© 2022 Lender Feed, LC ALL RIGHTS RESERVED
I. MonitorBase End User Agreement
This Lender Feed End User Agreement (“Agreement”) between End User and Lender Feed, LC. dba MonitorBase (“Reseller”)
End User: User of MonitorBase Software or Products. Lender, Credit Union or Bank who is the responsible party making a firm offer of credit as defined by the Fair Credit Reporting Act, and FACT act.
Reseller: End User will enter into an agreement with Lender Feed, LC., an Utah limited liability company located at 10 West Broadway, Suite 450 Salt Lake City, Utah 84101.
Third Party Processor: a firm engaged in the business of providing data processing services, including but not limited to net downs, demographic appending and segmentation, merge / purge processing, and general list cleansing, with respect to direct mail and telemarketing programs.
Periodic Screening Process: The process whereby Reseller. electronically delivers the preselected consumer data from the End Users database to Experian, providing a mechanism for the End User to continuously identify new prospective borrowers in their database that meet their pre-established lending criteria.
Experian Demographic Data: Demographic data is data Experian provides to client or clients Third Party Processor in performing the prescreened services, except that demographic data which client provides Experian.
Experian Data: Any data provided by Experian, including Experian Demographic Data, Credit Data, and Identifying Data.
Lender Feed Data Elements: Any data provided by Reseller, including but not limited to, Automated Valuation Modeling, Profiled Censes data, Demographic data overlays.
Lender Feed Data Server: The server that will ultimately store and display the pre-screened list to the end user for download or merging with form letters.
Prescreened list: When Experian completes the prescreening and segmentation of the end users data, Experian will deliver to Reseller’s Third Party Processor an electronic data file containing information that identifies the consumers who meet the eligibility criteria established and approved by the End User (the “Identifying data”) coded credit or derived information (the “Credit Data”) and coded Demographic data about such consumers (the “Prescreened List”).
II. Credit Scoring Services Agreement
This Credit Scoring Services Agreement, (“Agreement”), between End User and Lender Feed, LC. (“Provider”)
WHEREAS, Provider is an authorized reseller of Experian Information Solutions, Inc. (“Experian”); and
WHEREAS, Experian and Fair, Isaac Corporation (“Fair, Isaac”) offer the “Experian/Fair, Isaac Model”, consisting of the application of a risk model developed by Experian and Fair, Isaac which employs a proprietary algorithm and which, when applied to credit information relating to individuals with whom the End User contemplates entering into a credit relationship will result in a numerical score (the “Score” and collectively, “Scores”); the purpose of the models being to rank said individuals in order of the risk of unsatisfactory payment.
NOW, THEREFORE, For good and valuable consideration and intending to be legally bound, End User and Provider hereby agree as follows:
A. Subject of Agreement. The subject of this Agreement is End User’s purchase of Scores produced from the Experian/Fair, Isaac Model from Provider.
B. Application. This Agreement applies to all uses of the Experian/Fair, Isaac Model by End User during the term of this agreement.
C. Term. The term of this Agreement (the “Term”) is the period consisting of the Initial Term and, if this Agreement is renewed, the Renewal Term(s), as follows:
(1) Initial Term. The “Initial Term” is the period beginning at 12:01 a.m. on the date written above and ending at 11:59 p.m. 12 months from the date written above.
(2) Renewal Term(s). This term will automatically renew every 30 days unless one or both of the parties delivers written notice of such party’s (parties’) intent not to renew no later than thirty (30) days before the end of the Initial Term. This Agreement will terminate without further action by either of the parties in the event End User is denied use of the Lender Feed LC. Model due to misuse.
A. Generally. Upon request by End User during the Term, Provider will provide End User with the Scores.
B. Time of Performance. Provider will use commercially reasonable efforts to provide the Lender Feed LC. Model as expeditiously as possible and in a timely manner; provided, however, Provider will have no liability to End User hereunder for delays in providing such Lender Feed LC. Model.
