Terms and Conditions

Terms of Service

1. PREMIER PAYMENT SOLUTIONS LTD
   (Trading as MTBS®, MTBS Global®)
2. The Customer
   Any person/company whose application we approve.

Parties

1. PREMIER PAYMENT SOLUTIONS LTD (trading as MTBS and MTBS Global), incorporated and registered in England and Wales with company number 12565025 whose registered office is at 30 Churchill Place, Canary Wharf, London, E14 5RE (Supplier); and
2. Customer Information
   • incorporated and registered in England and Wales with company number
   • registered office

Introduction

a) The Customer wishes to engage the Supplier to provide the following services (tick those that apply) for the purpose of the Customer’s own business operations and the Supplier agrees to provide such services to the Customer subject to the terms and conditions of this Agreement.

• Payment Accounts & Banking Software-as-a-Service (BaaS)
• Open banking collections & Payment gateway services
• Money Remittance & PSD agency services
• Foreign exchange services
• Software White-label / API Integration Services

b) The Services may incorporate FCA- and PRA-regulated third-party services involving Regulated Services. These activities are carried out by:

1. Payment accounts issuing services – ClearBank Ltd
2. e-Money accounts issuing, foreign exchange & payments services:
   • IFX (UK) Ltd (t/a IFX Payments)
3. Open banking & payment gateway services
   • Leatherback Limited
   • Other Third-parties The Supplier may appoint from time to time.
4. Payment card issuing:
   • Other Third-parties The Supplier may appoint from time to time.

(or such other third-party or third-parties as the Supplier may nominate from time to time) and/or the Supplier’s sub-contractor(s), not the Supplier.

Agreed terms

1. Interpretation

1.1 The definitions and rules of interpretation in the above recitals and in this clause apply in this Agreement.

Agreement

this agreement and any schedule(s) to it.

Business Day

a day (other than a Saturday or Sunday) on which banks in England are open for business (other than for the sole purpose of 24-hour electronic banking).

Charges

any charges, including interest and VAT, due from the Customer to the Supplier for the provision of any Services under this Agreement.

Confidential Information

information relating to the business or affairs of a party to this Agreement which expressly or by its nature is confidential, including, without limitation, as described in clause 12.6 or 12.7.

Consumers

the customers of the Customer, i.e. Customers of the MSBs or of the Other Non-MSB Corporate Customers.

Controller

means a data controller or, with effect from 25 May 2018, a controller within the meaning of the applicable Data Protection Laws.

Customer Business Operations

the business activities of the Customer.

Customer Data

the data, including Payment Information, inputted by the Customer or its Consumers in connection with the Services.

Data Protection Laws

Means:
(a) the Data Protection Act 1998 (as amended);
(b) any other legislation superseding or replacing the Data Protection Act 2018 (as amended);
(c) Privacy and Electronic Communications (EC Directive 2002/58/EC as may be amended or updated from time to time);
(d) any legislation or regulations which implement Directive 95/46/EC and
(i) unless and until the GDPR is no longer directly applicable in the UK, the GDPR(EU 2016/679) and any national implementing laws, regulations and secondary legislation as amended or updated from time to time, in the UK and then
(ii) any successor legislation superseding or replacing the GDPR and
(iii) any privacy or data protection laws (including any statutes, regulations, by-laws, ordinances, mandatory codes of conduct or rules of common law or equity), including the EU Data Protection Laws and the UK Data Protection Laws, which applies to the relevant party.

Documentation

the documents made available by the Supplier online via MTBS (or linked-to therein) or such other web address notified by the Supplier from time to time which set out a description of the Software, technical installation and support information, or user instructions for the Services.

Effective Date

the date of the last signature to this Agreement.

Live Date

the time at which accounts may be applied for by Customer and the Customer’s Consumers and issued to them and communicated by the Third-party Services Provider(s) to the Supplier.

House Account

the account maintained by the Third-party Services Provider or at a duly authorised deposit-taking institutions for the purpose of holding Customers’ funding.

Current Account

means a sort code and account number issued by the Third-party Services Provider to the Customer in accordance with the Third-party service providers terms and conditions.

Payment Account

means a Current Account.

e-Money Account

means a Current Account.

Card Processor

the service provider which manages authorisation and settlement of transactions and Top Ups on behalf of the Third-party Services Provider.

Third-party Services

those services made available by the Supplier which will allow the Customer, and its Consumers, to operate current accounts, pre-paid debit cards and electronic wallets to provide to their customers or use the payment services provided by the Third-party Services Provider as set out in the Third-party Services Specification. The Third-party Services may include Regulated Services.

Third-party Services Provider

means the third party FCA regulated bank, electronic money institute, or payment services firm to which the Supplier sub-contracts the provision of the current accounts, pre-paid debit cards, electronic wallets and payment services from time to time.

Third-party Services Specification

the description of the features and functionality of the Third-party services as set out at Schedule 1 or in the Order Form.

Third-party Services Terms

the Bank’s, Electronic Money Institution’s or Payment Services Firm’s terms and conditions from time to time which govern the use of the Third-party Services, provided by them to the Customer.

FCA

the Financial Conduct Authority.

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC.

AML Report

any ‘know your client’ report prepared by the Supplier which details potential money laundering risks of undertaking any transaction, and any services associated with the preparation and provision of the same.

Risk Appetite Statement

a document that clearly defines the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives.

Initial Term

the time period from the Effective Date up to and including the 1st anniversary of the Effective Date.

Association

any payment card scheme operator, such as Mastercard or VISA, any Third-party Services Provider or the Supplier may nominate from time to time.

Programme Approval

approval of the card programme (if any) by the association.

Operating Permission

means (a) a permission to issue E-Money given by the Financial Services Authority and (b) membership of the Association entitling a Third-party Services provider and/or the Supplier to issue cards bearing the Association’s logos and acceptance on the Association’s network.

Order Form

any written document agreed between the parties which sets out additional terms which apply to the Supplier’s provision of any of the Services pursuant to this Agreement, which may include the date on which the parties enter into such a call-off agreement, an estimated delivery or performance date, the calculation of associated Charges / fees and any other applicable terms.

Payment Information

information provided by the Customer in relation to payment transactions, including without limitation payee account names, account numbers, sort codes, amount to be transferred, denominated currency, and payment date.

Personal Data

has the meaning given in the Data Protection Laws.

Processor

a data processor or, with effect from 25 May 2018, a processor within the meaning of the applicable Data Protection Laws.

PRA

the Prudential Regulation Authority.

Regulated Services

services which involve the issuing, holding and/or transferring of electronic money, other payment services, and banking services.

