Exhibit 10.2
AMENDMENT # 2 TO MASTER PROFESSIONAL SERVICES AGREEMENT Reference: CITI-CONTRACT-14084- 2015 Effective Date: 1st May 2017 Party: SERVICE PROVIDER CLIENT Name: Polaris Consulting & Services Limited Citigroup Technology, Inc. Address: # 34, IT Highway, Navallur, Chennai – 600 130, Tamilnadu, India 111 Wall Street, 7th Floor New York, NY 10005 Incorporation: India Delaware Name: Virtusa Corporation Address: 2000 West Park Drive Westborough MA 01581 Incorporation: Delaware Background: I. Polaris Consulting & Services limited (“Service Provider”) and Citigroup Technology, Inc. (“Client”) previously entered into a Master Professional Services Agreement dated 1st July 2015 (including any previous addendum, amendment, supplemental agreement or renewal of the same, collectively “Master Agreement”). II. Service Provider and Client shall jointly be referred to as “the Parties”. III. The Parties agree to amend the terms of the Master Agreement as set out herein. IN CONSIDERATION of the mutual covenants and undertakings contained in the Master Agreement and in this Amendment, and intending to be legally bound, Service Provider and Client agree as follows: 1. COUNTRY ADDENDA 1.1 The country-specific Schedules A to S in Appendix 3.3.1 to the Master Professional Services Agreement dated 1 July 2015 shall be deleted and replaced in their entirety with the revised Asia Pacific Country Schedules (Master Version 6.1 dated 23 March 2017), 1
attached to this Amendment. 2. NO OTHER CHANGES 2.1 Other than the amendments expressly set forth herein, all other provisions of the Master Agreement shall remain unmodified and shall continue to be valid and fully binding and enforceable as they exist as of the date hereof, IN WITNESS WHEREOF, the Parties hereto, through their duly authorized officers, have executed this Amendment as of the Effective Date designated above. Service Provider: Client: Polaris Consulting & Services Limited Citigroup Technology, Inc. By: /s/ NM. Vaidyanathan By: Brian Hagen Name: NM. Vaidyanathan Name: Director Title: Chief Financial Officer Title: Enterprise Supply Chain Asia Pacific Date: 25-04-2017 Date: 15/5/17 Virtusa Corporation By: /s/ Paul D. Tutun Name: Paul D. Tutun Title: EVP: GENERAL COUNSEL Date: 5/4/17 2
Local Country Addenda Legal and Regulatory Requirements - Asia Pacific (LCA Master Version 6.1 - Date: 23 March 2017) INDEX Schedule Country Version Effective Date Page No. A AUSTRALIA 3 12 May 2016 Revalidated 9 January 2017 3 B BANGLADESH 2 14 February 2017 6 C CHINA 6 17 January 2017 8 D HONG KONG 3 26 October 2015 12 E INDIA 5 23 March 2017 21 F INDONESIA 3 17 February 2017 26 G JAPAN 3 6 June 2014 Revalidated: 10 January 2017 30 H KOREA 3 25 February 2016 Revalidated: 17 January 2017 38 I MACAU 2 22 March 2017 41 J MALAYSIA 6 11 January 2017 42 K NEW ZEALAND 2 18 January 2017 48 L PHILIPPINES 2 30 April 2015 Revalidated: 9 January 2017 51 M SINGAPORE 6 17 October 2016 Revalidated: 23 January 2017 54 N SRI LANKA 3 15 February 2017 64 1
O TAIWAN 7 17 January 2017 67 P THAILAND 2 Revalidated: 18 January 2017 76 Q VIETNAM 6 23 March 2017 77 2
SCHEDULE A — AUSTRALIA LAW REQUIREMENTS (Version 3 — 12 May 2016; revalidated 9 January 2017) A. CONTINGENCY PLAN/CONTINUITY OF BUSINESS The Supplier must maintain a Business Continuity Plan. The Business Continuity Plan must enable the Supplier to provide the Services and comply with the terms of the Agreement, notwithstanding an event that disrupts, impairs or prevents the Supplier from otherwise providing the Services or complying with its obligations thereunder. The Business Continuity Plan must include procedures to ensure that the Supplier is able to provide the Services and otherwise comply with its obligations under the Agreement, notwithstanding that an agent, consultant or contractor of the Supplier is incapable of providing the Services to the Supplier. The Business Continuity Plan must be: (a) based upon a formal assessment of the applicable risks; (b) reviewed and updated on a regular basis and at least annually; (c) tested at least annually; and (d) subject to quality assurance review at least annually. B. APRA Where Citi is supervised by the Australian Prudential Regulation Authority (“APRA”), APRA may require information from Citi or the Supplier about the Services, the Supplier or the Agreement. Subject to applicable law or authority in the country in which it is based, the Supplier will give APRA any information relating to the Agreement as soon as possible after Citi or APRA asks the Supplier to do so. Unless prohibited by relevant law or legal authority, the Supplier will promptly inform Citi as soon as practicable after APRA asks the Supplier to provide information under this Section. The Supplier will permit APRA to conduct any on-site visit of the Supplier’s premises that is necessary to APRA’s role as prudential supervisor of Citi. If APRA notifies Citi of its intention to conduct an on-site visit of the Supplier’s premises, Citi will