C. Warranty. Provider warrants that the Scores are empirically derived and statistically sound predictors of consumer credit risk on the data from which they were developed when applied to the population for which they were developed. Provider further warrants that so long as it provides the Scores, the Scores will not contain or use any prohibited basis as defined by the federal Equal Credit Opportunity Act, 15 USC Section 1691 et seq. or Regulation B promulgated thereunder. THE FOREGOING WARRANTIES ARE THE ONLY WARRANTIES PROVIDER HAS GIVEN END USER WITH RESPECT TO THE SCORES, AND SUCH WARRANTIES ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, PROVIDER MIGHT HAVE GIVEN END USER WITH RESPECT THERETO, INCLUDING, FOR EXAMPLE, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. End User’s rights under the foregoing warranties are expressly conditioned upon End User’s periodic revalidation of the Experian/Fair, Isaac Model in compliance with the requirements of Regulation B as it may be amended from time to time (12 CFR Section 202 et seq.).
D. Release. End User hereby releases and holds harmless Provider, Fair Isaac and/or Experian and their respective officers, directors, employees, agents, sister or affiliated companies, and any third-party contractors or suppliers of Provider, Fair, Isaac or Experian from liability for any damages, losses, costs or expenses, whether direct or indirect, suffered or incurred by End User resulting from any failure of the Scores to accurately predict that a United States consumer will repay their existing or future credit obligations satisfactorily.
A. Generally. In consideration of Provider’s performance of the Lender Feed LC. Model, End User will pay Provider fees (the “Fees”) as agreed upon in writing by End User and Provider from time to time.
B. Taxes. End User will be solely responsible for all Federal, state, and local taxes levied or assessed in connection with Provider’s performance of the Lender Feed LC. Model, other than income taxes assessed with respect to Provider’s net income, for which income taxes Provider will be solely responsible.
C.Method of Payment. Periodically during the Term, Provider will deliver to End User invoices reflecting Fees (including taxes) for which Subscriber is responsible hereunder. Subscriber will pay Provider the amounts indicated on such invoices within thirty (30) days after the invoice date. End User’s obligation to pay Fees shall be absolute and unconditional and shall not be affected by any circumstance, including, without limitation, set off, counterclaim, recoupment, defense (other than the defense of payment itself) or other right “End User” may have or allege to have against Provider for any reason whatsoever.
A. No License. Nothing contained in this Agreement shall be deemed to grant End User any license, sublicense, copyright interest, proprietary rights, or other claim against or interest in any computer programs utilized by Provider, Experian and/or Fair, Isaac or any third party involved in the delivery of the scoring services hereunder. End User acknowledges that the Experian/Fair, Isaac Model and its associated intellectual property rights in its output are the property of Fair, Isaac.
B. End User Use Limitations. By providing the Scores to End User pursuant to this Agreement, Provider grants to End User a limited license to use information contained in reports generated by the Experian/Fair, Isaac Model solely in its own business with no right to sublicense or otherwise sell or distribute said information to third parties. Before directing Provider to deliver Scores to any third party (as may be permitted by this Agreement), End User agrees to enter into a contract with such third party that (1) limits use of the Scores by the third party only to the use permitted to the End User, and (2) identifies Experian and Fair, Isaac as express third party beneficiaries of such contract.
C. Proprietary Designations. End User shall not use, or permit its employees, agents and subcontractors to use, the trademarks, service marks, logos, names, or any other proprietary designations of Provider, Experian or Fair, Isaac or their respective affiliates, whether registered or unregistered, without such party’s prior written consent.
A. Compliance with Law. In performing this Agreement and in using information provided hereunder, End User will comply with all Federal, state, and local statutes, regulations, and rules applicable to consumer credit information and nondiscrimination in the extension of credit from time to time in effect during the Term. End User certifies that (1) it has a permissible purpose for obtaining the Scores in accordance with the federal Fair Credit Reporting Act, and any similar applicable state statute, (2) any use of the Scores for purposes of evaluating the credit risk associated with applicants, prospects or existing customers will be in a manner consistent with the provisions described in the Equal Credit Opportunity Act (“ECOA”), Regulation B, and/or the Fair Credit Reporting Act, and (3) the Scores will not be used for Adverse Action as defined by the Equal Credit Opportunity Act (“ECOA”) or Regulation B, unless adverse action reason codes have been delivered to the End User along with the Scores.