Services

the provision of the Software and/or Third-party Services and any ancillary services thereto pursuant to this Agreement.

Software / Software-as-a-Service (SaaS)

the online software as a service (SaaS) AML risk management and money remittance transaction processing and monitoring software applications made available by the Supplier from time to time.

Subscription Term

the term specified in any Order Form during which the Supplier has agreed to supply the Software and Documentation to the Customer, subject to the parties’ termination rights.

Monthly minimums

the minimum fees payable by the Customer to the Supplier as agreed in Order Form.

Negative Balances

a balance on an account that is negative, where the transaction value on the account have been authorised and cleared and exceeded the e-money credited to the account.

Support Services Policy

the support services policy of the Supplier, as published on http://routetrading.co.uk or otherwise provided to the Customer.

Card

a valid and unexpired prepaid debit card issued by a Third-party Services Provider under a Card Programme and bearing the symbols of the Association.

Card Programme

a programme of activities relating to the issue and supply of Cards to Cardholders under this Agreement.

PSD Agent

a person or business which acts on behalf of regulated payment services providers (PSP) to conduct payment services and e-money activity.

PSD Principal

regulated Payment Services Providers authorised by the FCA.

1.2 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person’s legal and personal representatives, successors or permitted assigns.

1.3 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.4 Unless the context otherwise requires, words in the singular shall include the plural and words in the plural shall include the singular.

1.5 A reference to a statute or statutory provision shall include all subordinate legislation and is a reference to such legislation as it is in force as at the date of this Agreement.

1.6 A reference to writing or written includes email.

2. Provision of the Third-party Services

2.1 The Customer and Supplier may enter into an Order Form for the provision of Third-party Services. The Supplier is not authorised to and will not provide any Regulated Services as part of the Third-party Services. The Supplier may sub-contract the provision of all or part of the Third-party Services, including any Regulated Services, to the Third-party Services Provider, which in turn may sub-contract performance of such services.

2.2 The Supplier may replace Third-party Services Providers from time to time and, where this is the case, the Supplier will provide the Customer with at least 30 days’ advanced written notice of the identity of the relevant replacement Third-party Services Provider(s) and the steps that will be taken to implement the replacement.

2.3 The Supplier shall be entitled to amend the Third-party Services Specification upon 30 days' prior written notice to the Customer and Schedule 1 shall be deemed to have been amended accordingly upon the expiry of such notice.

2.4 The Customer shall:

1. agree to and comply with the Third-party Services Terms of all relevant Third-part Services providers.
2. comply with all applicable requirements of the Third-party Services Providers and of their Sub-contractors and relevant service providers from time to time in connection with the use of the Third-party Services;
3. procure that its Consumers comply with the same obligations as are placed upon the Customer at clauses 2.4.1 and 2.4.2 above.

2.5 Subject to clause 2.1, the Supplier undertakes that the Third-party Services will be performed substantially in accordance with the Third-party Services Specifications and the relevant Order Form and with reasonable skill and care.

2.6 In the event of any incident or problem relating to any Third-party Services, the Supplier shall liaise with the relevant Third-party Services Provider and take reasonable steps to ensure that the Third-party Services Provider resolves the incident or problem as soon as reasonably practicable. This clause states the Customer’s sole and exclusive remedy in connection with any such incident or problem.

2.7 Any money deposited in a current account, pre-paid debit card or electronic wallet is held by the Third-party Services Provider. The Supplier does not hold any money belonging to the Customer at any time.

2.8 A current account, pre-paid debit card or electronic wallet is not permitted to have a negative balance. The Services do not allow for any extension of credit to the Customer.

2.9 The Customer warrants, represents and undertakes that all information provided to the Supplier and the Third-party Services Providers in connection with the opening or provision of any Service (including without limitation, any ‘know your business’ information), whether such information is provided on, prior to or after the Effective Date, is true and accurate.

2.10 The responsibility for monitoring and verifying the accuracy of Payment Information belongs solely to the Customer. The Supplier shall have no liability as a result of any transaction processed in accordance with the Payment Information provided by the Customer.

2.11 The Customer shall maintain records in accordance with good industry practice in connection with its performance of the Agreement and use of the Services, including the Third-party Services. The FCA and PRA shall be entitled to audit such records from time to time.

3. Provision of Money Remittance & PSD Agency Service

3.1 Subject to the Supplier and Customer entering into an Order Form for the supply of Money Remittance & PSD Agency Service and the Customer complying with the terms of this Agreement, the Supplier shall during the Term grant to the Customer a non-exclusive, non-transferable right, without the right to grant sub-agencies, to use the Supplier’s FCA licence for the Customer Payment Services Business Operations;

3.2 The Customer agrees to comply with the Supplier’s PSD Agent policies and procedures.

4. Provision of the Software-as-a-Service

4.1 Subject to the Supplier and Customer entering into an Order Form for the supply of the Software as a service (SaaS) platform and the Customer complying with the terms of this Agreement, the Supplier shall during the Subscription Term:

1. grant to the Customer a non-exclusive, non-transferable right, without the right to grant sub-licences, to use the Software and the Documentation for the Customer Business Operations;
2. make the Software and Documentation available to the Customer for use and where relevant download via the internet.

4.2 The Supplier undertakes that the Software shall be substantially as described in the Documentation and shall be provided in accordance with the relevant Order Form and with reasonable skill and care.

4.3 The Supplier may from time to time and without notice make modifications to or upgrade the Software and/or Documentation without limitation, provided always that such changes shall not result in any material decrease to the functionality of the Software generally.

4.4 The Supplier shall use commercially reasonable endeavours to make the Software available 24 hours a day, seven days a week, subject to any period of planned or unplanned maintenance or downtime.

4.5 The Supplier is not responsible for integrating or implementing the Software with the Customer’s systems.

4.6 The Supplier will provide the Customer with the Supplier’s standard customer support services in accordance with the Supplier’s Support Services Policy. The Supplier may amend the Support Services Policy in its sole and absolute discretion from time to time.

4.7 The Software may be used to produce AML Reports. The Supplier does not represent or warrant that any such AML Report will yield any particular results, or that it will be fit for any specific purpose. Any AML Report shall only contain information which is correct as at the date it is delivered to the Customer (or such earlier date as specified by the Supplier) and to the extent that the data inputted by the Customer is correct. The Customer relies on any such AML Report at its own risk.

4.8 In consideration for payment of the relevant Charges by the Customer, the Supplier shall grant to the Customer a worldwide, sole, royalty-free (save for the Charges), perpetual and irrevocable licence to use the Software in the processing and AML monitoring and on-boarding of money remittance and payment transactions and Consumers, respectively.