promptly notify the Supplier. Where APRA conducts an on-site visit of the Supplier’s premises, the Supplier must not disclose or advertise that APRA has conducted such a visit without the prior written consent of Citi. The Supplier will use its best endeavours to satisfy APRA about any questions or concerns it may raise about the Services. The Supplier agrees that the existence of, and any information relating to, any investigation, question or concern raised by APRA about the services provided by the Supplier to Citi or in relation to Citi, is Confidential Information. C. DO NOT CALL REGISTER ACT AND TELECOMMUNICATIONS ACT OBLIGATIONS Where telemarketing call services make up any part of the Services provided by the Supplier to Citi under the Agreement, the Supplier must comply with the: (i) Do Not Call Register Act 2006 (Cth); and (ii) Part 6 of the Telecommunications Act 1997 (Cth), and take all reasonable steps to ensure that its employees, agents and subcontractors comply with these Acts. Where fax marketing services make up any part of the Services provided by you to Citigroup under the Agreement, you must comply with Part 6 of the Telecommunications Act 1997 (Cth), and take all reasonable steps to ensure that your Personnel comply with that Act. D. PRIVACY The parties acknowledge and agree that: (a) Citi is subject to the Privacy Act 1988 (Cth) including the Australian Privacy Principles (“APPs”); 3
(b) the APPs require that Citi shall ensure that any recipient of Personal Information (defined below) handles such Personal Information in accordance with the APPs: (c) the Supplier must:- a. only collect use and disclose Personal Information strictly for the purpose for which that Personal Information was disclosed to it; b. unless otherwise instructed by Citi, only store Personal Information for the period necessary to fulfil that purpose and must destroy that information when it is no longer required and upon request from Citi; c. comply with any of Citi’s reasonable requests or directions in respect to the Personal Information; d. protect Personal Information it holds from misuse, interference and loss, as well as maintain/implement systems and processes to ensure the security of personal information; e. reasonably assist Citi to resolve any request for access, correction or a complaint in relation to Personal Information; f. provide individuals with the right to access and seek correction of Personal Information; g. promptly notify Citi if it is aware of any misuse, interference and loss, unauthorised access, modification or disclosure by itself or its personnel; h. only disclose Personal Information to others in compliance with these requirements after obtaining Citi’s consent and in accordance with any conditions Citi reasonably deems fit to impose; i. allow Citi or any applicable regulatory body to audit the Supplier’s compliance of these requirements and any records the Supplier holds containing the Personal Information, subject to the Supplier’s obligations of confidentiality to other parties and any other law or authority with jurisdiction over Supplier; and j. comply with any additional reasonable requirements notified to it by Citi from time to time in respect of Personal Information. (d) For the avoidance of doubt, Personal Information is a form of “Confidential Information” as defined in the Agreement; (e) For the purposes of this section D, “Personal Information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not. E. TAXES Other than as specified below, the Supplier will be responsible for all taxes of any kind in connection with the provision of Services under the Agreement. For the purposes of this clause, “Consideration”, “Creditable Acquisition”, “GST”, “Input Tax Credit”, “Recipient”, “Supply”, “Tax Invoice” and “Taxable Supply” have the same meaning as in the GST Act. 1. This clause applies if one party (the supplier) makes a Taxable Supply to another party (the Recipient) and the Consideration for that Supply (apart from any payable under this clause) is not expressed to be inclusive of GST. 2. If this clause applies, the Recipient must pay the supplier an additional amount on account of GST. 3. The additional amount payable on account of GST is, generally, equal to the Consideration for that Supply (apart from any payable under this clause) multiplied by the prevailing GST rate. 4. To the extent that the Consideration for the Supply (other than that payable under this clause) is payable as a reimbursement for an expense incurred by the supplier as a result of a Creditable Acquisition it makes, the additional amount will be calculated by: (i) first reducing the Consideration for that Creditable Acquisition by any Input Tax Credit to which the supplier is entitled on making the Creditable Acquisition; and 4