B. Confidentiality. End User will maintain internal procedures to minimize the risk of unauthorized disclosure of information delivered hereunder. End User will take reasonable precautions to assure that such information will be held in strict confidence and disclosed only to those of its employees whose duties reasonably relate to the legitimate business purposes for which the information is requested or used and to no other person. Without limiting the generality of the foregoing, End User will take suitable precautions to prevent loss, compromise, or misuse of any tapes or other media containing consumer credit information while in the possession of End User and while in transport between the parties. End User certifies that it will not publicly disseminate any results of the validations or other reports derived from the Scores without each of Experian’s and Fair, Isaac’s express written permission.
C. Proprietary Criteria. Under no circumstances will End User attempt in any manner, directly or indirectly, to discover or reverse engineer any confidential and proprietary criteria developed or used by Experian and/or Fair, Isaac in performing the scoring services hereunder.
D. Consumer Disclosure. Notwithstanding any contrary provision of this Agreement, End User may disclose the Scores provided to End User under this Agreement (1) to credit applicants, when accompanied by the corresponding reason codes, in the context of bona fide lending transactions and decisions only, and (2) as clearly required by law.
A. Indemnification End User will indemnify, defend, and hold each of Provider, Experian and Fair, Isaac harmless from and against any and all liabilities, damages, losses, claims, costs, and expenses (including reasonable attorneys’ fees) arising out of or resulting from any nonperformance by End User of any obligations to be performed by End User under this Agreement, provided that Provider, Experian/Fair, Isaac have given End User prompt notice of, and the opportunity and the authority (but not the duty) to defend or settle any such claim. Provider will indemnity, defend, and hold End User harmless from and against any and all liabilities, damages, losses, claims, costs, and expenses (including reasonable attorney’s fees) arising out of or resulting from any nonperformance by Provider of any obligations to be performed by Provider under this Agreement, provided that End User has given Provider prompt notice of, and the opportunity and the authority (but not the duty) to defend or settle any such claim.
B. Limitation of Liability. NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT, UNDER NO CIRCUMSTANCES WILL PROVIDER, EXPERIAN OR FAIR, ISAAC HAVE ANY OBLIGATION OR LIABILITY TO END USER FOR ANY INCIDENTAL, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES INCURRED BY END USER, REGARDLESS OF HOW SUCH DAMAGES ARISE AND OF WHETHER OR NOT END USER WAS ADVISED SUCH DAMAGES MIGHT ARISE. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF PROVIDER, EXPERIAN OR FAIR, ISAAC TO END USER EXCEED THE FEES PAID BY END USER PURSUANT TO THIS AGREEMENT DURING THE SIX MONTH PERIOD IMMEDIATELY PRECEDING THE DATE OF END USER’S CLAIM.
A. Third Parties. End User acknowledges that the Scores results from the joint efforts of Experian and Fair, Isaac. End User further acknowledges that each Experian and Fair, Isaac have a proprietary interest in said Scores and agrees that either Experian or the Fair, Isaac may enforce those rights as required.
III. FCRA Requirements
Federal Fair Credit Reporting Act (as amended by the
Consumer Credit Reporting Reform Act of 1996)
Although the FCRA primarily regulates the operations of consumer credit reporting agencies, it also affects you as a user of information. We have included a copy of the FCRA with your membership kit. We suggest that you and your employees become familiar with the following sections in particular:
§ 604. Permissible Purposes of Reports
§ 607. Compliance Procedures
§ 615. Requirement on users of consumer reports
§ 616. Civil liability for willful noncompliance
§ 617. Civil liability for negligent noncompliance
§ 619. Obtaining information under false pretenses
§ 621. Administrative Enforcement
§ 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies § 628. Disposal of Records
Each of these sections is of direct consequence to users who obtain reports on consumers. As directed by the law, credit reports may be issued only if they are to be used for extending credit, review or collection of an account, employment purposes, underwriting insurance or in connection with some other legitimate business transaction such as in investment, partnership, etc. It is imperative that you identify each request for a report to be used for employment purposes when such report is ordered. Additional state laws may also impact your usage of reports for employment purposes.