5. Authorised use of the Services

5.1 The Customer shall not:

1. except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted under this Agreement:
   1. attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Services and/or Documentation (as applicable) in any form or media or by any means; or
   2. attempt to de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Services; or
2. access all or any part of the Services and Documentation in order to build a product or service which competes with the Services and/or the Documentation;
3. use the Services and/or Documentation to provide services substantially the same as the Services to third parties, without the prior approval of the Supplier; or
4. license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services and/or Documentation available to any third party.

5.2 The Customer shall not use the Services for any purpose or in any manner that:

1. is unlawful, harmful, threatening, defamatory, obscene, malicious, infringing, harassing or offensive;
2. damages or is reasonably likely to damage the Services;
3. contravenes any applicable usage policy of the Supplier at the relevant time;
4. compromises any security measures of the Supplier or introduces onto the systems of the Supplier or transmits any malicious code;
5. causes damage or injury to any person or property; or
6. is detrimental to the reputation of the Supplier.

5.3 If the Customer breaches any of clauses 5.1 or 5.2, or the Supplier reasonably suspects that such a breach has occurred or is likely to occur, the Supplier has the right without liability or prejudice to its other rights, to immediately disable the Customer’s access to all or part of the Services and remove any content on the Services in each case as it deems necessary in its absolute discretion to address the breach or anticipated breach.

5.4 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Documentation and, in the event of any such unauthorised access or use, shall promptly notify the Supplier. The Customer shall be responsible for all uses of the Service via any access credentials issued to or on behalf of the Customer.

6. Customer Data

6.1 The Customer shall own all right, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data.

6.2 In the event of any loss or damage to Customer Data, the Customer’s sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except any third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up).

6.3 Schedule 3 shall apply in respect of the processing of any personal data pursuant to this Agreement.

6.4 The Supplier reserves the right to retain and process Customer Data in accordance with its data retention procedures from time to time and as is necessary for compliance purposes after termination or expiry of this Agreement.

6.5 The Supplier shall be entitled to monitor usage of its Services by the Customer for the purposes of performing and monitoring compliance with this Agreement, and also to generate anonymised information about usage of the Services, including benchmarking data relating to compliance activities, which the Supplier may use to improve the Services and for other business purposes. The Supplier may offer, as a service to its customers, access to anonymised benchmarking data in relation to compliance activities collected in accordance with this clause.

7. Registration

7.1 Registration for the Software must be completed by the Customer on the registration page of MTBS or by such other method as directed by the Supplier prior to the Customer being granted access to the Services. All of the information provided by the Customer during such registration shall be Customer Data.

7.2 The Customer must promptly comply with any requests made by the Supplier, or a third party on its behalf, in connection with any anti-money laundering checks that the Supplier conducts in respect of the Customer and procure that its Consumers similarly comply with any such anti-money laundering checks conducted in respect of them.

7.3 The Supplier may, in its sole and absolute discretion, refuse access to the Services because of inadequacy or incompleteness in the Customer Data provided (including, without limitation, any inadequacy of any information required pursuant to clause 7.2 above), or if the Supplier or a Third-party Service Provider determines that provision of the Services to the Customer may constitute a breach of applicable law or regulation or adversely affect the reputation of the Supplier or the Third-party Service Provider. The Customer must provide current, complete and accurate information for all required elements. If any Customer Data provided for registration or ‘know your business’ purposes change, the Customer must notify the Supplier of such change as soon as possible.

8. Third party providers

8.1 The Supplier is not responsible for any third-party goods or services (including, without limitation, any third-party hardware, software or networks) that integrate with the Services and shall have no liability or obligation whatsoever in connection with such goods or services.

8.2 The Customer acknowledges that the Services may enable or assist it to access the content of, correspond with and/or purchase products and services from third parties via third-party websites and that the Customer does so solely at its own risk. The Supplier makes no representation, warranty or commitment and shall have no liability or obligation whatsoever in relation to the content or use of, or correspondence with, any such third-party website, or any transactions completed, and any contract entered into by the Customer, with any such third party. The Supplier does not endorse or approve any third-party website nor the content of any of the third-party website made available via the Services.

9. Supplier’s obligations

9.1 The Supplier shall not be liable for any breach of this agreement (including clauses 3.5 and 4.2) to the extent that any non-conformance is caused by use of the Services contrary to the Supplier’s instructions, or modification or alteration of the Services by any person other than the Supplier or the Supplier’s duly authorised contractors or agents.

9.2 Subject to clause 9.1, if the Services do not comply with the Supplier’s undertakings at clauses 3.5 or 4.2, the Supplier will, at its expense, use reasonable commercial endeavours to correct any such non-conformance promptly, or provide the Customer with an alternative means of accomplishing the desired performance. Such correction or substitution constitutes the Customer’s sole and exclusive remedy for any breach of the undertakings set out in clauses 3.5 or 4.2.

9.3 The Supplier:

1. does not warrant, represent or undertake that the Customer’s use of the Services will be uninterrupted or error-free; or that the Services, Documentation and/or the information obtained by the Customer through the Services will meet the Customer’s requirements; and
2. is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities.

9.4 This Agreement shall not prevent the Supplier from entering into similar agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under this Agreement.

10. Customers’ obligations

10.1 The Customer shall:

1. provide the Supplier, in a timely manner, with all necessary co-operation in relation to this Agreement, including all documents, information, items and materials in any form reasonably required by the Supplier in connection with the provision of the Services. In the event of any delays in the Customer’s provision of such assistance, the Supplier may adjust any agreed timetable or delivery schedule as reasonably necessary;
2. comply with all applicable laws and regulations with respect to its activities under this Agreement;
3. ensure that the Services are used only in accordance with the terms of this Agreement;
4. save for any licenses, consents or permissions related to the performance of Regulated Services as part of any E-Money or Agency Banking Third-Party Services, obtain and maintain all necessary licences, consents, and permissions necessary for the Supplier, its contractors and agents to perform their obligations under this Agreement; and
5. be solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to the Supplier’s data centres (or those of the Supplier’s sub-contractor(s)), and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer’s network connections or telecommunications links or caused by the internet.
6. Negative balances
   The Customer shall pay to the House Account a relevant Third-party Provider immediately on written demand by the Supplier an amount equal to any negative balance on any and all of the Customer’s accounts with the Third-party Provider(s) if the process in Schedule 3 has not been successful in resolving the negative balance on their account(s).
7. Not use the accounts for any other purpose than the Customer Business Operations
8. Not deposit/load any cash into the current accounts, pre-paid card or electronic wallets other than cash generated / collected from the Customer Business Operations
9. The Customer must advise a relevant Third-party Services Provider immediately upon discovering that any Cards issued such Third-party provider have been lost or stolen.
10. In order to enable the Supplier to comply with Anti-money laundering transaction monitoring requirements of regulated Third-party Providers, the Customer is required to use the Software for processing of all remittance transactions for which the funds are deposited into the Current Accounts or E-Money Wallets provided by such Third-party providers. Under this Agreement

