MBSA Schedule K – Security Procedures

SECURITY PROCEDURES

The Parties agree that certain Bank Services, Entries, payment orders and transactions initiated, processed or submitted in connection with Bank Services are subject to the Security Procedures. Program Manager and Bank agree to the Security Procedures set forth in this Schedule K (Security Procedures). In the event Program Manager does not agree to the Security Procedures set forth in this Schedule K (Security Procedures), Program Manager authorizes Bank, as Program Manager’s limited agent, to adopt security procedures that shall then be considered to be the Security Procedures and shall be considered and deemed adopted by Program Manager as a “security procedure” for purposes of UCC § 4A-201. Program Manager represents, warrants and agrees that the Security Procedures constitute a “security procedure” for purposes of UCC § 4A-201. Program Manager represents and warrants that: (a) it considers itself qualified to have, and has, independently evaluated the risks presented by the Security Procedures; (b) it has determined that the Security Procedures are no less protective than other security procedures in use by similarly situated companies; and (c) the Security Procedures are commercially reasonable under Applicable Law, including within the meaning of UCC § 4A-202, for the initiation, submission, processing and/or origination of Entries, transaction requests, payment orders, and any payment instructions related to the Bank Services (each a, “Covered Transaction” and collectively, “Covered Transactions”).

The Program Manager and Bank shall comply with the Security Procedures with respect to Covered Transactions it submits or will submit to Bank. The Program Manager acknowledges that the purpose of such Security Procedures is to verify authenticity and not to detect an error in the transmission or content of Covered Transactions. No Security Procedures have been agreed upon between Bank and the Program Manager for the detection of any such error. Program Manager shall bear the risk and be solely responsible for all transaction losses, including fraud losses and losses associated with any disputed, unauthorized transaction or error. If Program Manager believes or suspects that any such information or instructions have been known or accessed by unauthorized persons, Program Manager agrees to notify Bank within one (1) Business Day, followed by written confirmation. The occurrence of unauthorized access will not affect any Covered Transactions made in compliance with the Security Procedures prior to receipt of such notification and within a reasonable time period to prevent unauthorized transfers or requests. Program Manager acknowledges and agrees that the Security Procedures include Bank’s Positive Pay service, which prevents unauthorized transfers or requests through debit and credit filters.

Program Manager must ensure that no individual will be allowed to initiate or submit a request for a Covered Transaction in the absence of proper supervision and safeguards, and agrees to take reasonable steps to maintain the confidentiality of the Security Procedures and any passwords, codes, security devices and related instructions provided by Bank in connection with the Security Procedures. If Program Manager believes or suspects that any such information has been accessed by an unauthorized person, Program Manager will verbally notify Bank immediately, followed by written confirmation. The occurrence of unathorized access will not affect any Covered Transactions or any other transfers in connection with Origination Services made in good faith by Bank prior to receipt of notification and within a reasonable time period to prevent unauthorized transfers or transactions.

If a Covered Transaction (or a request for cancellation or amendment of a Covered Transaction) received by Bank purports to be transmitted or authorized by Program Manager, it will be deemed effective as Program Manager’s Covered Transaction (or initiated Entry) and Program Manager shall be obligated to pay Bank the amount of such Covered Transaction (or initiated Entry) even though the Covered Transaction (or initiated Entry) was not authorized by the Program Manager, provided Bank acted in compliance with the Security Procedures. If a Covered Transaction (or request for cancellation or amendment of a Covered Transaction) received by Bank was transmitted or authorized by Program Manager, Program Manager shall be obligated to pay the amount of the Covered Transaction, whether or not Bank complied with the Security Procedures and whether or not that Covered Transaction was erroneous in any respect or that error would have been detected if Bank had complied with such Security Procedures.

If Program Manager has been given access to and otherwise uses the Bank’s API, any Covered Transaction submitted to Bank through the API shall be considered authorized by Program Manager in accordance with this Security Procedure. Program Manager acknowledges and agrees that the submission of a Covered Transaction to Bank’s API using the application program interface of Program Manager shall constitute a commercially reasonable means to verify that authenticity of the Covered Transaction and that such Covered Transaction is that of the Program Manager’s..  No Covered Transaction will be considered delivered to Bank until the Bank’s API receives the Covered Transaction and such Covered Transaction enters the Bank’s environment. Bank may rely on any Covered Transaction submitted through the API.

 

Transmittal of Covered Transactions:

Program Manager will encrypt Files before Program Manager transmits them to Bank.

Program Manager will only transmit files on the dates specified by Bank or as set forth in the Bank Policies.

Program Manager will email Bank for every file transmission in the form or format requested by Bank or as set forth in the Bank Policies.

Should any of the above procedures not be met, the file will be rejected by Bank and Program Manager will be notified.

Computer Transmissions

 

Program Manager will transmit files to Bank and such files will be formatted in compliance with Applicable Law (including, but not limited to NACHA rules) or other pre-approved format. Transmission specifications will be established by Bank and set forth in the Bank Policies.

The Program Manager’s Authorized User will have access to Network systems by utilizing the pre-arranged logon procedures, remote ID, and file ID.

The Program Manager’s Authorized User will provide Program Manager with verification of the totals contained in the transmission by sending an electronic transmission to Bank. In the event the Program Manager’s Authorized User is unable to electronically provide the information, the Program Manager’s authorized representative will telephone Bank with the verification.

Bank will verify that the file totals agree with the Company information given by transmission. In the event of a discrepancy in the totals, Bank will call the specified Program Manager authorized representative designated by Program Manager. If an authorized representative is not available for notification, the file will not be processed until the Program Manager’s authorized representative can be contacted on the next Business Day.

Program Manager is solely responsible for the accurate creation, modification, and deletion of the account information maintained on the Program Manager’s computer(s) used for ACH money transfer. Program Manager agrees to comply with written procedures provided by Bank for the creation, maintenance, and initiation of ACH money transfers.

Program Manager is solely responsible for its employees’ access to the data files maintained on Program Manager’s computer(s).

Program Manager is responsible for operator security procedures on any personal computer licensed for use by Program Manager.