We strongly endorse the letter and spirit of the Federal Fair Credit Reporting Act. We believe that this law and similar state laws recognize and preserve the delicate balance between the rights of the consumer and the legitimate needs of commerce.
In addition to the Federal Fair Credit Reporting Act, other federal and state laws addressing such topics as computer crime and unauthorized access to protected databases have also been enacted. As a prospective user of consumer reports, we expect that you and your staff will comply with all relevant federal statutes and the statutes and regulations of the states in which you operate.
We support consumer reporting legislation that will assure fair and equitable treatment for all consumers and users of credit information.
IV. End User Certification of Compliance California Civil Code - Section 1785.14(a) Section 1785.14(a), as amended, states that a consumer credit reporting agency does not have reasonable grounds for believing that a consumer credit report will only be used for a permissible purpose unless all of the following requirements are met:
Section 1785.14(a)(1) states: “If a prospective user is a retail seller, as defined in Section 1802.3, and intends to issue credit to a consumer who appears in person on the basis of an application for credit submitted in person, the consumer credit reporting agency shall, with a reasonable degree of certainty, match at least three categories of identifying information within the file maintained by the consumer credit reporting agency on the consumer with the information provided to the consumer credit reporting agency by the retail seller. The categories of identifying information may include, but are not limited to, first and last name, month and date of birth, driver’s license number, place of employment, current residence address, previous residence address, or social security number. The categories of information shall not include mother’s maiden name.”
Section 1785.14(a)(2) states: “If the prospective user is a retail seller, as defined in Section 1802.3, and intends to issue credit to a consumer who appears in person on the basis of an application for credit submitted in person, the retail seller must certify, in writing, to the consumer credit reporting agency that it instructs its employees and agents to inspect a photo identification of the consumer at the time the application was submitted in person. This paragraph does not apply to an application for credit submitted by mail.”
Section 1785.14(a)(3) states: “If the prospective user intends to extend credit by mail pursuant to a solicitation by mail, the extension of credit shall be mailed to the same address as on the solicitation unless the prospective user verifies any address change by, among other methods, contacting the person to whom the extension of credit will be mailed.”
In compliance with Section 1785.14(a) of the California Civil Code, End User hereby certifies to Consumer Reporting Agency as follows:
End User certifies that if End User is a Retail Seller who conducts Point of Sale transactions, End User will, beginning on or before July 1, 1998, instruct its employees and agents to inspect a photo identification of the consumer at the time an application is submitted in person.
End User also certifies that it will only use the appropriate End User code number designated by Consumer Reporting Agency for accessing consumer reports for California Point of Sale transactions conducted by Retail Seller.
If End User is not a Retail Seller who issues credit in Point of Sale transactions, End User agrees that if it, at any time hereafter, becomes a Retail Seller who extends credit in Point of Sale transactions, End User shall provide written notice of such to Consumer Reporting Agency prior to using credit reports with Point of Sale transactions as a Retail Seller, and shall comply with the requirements of a Retail Seller conducting Point of Sale transactions, as provided in this certification.
Access Security Requirements for End Users for FCRA and GLB 5A Data
The following information security controls are required to reduce unauthorized access to consumer information. It is your (company provided access to Experian systems or data through Lender Feed, LC, referred to as the “Company”) responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to get an outside service provider to assist you. Lender Feed, LC reserves the right to make changes to these Access Security Requirements without prior notification. The information provided herewith provides minimum baselines for information security.
In accessing Lender Feed, LC’s services, Company agrees to follow these Experian security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store Experian data:
1. Implement Strong Access Control Measures
1.1 All credentials such as Subscriber Code number, Subscriber Code Passwords, User names/identifiers (user IDs)
and user passwords must be kept confidential and must not be disclosed to an unauthorized party. No one from
Lender Feed, LC will ever contact you and request your credentials.