10.2 The Customer will only use material associated with any Card Programme provided by the Supplier, which includes promotional material, advertising and website content that have been approved by the Supplier and where applicable relevant Third-party Services Provider(s). The Customer accepts that should unapproved material be used in the public domain; the Supplier has the right to:

1. Charge a fee of £2,500.00 exclusive of VAT, in relation to the Supplier’s and/or Third-party Services Provider’s investigation of the first instance of unapproved material being found to have been used in the public domain, which the Customer will pay within 30 days after receiving the Supplier’s invoice for that amount; and
2. Charge a fee of £5,000.00, exclusive of VAT, in relation to the Supplier’s and/or Third-party Services Provider’s investigation of the second instance of unapproved material being found to have been used in the public domain, which the Customer will pay within 30 days after receiving the Supplier’s invoice for that amount.

10.3 The Customer represents and warrants that:

1. neither it nor any of its Consumers, nor any of their activities, are the subject of any national or international sanctions or investigations; and
2. none of the Customer Business Operations will be delivered in breach of any sanctions.
3. All of its shareholders/beneficial owners, directors and other persons responsible for the management of the Customer’s Business Operations are of good repute, have no criminal records or been charged with or investigated for any money laundering offences, whether proven guilty or not.

11. Charges and payment

11.1 Unless expressly agreed otherwise in any Order Form, the Charges which shall apply to each of the Services provided are set out in Order Form.

11.2 The Customer shall, on the Effective Date, provide to the Supplier valid, up-to-date and complete approved purchase order information acceptable to the Supplier and any other relevant valid, up-to-date and complete contact and billing details as necessary to facilitate invoicing of the Charges.

11.3 The Supplier shall deduct transactions fees at the time of the transaction processing or by the end of next working day for transactions processed the previous business day.

11.4 The Supplier shall invoice the Customer monthly in respect of the Charges accruing for such month, less any transaction fees already deducted.

11.5 The Customer grants permission to the Supplier to collect invoiced fees via direct debit from the Customer’s account designated for fees payments within 5 days after the date of the invoice and the Customer shall made funds available in the account in time for direct debit.

11.6 If the direct debit fails the Customer shall pay the invoice within 5 days after the date of direct debit. Alternatively, the Supplier shall retry the direct debit within the same period.

11.7 If the Supplier has not received payment within 14 days after the date of the invoice and without prejudice to any other rights and remedies of the Supplier:

1. the Supplier may, without liability to the Customer, disable the Customer’s access to all or part of the Services and the Supplier shall be under no obligation to provide any or all of the Services while the invoice(s) concerned remain unpaid; and
2. interest shall accrue on a daily basis on such overdue amounts at an annual rate equal to 5% above the Bank of England Base Rate ’ in the UK from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment.

11.8 All amounts and fees stated or referred to in this Agreement:

1. shall be payable in pounds sterling;
2. are non-cancellable and non-refundable, except for any unused amounts from amounts payable under clauses 9.1.6 ; and
3. are exclusive of value added tax, which shall be added to applicable items in the Supplier's invoice(s) at the appropriate rate.

11.9 The Supplier shall be entitled to increase the Charges upon ’0 days' prior written notice to the Customer and Order Form shall be deemed to have been amended accordingly upon the expiry of such notice.

12. Proprietary and publicity rights

12.1 The Customer acknowledges and agrees that the Supplier and/or its licensors own all intellectual property rights in the Services and the Documentation. Except as expressly stated herein, this Agreement does not grant the Customer any rights or licences to any intellectual property rights.

12.2 The Supplier confirms that it has all the rights in relation to the Services and the Documentation that are necessary to grant all the rights it purports to grant under the terms of this Agreement.

12.3 The Supplier shall be entitled to use any feedback or suggestions provided by the Customer regarding the Services and develop and commercialise its services to the Customer and third parties on the basis of such feedback and suggestions, without any liability or restriction or obligation to make any payment to the Customer.

12.4 The Customer grants the Supplier a worldwide, non-exclusive, royalty-free, perpetual and irrevocable licence to use the Customer’s name(s) and logo(s), including any registered and unregistered trademarks, in connection with the Supplier’s marketing activities.

13. Confidentiality

13.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. ’ party's Confidential Information shall not be deemed to include information that:

1. is or becomes officially known other than through any act or omission of the receiving party;
2. was in the other’ party's lawful possession before the disclosure;
3. is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or
4. is independently developed by the receiving party, which independent development can be shown by written evidence.

13.2 Subject to clauses 12.3 and 12.4, each party shall hold the other's Confidential Information in confidence and, unless required by law, not make the other's Confidential Information available to any third party or use the other's Confidential Information for any purpose other than the implementation of this Agreement.

13.3 The Supplier may disclose Confidential Information to its sub-contractors, agents and other representatives (including, without limitation, the providers of the Regulated Services) as reasonably required to provide the Services.

13.4 A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority (including, without limitation, the FCA and PRA) or by a court or other authority of competent jurisdiction, provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of such disclosure as reasonably possible and, where notice of disclosure is not prohibited and is given in accordance with this clause 12.4, it takes into account the reasonable requests of the other party in relation to the content of such disclosure.

13.5 Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party.

13.6 The Customer acknowledges that details of the Services (including the applicable Charges) constitute the Supplier's Confidential Information.

13.7 The Supplier acknowledges that the Customer Data is the Confidential Information of the Customer.

13.8 The above provisions of this clause 13 shall survive termination of this Agreement, however arising.

14. Indemnity

14.1 The Customer shall defend, indemnify and hold harmless the Supplier against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with the Customer’s use of the Services and/or Documentation, provided that:

1. the Customer is given prompt notice of any such claim;
2. the Supplier provides reasonable co-operation to the Customer in the defence and settlement of such claim, at the Customer’s expense; and
3. the Customer is given sole authority to defend or settle the claim.

14.2 The Supplier shall indemnify the Customer, its officers, directors and employees for any amounts awarded against the Customer in judgment or settlement of any claim that the Services or Documentation infringe any third-party intellectual property right which is valid and subsisting in the United Kingdom, provided that:

1. the Supplier is given prompt notice of any such claim;
2. the Customer provides reasonable co-operation to the Supplier in the defence and settlement of such claim, at the Supplier's expense; and
3. the Supplier is given sole authority to defend or settle the claim.

