.
3.3 Procedures for transmission, disclosure, storage, destruction and any other information modalities or
media should address all aspects of the lifecycle of the information.
3.4 Encrypt all Experian data and information when stored electronically on any system, including but not
limited to laptops, tablets, personal computers, servers and databases, using strong encryption such as AES 256 or
above.
3.5 Experian data must not be stored locally on smart tablets and smart phones such as iPads, iPhones,
Android based devices, etc.
3.6 When using smart tablets or smart phones to access Experian data, ensure that such devices are
protected via device pass-code.
3.7 Applications utilized to access Experian data via smart tablets or smart phones must protect data
in transmission, for example through SSL protection and/or use of a VPN.
3.8 Only open email attachments and links from trusted sources and after verifying legitimacy.
3.9 When no longer in use, ensure that hard-copy materials containing Experian data are crosscut shredded,
incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
3.10 When no longer in use, ensure that electronic media containing Experian data is rendered unrecoverable via a
secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically
destroying the media (for example, degaussing).
4. Maintain an Information Security Policy
4.1 Develop and follow a security plan to protect the confidentiality and integrity of personal consumer
information as required under the GLB Safeguards Rule.
4.2 As suitable to the complexity and size of the organization, establish and publish information security and
acceptable use policies identifying user responsibilities and addressing requirements in line with this
document and applicable laws and regulations.
4.3 Establish processes and procedures for responding to security violations, unusual or suspicious events
and similar incidents to limit damage or unauthorized access to information assets and to permit identification
and prosecution of violators. If you believe Experian data may have been compromised, immediately notify Lender
Feed, LC within twenty-four (24) hours or per agreed contractual notification timeline (See also Section 8).
4.4 The FACTA Disposal Rule requires that Company implement appropriate measures to dispose of any
sensitive information related to consumer credit reports and records so as to protect against unauthorized
access to or use of that information.
4.5 Implement and maintain ongoing mandatory security training and awareness sessions for all staff to
underscore the importance of security in the organization.
4.6 When using third party service providers (e.g. application service providers) to access, transmit,
store or process Experian data, ensure that the service provider is compliant with the Experian Independent Third
Party Assessment (EI3PA) program and registered in Experian’s list of compliant service providers. If the
service provider is in the process of becoming compliant, it is Company’s responsibility to ensure the service
provider is engaged with Experian and that an exception is granted in writing. Approved certifications in lieu of
EI3PA can be found in the Glossary section.
5. Build and Maintain a Secure Network
5.1 Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed
using industry best security practices.
5.2 Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed
to the Internet. Network address translation (NAT) technology should be used.
5.3 Administrative access to firewalls and servers must be performed through a secure internal wired
connection only.
5.4 Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that
is installed and configured to block unnecessary/unused ports, services, and network traffic.
5.5 Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any
other vendor defaults.
5.6 For wireless networks connected to or used for accessing or transmission of Experian data, ensure that
networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE
802.11i) for authentication and transmission over wireless networks.
5.7 When using service providers (e.g. software providers) to access Lender Feed, LC systems, access to
third party tools/services must require multi-factor authentication.
6. Regularly Monitor and Test Networks
6.1 Perform regular tests on information systems (port scanning, virus scanning, internal/external vulnerability
scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix
critical issues immediately, high severity within 15 days, etc.).
6.2 Ensure that audit trails are enabled and active for systems and applications used to access, store,
process, or transmit Experian data; establish a process for linking all access to such systems and applications.
Ensure that security policies and procedures are in place to review security logs on a daily or weekly basis and
that follow-up on exceptions is required.
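Added example covering requirements 1.15 to 1.17 and 6.2 (not MonitorBase or Experian code): a periodic access review that links each audit-trail event to a user and checks it against the HR/access roster, flagging access after termination, access without a business need, unknown user IDs and dormant accounts. The log format, roster, role names and 90-day dormancy window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed roster (assumed HR/access data): status, role and, for leavers,
# the termination timestamp after which any access is a review finding.
ROSTER = {
    "alice": {"status": "active", "role": "underwriter", "terminated": None},
    "bob": {"status": "terminated", "role": "underwriter",
            "terminated": datetime(2024, 3, 1)},
    "carol": {"status": "active", "role": "marketing", "terminated": None},
    "dave": {"status": "active", "role": "loan_officer", "terminated": None},
}
# Roles whose job tasks carry a permissible-purpose need for credit data (assumed).
ROLES_WITH_CREDIT_NEED = {"underwriter", "loan_officer"}

# Constructed audit trail: "<ISO timestamp> <user id> <action> <source ip>".
AUDIT_LOG = """\
2024-03-04T09:12:05 alice credit_report_view 10.1.2.3
2024-03-04T09:40:11 bob credit_report_view 10.1.2.9
2024-03-04T10:02:44 carol credit_report_view 10.1.2.15
2024-03-04T10:15:00 alice credit_report_view 10.1.2.3
2024-03-04T11:30:00 mallory credit_report_view 10.1.2.77
"""


def parse_audit(text):
    """Turn audit lines into events; every event is linked to a user id (6.2)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, src_ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "src_ip": src_ip})
    return events


def review_access(events, roster, review_time, dormant_after=timedelta(days=90)):
    """Return (kind, user, timestamp) findings for the periodic review."""
    findings = []
    last_seen = {}
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        entry = roster.get(user)
        if entry is None:
            findings.append(("unknown_user", user, ts))          # not on roster
        elif entry["status"] == "terminated" and (
                entry["terminated"] is None or ts >= entry["terminated"]):
            findings.append(("access_after_termination", user, ts))  # 1.15
        elif entry["role"] not in ROLES_WITH_CREDIT_NEED:
            findings.append(("no_business_need", user, ts))      # 1.12 / 1.17
        last_seen[user] = max(ts, last_seen.get(user, ts))
    # 1.16: active accounts with no activity in the window need validation
    # or revocation rather than being left open.
    for user, entry in roster.items():
        seen = last_seen.get(user)
        if entry["status"] == "active" and (
                seen is None or review_time - seen > dormant_after):
            findings.append(("dormant_account", user, seen))
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_audit(AUDIT_LOG), ROSTER,
                                 datetime(2024, 3, 31)):
        print(*finding)
```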
6.3 Use current best practices to protect telecommunications systems and any computer system or network
device(s) used to provide Services hereunder to access Lender Feed, LC systems and networks. These controls
should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure
to an unauthorized third party by:
- protecting against intrusions;
- securing the computer systems and network devices;
- and protecting against intrusions of operating systems or software.
7. Mobile and Cloud Technology
7.1 Storing Experian data on mobile devices is prohibited. Any exceptions must be obtained from Experian in
writing; additional security requirements will apply.
7.2 Mobile application development must follow industry-recognized secure software development standards and
practices such as OWASP and the OWASP Mobile Security Project, adhering to common controls and addressing top risks.
7.3 Mobile application development processes must follow a secure software assessment methodology that
includes appropriate application security testing (for example: static analysis, dynamic analysis, penetration
testing) and ensures vulnerabilities are remediated.
7.4 Mobility solution server/system should be hardened in accordance with industry and vendor best
practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.
7.5 Mobile applications and data shall be hosted on devices through a secure container separate from any
personal applications and data. See details below. Under no circumstances is Experian data to be exchanged
between secured and non-secured applications on the mobile device.
7.6 In the case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing
Experian data via mobile applications (internally developed or using a third party application), ensure that
multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate
users to the application.
7.7 When using cloud providers to access, transmit, store, or process Experian data, ensure that:
- Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and
contractual obligations
- Cloud providers have gone through independent audits and are compliant with one or more of the following
standards, or a current equivalent as approved/recognized by Experian:
  - ISO 27001
  - PCI DSS
  - EI3PA
  - SSAE 16 – SOC 2 or SOC 3
  - FISMA
  - CAI / CCM assessment
8. General
- Lender Feed, LC may from time to time audit the security mechanisms Company maintains to safeguard access to
Experian information, systems and electronic communications. Audits may include examination of systems
security and associated administrative practices.
- In cases where the Company is accessing Experian information and systems via third party software, the
Company agrees to make available to Lender Feed, LC upon request, audit trail information and management
reports generated by the vendor software, regarding Company individual authorized users.
- Company shall be responsible for and ensure that third party software, which accesses Lender Feed, LC
information systems, is secure, and protects this vendor software against unauthorized modification, copy
and placement on systems which have not been authorized for its use.
- Company shall conduct software development (for software which accesses Lender Feed, LC information systems;
this applies to both in-house or outsourced software development) based on the following requirements:
4.1 Software development must follow industry known secure software development standard
practices such as OWASP adhering to common controls and addressing top risks.
4.2 Software development processes must follow secure software assessment methodology which
includes appropriate application security testing (for example: static, dynamic analysis, penetration
testing) and ensuring vulnerabilities are remediated.
4.3 Software solution server/system should be hardened in accordance with industry and vendor
best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.
- Reasonable access to audit trail reports of systems utilized to access Lender Feed, LC systems shall be made
available to Lender Feed, LC upon request, for example during a breach investigation or while performing
audits.
- Data requests from Company to Lender Feed, LC must include the IP address of the device from which the
request originated (i.e., the requesting client’s IP address), where applicable.
- Company shall report actual security violations or incidents that impact Experian to Lender Feed, LC within
twenty-four (24) hours or per the agreed contractual notification timeline. Company agrees to provide notice to
Lender Feed, LC of any confirmed security breach that may involve data related to the contractual
relationship, to the extent required under and in compliance with applicable law. Telephone notification is
preferred, at 888-795-6575; email notification is to be sent to Support@monitorbase.com.
- Company acknowledges and agrees that the Company (a) has received a copy of these requirements, (b) has read
and understands Company’s obligations described in the requirements, (c) will communicate the contents of
the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall
have access to Lender Feed, LC services, systems or data, and (d) will abide by the provisions of these
requirements when accessing Experian data.
- Company understands that its use of Lender Feed, LC networking and computing resources may be monitored and
audited by Lender Feed, LC, without further notice.
- Company acknowledges and agrees that it is responsible for all activities of its employees/authorized users,
and for assuring that mechanisms to access Lender Feed, LC services or data are secure and in compliance
with its membership agreement.
- When using third party service providers to access, transmit, or store Experian data, additional
documentation may be required by Lender Feed, LC.
Record Retention: The Federal Equal Credit Opportunity Act states that a creditor must preserve all
written or recorded information connected with an application for 25 months. In keeping with the ECOA,
Experian requires that you retain the credit application and, if applicable, a purchase agreement for a
period of not less than 25 months. When conducting an investigation, particularly following a consumer
complaint that your company impermissibly accessed their credit report, Experian will contact you and
will request a copy of the original application signed by the consumer or, if applicable, a copy of the
sales contract.
“Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA
may be liable for a civil penalty of not more than $3,500 per violation.”
Internet Delivery Security Requirements
In addition to the above, the following requirements apply where Company and its employees, or an authorized
agent(s) acting on behalf of the Company, are provided access to Lender Feed, LC provided services via the
Internet (“Internet Access”).
General requirements:
- The Company shall designate in writing, an employee to be its Head Security Designate, to act as the
primary interface with Lender Feed, LC on systems access related matters. The Company’s Head
Security Designate will be responsible for establishing, administering and monitoring all Company
employees’ access to Lender Feed, LC provided services which are delivered over the Internet
(“Internet access”), or approving and establishing Security Designates to perform such functions.
- The Company’s Head Security Designate or Security Designate shall in turn review all employee
requests for Internet access approval. The Head Security Designate or its Security Designate shall
determine the appropriate access to each Lender Feed, LC product based upon the legitimate business
needs of each employee. Lender Feed, LC shall reserve the right to terminate any accounts it deems a
security threat to its systems and/or consumer data.
- Unless automated means become available, the Company shall request employee's (Internet) user access
via the Head Security Designate/Security Designate in writing, in the format approved by Lender
Feed, LC. Those employees approved by the Head Security Designate or Security Designate for Internet
access ("Authorized Users") will be individually assigned unique access identification accounts
("User ID") and passwords/passphrases (this also applies to the unique Server-to-Server access IDs
and passwords/passphrases). Lender Feed, LC’s approval of requests for (Internet) access may be
granted or withheld in its sole discretion. Lender Feed, LC may add to or change its requirements
for granting (Internet) access to the services at any time (including, without limitation, the
imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves
the right to change passwords/passphrases and to revoke any authorizations previously granted. Note:
Partially completed forms and verbal requests will not be accepted.
- An officer of the Company agrees to notify Lender Feed, LC in writing immediately if it wishes to
change or delete any employee as a Head Security Designate, Security Designate, or Authorized User;
or if the identified Head Security Designate, Security Designate or Authorized User is terminated or
otherwise loses his or her status as an Authorized User.
Roles and Responsibilities
- Company agrees to identify an employee it has designated to act on its behalf as a primary interface
with Lender Feed, LC on systems access related matters. This individual shall be identified as the
"Head Security Designate." The Head Security Designate can further identify a Security Designate(s)
to provide the day to day administration of the Authorized Users. Security Designate(s) must be an
employee and a duly appointed representative of the Company and shall be available to interact with
Lender Feed, LC on information and product access, in accordance with these Experian Access Security
Requirements for Reseller End-Users. The Head Security Designate Authorization Form must be signed
by a duly authorized representative of the Company. Company’s duly authorized representative (e.g.
contracting officer, security manager, etc.) must authorize changes to Company’s Head Security
Designate. The Head Security Designate will submit all requests to create, change or lock Security
Designate and/or Authorized User access accounts and permissions to Lender Feed, LC’s systems and
information (via the Internet). Changes in Head Security Designate status (e.g. transfer or
termination) are to be reported to Lender Feed, LC immediately.
- As a Client to Lender Feed, LC’s products and services via the Internet, the Head Security Designate
is acting as the duly authorized representative of Company.
- The Security Designate may be appointed by the Head Security Designate as the individual that the
Company authorizes to act on behalf of the business in regards to Lender Feed, LC product access
control (e.g. request to add/change/remove access). The Company can opt to appoint more than one
Security Designate (e.g. for backup purposes). The Company understands that the Security
Designate(s) it appoints shall be someone who will generally be available during normal business
hours and can liaise with Lender Feed, LC’s Security Administration group on information and product
access matters.
- The Head Security Designate shall be responsible for notifying their corresponding Lender Feed, LC
representative in a timely fashion of any Authorized User accounts (with their corresponding
privileges and access to applications and data) that are required to be terminated due to a suspected
(or actual) threat of system compromise, unauthorized access to data and/or applications, or account
inactivity.
Security Designate
- Must be an employee and duly appointed representative of Company, identified as an approval point
for Company’s Authorized Users.
- Is responsible for the initial and on-going authentication and validation of Company’s Authorized
Users and must maintain current information about each (phone number, valid email address, etc.).
- Is responsible for ensuring that proper privileges and permissions have been granted in alignment
with Authorized User's job responsibilities.
- Is responsible for ensuring that Company’s Authorized Users are authorized to access Lender Feed, LC
products and services.
- Must disable Authorized User ID if it becomes compromised or if the Authorized User's employment is
terminated by Company.
- Must immediately report any suspicious or questionable activity to Lender Feed, LC regarding access
to Lender Feed, LC’s products and services.
- Shall immediately report changes in their Head Security Designate's status (e.g. transfer or
termination) to Lender Feed, LC.
- Will provide first level support for inquiries about passwords/passphrases or IDs requested by Company’s
Authorized Users.
- Shall be available to interact with Lender Feed, LC when needed on any system or user related
matters.
By:
Lender Feed, LC.
310 E 4500 S, Suite 270
Murray, UT 84107