1.2 If using third party or proprietary system to access Lender Feed, LC’s systems, ensure that the access must be preceded by authenticating users to the application and/or system (e.g. application based authentication, Active Directory, etc.) utilized for accessing Lender Feed, LC data/systems.
1.3 If the third party or third party software or proprietary system or software, used to access Lender Feed, LC data/systems, is replaced or no longer in use, the passwords should be changed immediately.
1.4 Create a unique user ID for each user to enable individual authentication and accountability for access to Lender Feed, LC’s infrastructure. Each user of the system access software must also have a unique logon password.
1.5 User IDs and passwords shall only be assigned to authorized individuals based on least privilege necessary to perform job responsibilities.
1.6 User IDs and passwords must not be shared, posted, or otherwise divulged in any manner.
1.7 Develop strong passwords that are:
Not easily guessable (i.e. your name or company name, repeating numbers and letters or consecutive numbers and letters)
Contain a minimum of eight (8) alphabetic and numeric characters for standard user accounts
For interactive sessions (i.e. non system-to-system) ensure that passwords/passwords are changed periodically (every 90 days is recommended)
1.8 Passwords (e.g. user/account password) must be changed immediately when:
Any system access software is replaced by another system access software or is no longer used
The hardware on which the software resides is upgraded, changed or disposed
Any suspicion of password being disclosed to an unauthorized party (see section 4.3 for reporting requirements)
1.9 Ensure that passwords are not transmitted, displayed or stored in clear text; protect all end user (e.g. internal and external) passwords using, for example, encryption or a cryptographic hashing algorithm also known as “one-way” encryption. When using encryption, ensure that strong encryption algorithm are utilized (e.g. AES 256 or above).
1.10 Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended.
1.11 Active logins to credit information systems must be configured with a 30 minute inactive session timeout.
1.12 Ensure that personnel who are authorized access to credit information have a business need to access such information and understand these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of the membership application.
1.13 Company must NOT install Peer-to-Peer file sharing software on systems used to access, transmit or store Experian data.
1.14 Ensure that Company employees do not access their own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.
1.15 Implement a process to terminate access rights immediately for users who access Experian credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.
1.16 Implement a process to perform periodic user account reviews to validate whether access is needed as well as the privileges assigned.
1.17 Implement a process to periodically review user activities and account usage, ensure the user activities are consistent with the individual job responsibility, business need, and in line with contractual obligations.
1.18 Implement physical security controls to prevent unauthorized entry to Company’s facility and access to systems used to obtain credit information. Ensure that access is controlled with badge readers, other systems, or devices including authorized lock and key.
2. Maintain a Vulnerability Management Program
2.1 Keep operating system(s), firewalls, routers, servers, personal computers (laptops and desktops) and all
other systems current with appropriate system patches and updates.
2.2 Configure infrastructure such as firewalls, routers, servers, tablets, smart phones, personal computers (laptops and desktops), and similar components to industry best security practices, including disabling unnecessary services or features, and removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.
2.3 Implement and follow current best security practices for computer virus detection scanning services and procedures:
Use, implement and maintain a current, commercially available anti-virus software on all systems, if applicable anti-virus technology exists. Anti-virus software deployed must be capable to detect, remove, and protect against all known types malicious software such as viruses, worms, spyware, adware, Trojans, and root-kits.
Ensure that all anti-virus software is current, actively running, and generating audit logs;
ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.
If you suspect an actual or potential virus infecting a system, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
3. Protect Data
3.1 Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle
(from creation, transformation, use, storage and secure destruction) regardless of the media used to store the
data (i.e., tape, disk, paper, etc.).
3.2 Experian data is classified Confidential and must be secured to in accordance with the requirements mentioned in this document at a minimum.
3.3 Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.
3.4 Encrypt all Experian data and information when stored electronically on any system including but not limited to laptops, tablets, personal computers, servers, databases using strong encryption such AES 256 or above.