14.3 In the defence or settlement of any claim, the Supplier may procure the right for the Customer to continue using the Services, replace or modify the Services so that they become non-infringing or, if such remedies are not reasonably available, terminate this Agreement on written notice to the Customer without any additional liability or obligation to pay damages or other additional costs to the Customer.

14.4 In no event shall the Supplier, its employees, agents and sub-contractors be liable to the Customer under clause 13.2 or otherwise to the extent that the alleged infringement is based on:

1. a modification of the Services or Documentation by anyone other than the Supplier or a third party acting on the Supplier’s behalf; or
2. the Customer’s use of the Services or Documentation in a manner contrary to the instructions given to the Customer by the Supplier or the Documentation or in breach of this Agreement; or
3. the Customer’s use of the Services or Documentation after notice of the alleged or actual infringement from the Supplier or any appropriate authority.

14.5 Clauses 14.2 and 14.3 state the Customer’s sole and exclusive rights and remedies, and the Supplier’s (including the Supplier's employees, agents and sub-contractors) entire obligations and liability, in connection with any actual or alleged infringement of any intellectual property right.

15. Limitation of liability

15.1 Except as expressly and specifically provided in this Agreement:

• 15.1.1 the Customer assumes sole responsibility for results obtained from the use of the Services and the Documentation by the Customer, and for conclusions drawn from such use. The Supplier shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided to the Supplier by the Customer in connection with the Services, or any actions taken by the Supplier at the Customer’s direction;
• 15.1.2 all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement; and
• 15.1.3 the Services and the Documentation are provided to the Customer on an “as is" basis.

15.2 Save as may be indemnified pursuant to clause 13, the Supplier shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses, loss or corruption of data or information, pure economic loss or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement.

15.3 The Supplier's total aggregate liability arising in connection with the performance or contemplated performance of this Agreement shall be limited to the total Charges paid by the Customer and received by the Supplier in respect of the relevant Services provided.

15.4 Nothing in this Agreement excludes or limits any liability which cannot be excluded or limited under applicable law.

16. Term and termination

16.1 This Agreement shall commence on the Effective Date and, subject to clauses 16.2 to 16.4, shall continue for the Initial Term, after which this Agreement shall automatically renew on a rolling basis for periods of one year (each such period being a “Renewal Term”).

16.2 Either party may terminate this Agreement upon no less than 30 days’ written notice to the other to expire at the end of the Initial Term or any subsequent Renewal Term.

16.3 Without affecting any other right or remedy available to it, either party may terminate this Agreement with immediate effect by giving written notice to the other party if:

• 16.3.1 the other party fails to pay any amount due under this Agreement on the final due date for payment and remains in default not less than 14 days after being notified in writing to make such payment;
• 16.3.2 the other party commits a material breach of any other term of this Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so;
• 16.3.3 the other party repeatedly breaches any of the terms of this Agreement in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of this Agreement;
• 16.3.4 the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986;
• 16.3.5 the other party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
• 16.3.6 a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of that other party other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
• 16.3.7 an application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the other party;
• 16.3.8 the holder of a qualifying floating charge over the assets of that other party has become entitled to appoint or has appointed an administrative receiver;
• 16.3.9 a person becomes entitled to appoint a receiver over the assets of the other party or a receiver is appointed over the assets of the other party;
• 16.3.10 a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of the other’ party's assets and such attachment or process is not discharged within 14 days;
• 16.3.11 any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned in clause 15.3.4 to clause 15.3.10 (inclusive); or
• 16.3.12 the other party suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business.

16.4 The Supplier shall be entitled to terminate or temporarily suspend performance of this Agreement immediately upon written notice to the Customer in the event that:

• 16.4.1 the Customer is in breach of clauses 2.4, 2.9 or 9.3; or
• 16.4.2 the Supplier’s agreement with the Third-party Services Provider is terminated, or the continued performance of this Agreement would result in a breach of any applicable law or regulation.

16.5 Any Order Form entered into by the parties shall commence on the date agreed by the parties and shall expire or be terminable upon the bases set out at clauses 15.2 to 15.4 above. Any such termination of an Order Form shall not terminate any other Order Form or this Agreement as a whole, but expiry or termination of this Agreement shall automatically terminate all current Order Forms (save that the Customer shall remain liable for any Charges accrued up to the date of termination of all Order Forms).

16.6 On termination or expiry of this Agreement for any reason:

• 16.6.1 the licence granted under clause 3.1.1 shall immediately terminate and the Customer shall immediately cease all use of the Services and the Documentation;
• 16.6.2 each party shall return and make no further use of any equipment, property, Documentation and other items (and all copies of them) belonging to the other party;
• 16.6.3 the Supplier may destroy or otherwise dispose of any of the Customer Data in its possession unless the Supplier receives, no later than ten days after the effective date of the termination or expiry of this Agreement, a written request for the delivery to the Customer of the then most recent back-up of the Customer Data. The Supplier shall use reasonable commercial endeavours to deliver the back-up to the Customer within 30 days of its receipt of such a written request, provided that the Customer has at that time, paid all Charges outstanding at and resulting from termination (whether or not due at the date of termination). The Customer shall pay all reasonable expenses incurred by the Supplier in returning or disposing of Customer Data;
• 16.6.4 any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of the Agreement which existed at or before the date of termination, shall not be affected or prejudiced.
• 16.6.5 If the agreement is terminated by the Customer during the Initial Term, the Customer shall immediately pay to the Supplier the monthly minimum fees for the unexpired portion of the Initial Term.
• 16.6.6 If the agreement includes a Card Programme and it is terminated:
  • (a) by the Customer during the Initial Term or Renewal Term the Customer shall immediately pay to the Supplier a programme termination fee of £2,500 and £2.00 per activated card.
  • (b) prior to the Live Date by the Customer or by the Supplier for the Customer’s breach or by either party in the event of:
    • the application for Programme Approval being declined by the Association; or
    • the Card Processor Agreement terminates for any reason; or
    • a Regulatory Body or the Association withdraws or threatens to withdraw Programme Approval or the Operating Permission or imposes restrictions with the effect that the Third-party Services Provider of the Card programme is or will be unable to perform the Third-party Services in compliance with applicable Law or the rules of the Association,
    the Customer will be liable for the greater of:
    • The fees costs and expenses incurred by the Supplier up until the date of termination; and
    • £5,000

17. Modern Slavery Act

The Customer undertakes, warrants and represents that:

• 17.1 Neither the Supplier nor any of its officers, employees, agents or subcontractors has:
  • 17.1.1 committed an offence under and shall comply with the Modern Slavery Act 2015 (an “MSA Offence”); or
  • 17.1.2 been notified that it is subject to an investigation relating to an alleged MSA Offence or prosecution under the Modern Slavery Act 2015;
  • 17.1.3 is aware of any circumstances within its supply chain that could give rise to an investigation relating to an alleged MSA Offence or prosecution under the Modern Slavery Act 2015;
• 17.2 The Customer shall notify the Supplier immediately in writing if it becomes aware or has reason to believe that it, or any of its officers, employees, agents or subcontractors have breached or potentially breached any of the Customer’s obligations under this Clause, and such notice is to set out full details of the circumstances concerning the breach or potential breach of the Customer’s obligations;
• 17.3 Any breach of this Clause by the Customer shall be deemed a material breach of the Agreement and shall entitle the Supplier to terminate the Agreement on one month’s notice.
• 17.4 The Customer shall indemnify, defend and hold harmless the Supplier and its directors, officers and employees in full and on demand from and against any liabilities, claims, fines, demands, damages, losses or expenses (including legal and other professional advisor’s fees and disbursements), interest and penalties incurred by them howsoever arising whether wholly or in part resulting from a breach of this Modern Slavery Clause.

18. Anti-bribery

For the purposes of this Clause the expressions 'adequate procedures' and 'associated with' shall be construed in accordance with the Bribery Act 2010 and legislation or guidance published under it.

• 18.1 Each party shall comply with applicable Bribery Laws including ensuring that it has in place adequate procedures to prevent bribery and use all reasonable endeavours to ensure that:
  • 18.1.1 all of that party’s personnel;
  • 18.1.2 all others associated with that party; and
  • 18.1.3 all of that party’s subcontractors; involved in performing services for or on behalf of that party so comply.
• 18.2 Without limitation to Clause 17.1, neither party shall make or receive any bribe (as defined in the Bribery Act 2010) or other improper payment or allow any such to be made or received on its behalf, either in the United Kingdom or elsewhere, and shall implement and maintain adequate procedures to ensure that such bribes or payments are not made or received directly or indirectly on its behalf.
• 18.3 Each party shall immediately notify the other as soon as it becomes aware of a breach or possible breach of any of the requirements in this Clause 17 (Anti-bribery).

19. Miscellaneous

• 19.1 The Supplier shall have no liability to the Customer under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, provided that the Customer is notified of such an event and its expected duration.
• 19.2 No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
• 19.3 No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
• 19.4 Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
• 19.5 If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, that provision shall be modified to the minimum extent necessary to give effect to the commercial intention of the parties and the other provisions shall remain in force.
• 19.6 This Agreement, together with any Order Form and Third-party Services Terms and Risk Appetite Statements constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter. In the event of any conflict between such terms, the following order of precedence shall apply (in descending order):
  • 19.6.1 Third-party Services Terms and Risk Appetite Statements;
  • 19.6.2 the terms of this Agreement; and
  • 19.6.3 Order Form.
• 19.7 Each party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
• 19.8 The Customer shall not, without the prior written consent of the Supplier, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.
• 19.9 The Supplier may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.
• 19.10 Nothing in this Agreement is intended to or shall operate to create a partnership between the parties or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
• 19.11 This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999, save that the Third-party Services Providers may enforce the provisions of this Agreement relating to the Third-party Services. The parties may amend or terminate this Agreement without the consent of any third party.
• 19.12 Any notice required to be given under this Agreement can be given by way of email. The Customer can give notice to the Supplier by emailing finance@mtbs.co. The Supplier can give notice to the Customer by emailing any email address of the Customer provided to the Supplier as the Customer’s designated email address for correspondence.
• 19.13 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
• 19.14 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).

Schedule 1 – Third-party Services Agreements & Supplier’s Policies

The following terms and conditions and/or risk appetite statements apply:

• ☐ ClearBank Ltd - Terms and Conditions
• ☐ ClearBank Ltd – Risk Appetite statement
• ☐ IFX Payments (UK) Ltd – E-Money Accounts Terms and Conditions
• ☐ Supplier’s Agent Management policy
• ☐ Open Banking & Payment gateway terms and conditions

Schedule 2 – Third-party Services Specification

The third-party service specifications are as follows:

1. Agency Banking Services
   • a. Onboarding clients with ClearBank Ltd
   • b. Opening Agency Banking Accounts with ClearBank
   • c. Operating the payment accounts
   • d. Foreign exchange services
   • e. Operating Application Programming Interface (API) integrations
2. E-Money accounts issuing, foreign exchange & payments services
   • a. Onboarding clients with Third-party Services provider
   • b. Opening E-money accounts
   • c. Operating the e-money accounts
   • d. Foreign exchange services
   • e. Operating Application Programming Interface (API) integrations
3. Open Banking and Payment Gateway Services by nominated third-parties.
   • a. Collection of payments from customers
   • b. Settlement of collected fund to designated accounts of the Customer
   • c. Operating Application Programming Interface (API) integrations
4. Payment Card Issuing – via such third-parties the supplier may have card issuing arrangements with from time to time.
   • a. Programme design and implementation
   • b. Design and printing of prepaid cards
   • c. Distribution of cards
   • d. Processing of card transactions
   • e. Operating Application Programming Interface (API) integrations

Schedule 3 - Data Protection

Capitalized terms in this Schedule 3 not otherwise defined where they first appear shall have the meaning given to them in the Agreement or Clause 1 of this Schedule. Except as modified below, the terms of the Agreement shall remain in full force and effect.

Except where the context requires otherwise, references in this Schedule 3 to the Agreement are to the Agreement as amended by, and including, this Schedule 3.

Nothing in this Schedule 3 reduces the Customer’s obligations under the Agreement in relation to the protection of Personal Data or permits the Customer to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement.

With regard to the subject matter of this Schedule 3, in the event of inconsistencies between the provisions of this Schedule 3 and any other agreements between the Parties and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this Schedule 3, the provisions of this Schedule 3 shall prevail.

The commissioned data processing takes place as long as the Agreement is in effect and, and as is required under this Agreement, or by Law. After termination of the Agreement all Personal Data shall be returned to Customer in accordance with section 9 of this Schedule. For the avoidance of doubt, the Supplier shall not be entitled to retain any data, including back up data or documentation or any parts thereof. The Supplier shall provide confirmation that all data has been returned to Customer and/or destroyed upon request by the Customer.