3.5 Experian data must not be stored locally on smart tablets and smart phones such as iPads, iPhones, Android based devices, etc.
3.6 When using smart tablets or smart phones to access Experian data, ensure that such devices are protected via device pass-code.
3.7 Applications utilized to access Experian data via smart tablets or smart phones must protect data while in transmission such as SSL protection and/or use of VPN, etc.
3.8 Only open email attachments and links from trusted sources and after verifying legitimacy.
3.9 When no longer in use, ensure that hard-copy materials containing Experian data are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
3.10 When no longer in use, electronic media containing Experian data is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).
4. Maintain an Information Security Policy
4.1 Develop and follow a security plan to protect the confidentiality and integrity of personal consumer
information as required under the GLB Safeguards Rule.
4.2 Suitable to complexity and size of the organization, establish and publish information security and acceptable user policies identifying user responsibilities and addressing requirements in line with this document and applicable laws and regulations.
4.3 Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators. If you believe Experian data may have been compromised, immediately notify Lender Feed, LC within twenty-four (24) hours or per agreed contractual notification timeline (See also Section 8).
4.4 The FACTA Disposal Rules requires that Company implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.
4.5 Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security in the organization.
4.6 When using third party service providers (e.g. application service providers) to access, transmit, store or process Experian data, ensure that service provider is compliant with the Experian Independent Third Party Assessment (EI3PA) program, and registered in Experian’s list of compliant service providers. If the service provider is in the process of becoming compliant, it is Company’s responsibility to ensure the service provider is engaged with Experian and an exception is granted in writing. Approved certifications in lieu of EI3PA can be found in the Glossary section.
5. Build and Maintain a Secure Network
5.1 Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed
using industry best security practices.
5.2 Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.
5.3 Administrative access to firewalls and servers must be performed through a secure internal wired connection only.
5.4 Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic.
5.5 Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any other vendor defaults.
5.6 For wireless networks connected to or used for accessing or transmission of Experian data, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i) for authentication and transmission over wireless networks.
5.7 When using service providers (e.g. software providers) to access Lender Feed, LC systems, access to third party tools/services must require multi-factor authentication.
6. Regularly Monitor and Test Networks
6.1 Perform regular tests on information systems (port scanning, virus scanning, internal/external vulnerability
scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix
critical issues immediately, high severity in 15 days, etc.)
6.2 Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit Experian data; establish a process for linking all access to such systems and applications. Ensure that security policies and procedures are in place to review security logs on daily or weekly basis and that follow-up to exceptions is required.
6.3 Use current best practices to protect telecommunications systems and any computer system or network device(s) used to provide Services hereunder to access Lender Feed, LC systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by: protecting against intrusions; securing the computer systems and network devices; and protecting against intrusions of operating systems or software.
7. Mobile and Cloud Technology
7.1 Storing Experian data on mobile devices is prohibited. Any exceptions must be obtained from Experian in
writing; additional security requirements will apply.
7.2 Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks.
7.3 Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.
7.4 Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.
7.5 Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Experian data to be exchanged between secured and non-secured applications on the mobile device.
7.6 In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing Experian data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application.
7.7 When using cloud providers to access, transmit, store, or process Experian data ensure that:
Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations
Cloud providers must have gone through independent audits and are compliant with one or more of the following
standards, or a current equivalent as approved/recognized by Experian:
SSAE 16 – SOC 2 or SOC3
CAI / CCM assessment
Record Retention: The Federal Equal Credit Opportunity Act states that a creditor must preserve all written or recorded information connected with an application for 25 months. In keeping with the ECOA, Experian requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 25 months. When conducting an investigation, particularly following a consumer complaint that your company impermissibly accessed their credit report, Experian will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract.
“Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $3,500 per violation.”
Internet Delivery Security Requirements
In addition to the above, following requirements apply where Company and their employees or an authorized agent/s acting on behalf of the Company are provided access to Lender Feed, LC provided services via Internet (“Internet Access”).
Roles and Responsibilities
Lender Feed, LC.
310 E 4500 S, Suite 270
Murray, UT 84107