In the event of any conflict or inconsistency between this Schedule 3 and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

1. Definitions
   1. In this Schedule 3, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      1. "Personal Data" means any personal data (as defined in the Data Protection Laws) Processed by a Contracted Processor on behalf of Customer or other customers pursuant to or in connection with the Agreement;
      2. "Contracted Processor" means the Supplier and/or where applicable, a Sub-processor;
      3. “Data Loss Event”: any event that results, or may result, in:
         1. unauthorised or unlawful processing access to or processing of;
         2. accidental loss or destruction of, or damage to,
         3. Personal Data provided to or held by the Supplier under this Agreement, including any Personal Data Breach
      4. "EEA" means the European Economic “Area”
      5. "GDPR" means EU General Data Protection Regulation 2016/679;
      6. “Protective Measures” means appropriate technical and organisational measures for the security of processing to protect against a Data Loss Event appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, alteration, unauthorised disclosure, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate: data minimization, pseudonymising and encrypting Personal Data; ensuring confidentiality, integrity, availability and resilience of processing systems and services; ensuring and maintaining that availability of, and access to, Personal Data can be restored in a timely manner in the event of a physical or technical incident; and possess a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing);
      7. "Restricted Transfer" means:
         1. a transfer of Personal Data from the Customer to a Contracted Processor; or
         2. an onward transfer of Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a Contracted Processor,

         in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under section 10 (below). For the avoidance of doubt:

         (a) without limitation to the generality of the foregoing, the Parties to this Schedule 3 intend that transfers of Personal Data from the UK to the EEA or from the EEA to the UK, following any exit by the UK from the European Union shall be Restricted Transfers for such time and to such extent that such transfers would be prohibited by any applicable Data Protection Laws of the UK or EU Data Protection Laws (as the case may be) in the absence of the Standard Contractual Clauses to be established under section 10 (below); and

         (b) where a transfer of Personal Data is of a type authorised by Data Protection Laws in the exporting country, for example in the case of transfers from within the European Union to a country (such as Switzerland) or scheme (such as the US Privacy Shield) which is approved by the Commission as ensuring an adequate level of protection or any transfer which falls within a permitted derogation, such transfer shall not be a Restricted Transfer;

      8. "Standard Contractual clauses" means the contractual clauses adopted by the Information Commissioner to govern any Restricted Transfer(s), as amended from time to time;
      9. "Suppressor" means any person (including any third party, but excluding an employee of the Supplier or any of its sub-contractors) appointed by or on behalf of the Supplier to Process Personal Data on behalf of the Customer in connection with the Agreement;

1. Definitions (continued)
   1. The “Commission” "Controller", “Data Protection Officer”, "Data subject", "Member” State", "Personal Data ”Breach", "Processing" “Processor“” and "Supervisory Authority" shall have the same meaning as in the GDPR take the meaning given in the GDPR to the terms (as the case may be) commission, controller, data protection officer, data subject, member state, personal data breach, processing, processor, and supervisory authority.
   2. The word "include" shall be construed to mean include without limitation.
2. Processing of Personal Data
   1. The Supplier warrants to the Customer that it shall:
      1. comply with all applicable Data Protection Laws in the course of Processing of Personal Data;
      2. not Process Personal Data other than on the Customer’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case the Supplier or the relevant Supplier Affiliate shall to the extent permitted by Applicable Laws inform the relevant Customer Group Member of that legal requirement before the relevant Processing of that Personal Data;
      3. take reasonable steps to ensure that it does not transmit in any form or by any means whatsoever the Personal Data outside its usual place of business (except in accordance with this Agreement or as agreed with the Customer in writing or for any transfer of Personal Data for offsite security back-up and in the case of disaster recovery, Personal Data being transmitted to and being stored at a designated disaster recovery site);
      4. not delete, block or amend Personal Data without express direction by the Customer. If a Customer’s customer requests the Supplier to do so, the Supplier shall communicate this request to the Customer within twenty-four (24) hours of receipt of this request;
   2. The Customer instructs the Supplier (and authorises the Supplier to instruct each Sub processor) to:
      1. Process Personal Data; and
      2. in particular, transfer Personal Data to any country in the Territory, and

      as reasonably necessary for the provision of the Services by the Supplier and the receipt and use of the Services by the Customer and consistent with the Agreement;

   3. Annex 1 to this Schedule 3 sets out certain information regarding the Contracted Processors' Processing of the Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). The Supplier may make reasonable amendments to Annex 1 by written notice to the Customer from time to time as the Supplier reasonably considers necessary to meet those requirements.
3. Supplier and Personnel
   1. The Supplier shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and/or access the relevant Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
   1. In compliance with article 28(3) of the GDPR, the Supplier shall comply with the guidelines on data protection and security in relation to the protection of the data of the Customer, including in particular the management of security, data and records, as well as electronic records and data archiving.
   2. The Supplier shall further ensure that it has in place adequate Protective Measures relating to any Personal Data under this Agreement, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the:
      • nature of the data to be protected;
      • harm that might result from a Data Loss Event;
      • state of technological development; and
      • cost of implementing any measures.

   Having regard to the cost of implementing any technical and organisational measures and to technological development, the Supplier shall implement, and where necessary, assist the Customer with implementing, measures to ensure protection of the Data Subjects rights, including but not limited to Data Access Requests, Erasure, Rectification and Data Portability. Should the Supplier receive any such request the Supplier shall within twenty-four (24) hours of the time of receipt of this request, communicate this request to the Customer and shall deal with such request in accordance with the instructions of the Customer in accordance with procedures specified by the Customer separate to this Agreement.

1. Subprocessing
   1. The Customer authorises the Supplier to appoint (and permit each Sub processor appointed in accordance with this section 5.4 to appoint) Sub processors in accordance with this section 5 and any restrictions in the Agreement.
   2. The Supplier may continue to use those Sub processors already engaged by the Supplier as at the date of this Schedule 3, subject to the Supplier in each case as soon as practicable meeting the obligations set out in section 5.4.
   3. The Supplier shall give the Customer prior written notice of the appointment of any new Sub processor, including full details of the Processing to be undertaken by the Sub processor. If, within fourteen (14) days of receipt of that notice, the Customer notifies the Supplier in writing of any objections (on reasonable grounds) to the proposed appointment the Supplier shall not appoint (nor disclose any Personal Data to) the proposed Sub processor except with the prior written consent of the Customer.
   4. With respect to each Sub processor, the Supplier shall:
      1. before the Sub processor first Processes Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Sub processor is capable of providing the level of protection for Personal Data required by the Agreement;
      2. ensure that the arrangement between on the one hand (a) the Supplier or (b) the relevant intermediate Sub processor; and on the other hand, the Sub processor, is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Schedule 3 and meet the requirements of article 28(3) of the GDPR;
      3. If that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between on the one hand (a) the Supplier or (b) the relevant intermediate Sub processor; and on the other hand, the Sub processor, or before the Sub processor first Processes Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses with the Supplier; and
      4. provide to the Customer for review such copies of the Contracted Processors' agreements with Sub processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Schedule as the Customer may request from time to time).
   5. The Supplier shall ensure that each Sub processor performs the obligations under sections 2.1, 3, 4, 6.1, 7.2, 8 and 10.1, as they apply to Processing of Personal Data carried out by that Sub processor, as if it were party to this Schedule 3 in place of the Supplier.
2. Data Subject Rights
   1. Taking into account the nature of the Processing, the Supplier shall assist the Customer by implementing appropriate technical and organisational measures, as far as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
   2. The Supplier shall:
      1. promptly notify the Customer if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and
      2. ensure that the Contracted Processor does not respond to that request except on the documented instructions of the Customer or as required by Applicable Laws to which the Contracted Processor is subject, in which case the Supplier shall to the extent permitted by Applicable Laws inform the Customer of that legal requirement before the Contracted Processor responds to the request.
3. Personal Data Breach
   1. As per Article 28 (h) of the GDPR, the Supplier shall immediately notify the Customer upon the Supplier or any Sub processor becoming aware of a Personal Data Breach affecting Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
   2. Such notification shall as a minimum:
      1. describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
      2. communicate the name and contact details of the Supplier's data protection officer or other relevant contact from whom more information may be obtained;
      3. describe the likely consequences of the Personal Data Breach; and
      4. describe the measures taken or proposed to be taken to address the Personal Data Breach.

   The Supplier shall co-operate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

1. Data Protection Impact Assessment and Prior Consultation
   1. The Supplier shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required of the Customer by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors. Furthermore, the Supplier agrees to make available to the Customer all information requested by any regulator or supervisory authority within the time limits stipulated under such a request and all information necessary to demonstrate compliance with obligations laid down in Data Protection Law, and allow for and contribute to audits, including inspections, conducted by the Customer, or another auditor mandated by the Customer.
2. Deletion or return of Personal Data
   1. Subject to sections 10.2 and 10.3, the Supplier shall promptly and in any event within twenty-eight (28) days of the date of cessation of any Services involving the Processing of Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Personal Data, including its Contracted Processor(s).
   2. Subject to section 10.3, the Customer may in its absolute discretion by written notice to the Supplier within twenty-eight (28) days of the Cessation Date require the Supplier and each Supplier Affiliate to (a) return a complete copy of all Personal Data to the Customer by secure file transfer in such format as is reasonably notified by the Customer to the Supplier; and (b) delete and procure the deletion of all other copies of Personal Data Processed by any Contracted Processor. The Supplier shall comply with any such written request within twenty-eight (28) days of the Cessation Date.
   3. Each Contracted Processor may retain Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that the Supplier shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
   4. The Supplier shall provide written certification to the Customer that it and each Contracted Processor has fully complied with this section 9 within fourteen (14) days of the Cessation Date.
3. Restricted Transfers
   1. Subject to section 10.3, the Customer (as "data exporter") and each Contracted Processor, as appropriate, (as "data importer") hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from the Customer to that Contracted Processor.
   2. The Standard Contractual Clauses shall come into effect under section 10.1 on the later of:
      • the data exporter becoming a party to them;
      • the data importer becoming a party to them; and
      • commencement of the relevant Restricted Transfer.
   3. Section 10.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
   4. The Supplier warrants and represents that, before the commencement of any Restricted Transfer to a Sub processor, the Supplier’s entry into the Standard Contractual Clauses under section 10.1, as agent for and on behalf of that Sub processor will have been duly and effectively authorised (or subsequently ratified) by that Sub processor.

1. Liability
   1. Any breach of this Schedule 3 is a material breach of the Agreement. Notwithstanding the foregoing, the Supplier indemnifies the Customer from and against any Liabilities (as hereinafter defined) incurred by the Customer arising out of or in connection with a breach by the Supplier of this Schedule 3. In this Schedule 3, "Liabilities” means any liability, cost, loss or expense (including legal costs and fees) including any amount paid for compensation for an interference or breach of the privacy or data protection rights or a Data Subject, provided that the Customer did not contribute to the incurred liability by acting negligently or wilfully.
2. General Terms

Changes in Data Protection Laws, etc.

1. The Customer may by at least 30 (thirty) calendar days written notice to the Supplier from time to time:
   • replace or make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law;
   • amend this Schedule 3 to ensure that it complies with the requirements of any Data Protection Law and/or any guidance issued by a competent supervisory authority; and
   • replace this Schedule 3 with any applicable controller-to-processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to the Agreement).
2. If the Customer gives notice for the reasons specified herein this Schedule:
   1. The Supplier and each Supplier Affiliate shall promptly co-operate (and ensure that any affected Sub processors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 5.4.3;
   2. The Customer shall not unreasonably withhold or delay agreement to any consequential variations to this Schedule 3 proposed by the Supplier to protect the Contracted Processors against additional risks associated with the variations made under section 12.1.
3. The Supplier warrants that they will implement privacy by design and will notify the Customer of any process and/or system deficiency which is likely to result in a high risk to the rights and freedoms of natural persons under this Agreement.

ANNEX 1: Details of Processing of Personal Data

This Annex 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.

1. Subject matter and duration of the Processing of Personal Data
   The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and this Schedule 3.
2. The nature and purpose of the Processing of Personal Data
   • Providing services as per our contractual obligations
   • Processing account information
   • To comply with our legal obligations for the prevention of fraud, money laundering, counter terrorist financing or misuse of services
   • Verifying identity
   • Contact regarding our service
   • Where requested by law enforcement for investigation of crime
3. The types of Personal Data to be Processed
   • First Name and Surname with title;
   • Address;
   • Date of birth;
   • Gender;
   • Email;
   • Telephone number;
   • Bank Account details;
   • Transactional Information;
   • ID Documents;
   • Proof of Address documents;
   • Other personal information such as telephone recordings; security questions, user ID; and
   • CCTV footage where Cardholders visit physical offices or branches
4. The duration of the Processing
   For the term of the Agreement and for a reasonable period thereafter as required to satisfy legal and/or regulatory requirements under Applicable Law.
5. The categories of Data Subject to whom the Personal Data relates:
   • Cardholder Data
   • Payment services users
   • Employees and owners of the Customer
6. Personal Data in the EU - A Data Subject whose personal data is being collected, held or processed.
7. The obligations and rights of Supplier and Supplier Affiliates
8. The obligations and rights of Supplier and Supplier Affiliates are set out in the Agreement and this Schedule 3.