(ii) then applying the prevailing GST rate to that reduced amount. 5. The additional amount is to be paid when the Recipient pays or provides any of the Consideration for the Supply, provided always that such amount will only be payable if a Tax Invoice for the Supply is provided to the Recipient. F. LEGALLY REQUIRED DISCLOSURES Where the Supplier is required to disclose Citi’s Confidential Information under any applicable law, regulation or an order from a court, regulatory agency or other governmental authority having competent jurisdiction, and is further required to notify Citi of the order, the Supplier must promptly send a copy of the order and accompanying documentation by facsimile transmission to the General Counsel, Citigroup Pty Limited, +612 8225 5238. G. ADDITIONAL TERMINATION RIGHTS In addition to any right available to Citi under the Agreement, Citi may terminate the Work Order immediately upon the occurrence of an “Event of Default” by the Supplier. Any right of termination will not limit Citi from exercising any other rights or remedies it may have at law or in equity. For the purposes of this clause F, “Event of Default” means the occurrence of any one of the following: (i) a representation or warranty of the Supplier is false or misleading in any material respect when it was made; (ii) the Supplier: a. suspends payment of its debts generally; b. becomes insolvent within the meaning of the Corporations Act 2001; c. enters into or resolve to enter into any arrangement, composition or compromise with, or assignment for the benefit of, its creditors or any class of them; d. has a receiver, receiver and manager, controller, managing controller, administrator, official manager, trustee of provisional or official liquidator appointed over its assets and/or undertakings; or e. is the subject of an application that is filed or an order that is made or a resolution that is passed for its winding up or dissolution other than for the purposes of reconstruction or amalgamation. H. SCOPE OF SERVICES Unless expressly stated in the Work Order, the Supplier agrees that: (i) the Agreement and/or Work Order is not an exclusive arrangement between Citi and the Supplier; (ii) Citi may purchase services similar to the Services from other suppliers; and (iii) Citi does not commit to purchase any volume or dollar amount of Services. I. GOVERNING LAW AND JURISDICTION Notwithstanding any term to the contrary in the Agreement and/or Addendum, the governing law and jurisdiction clause as it applies to Work Orders entered into by Affiliates and branches of Citibank, NA located in Australia, is varied as follows: “The validity of this Agreement as it applies to the Work Order, the construction and enforcement of its terms, and the interpretation of the rights and duties of the parties to the Work Order shall be governed by the laws of New South Wales, Australia. The Parties to the Work Order submit to the non-exclusive jurisdiction of the courts of New South Wales and of the Commonwealth of Australia.” 5
SCHEDULE B — BANGLADESH LAW REQUIREMENTS (version 2 - 14 February 2017) A. GENERAL The requirements set out hereunder which are imposed by the Bangladesh Bank (the central bank of Bangladesh) and may change from time to time, including by BRPD Circular No-02 dated 19 January 2015 attached hereto as Annexure A as a reference, shall be applicable to the Services and the Deliverables under the Agreement. B. AUDIT, INSPECTION AND MONITORING Supplier agrees that the Services it performs and the Deliverables it provides are subject to examination and regulation of the Bangladesh Bank or any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them. Citi shall be entitled to access all books, records and information relevant to the activities of Supplier in relation to Citi, and conduct audits thereof. Citi shall be entitled to monitor continuously, and assess the performance of Supplier so that any necessary corrective measures can be taken immediately. Supplier shall provide all material and information in the form and format Citi may require. Supplier confirms that it has all relevant approvals from all relevant authorities and that no additional approval from anybody in any jurisdiction will be required for Citi, Bangladesh regulators or anybody engaged/ approved by Citi or the Bangladesh regulator for conducting any on-site/ off-site audit, review or control activity. C. RESTRICTION ON TYPE OF SERVICES The Services to be provided by Supplier are subject to the approval from the Bangladesh Bank. Pursuant to Section 12 of the Bank Companies Act, 1991 and BRPD Circular No-02 dated 19 January 2015, issued by the Banking Regulation and Policy Department of the Bangladesh Bank, Citi shall not remove and/or transfer any records and/or documents (including any information retained by electronic means) relating to Citi’s business to a place outside Bangladesh, without the prior permission in writing of the Bangladesh Bank. Similar approvals may be required from other applicable regulatory authorities of Citi. For example:Section 19 of The Securities and Exchange Ordinance, 1969, Section 35 (e) (f) of The Merchant Banking Rules, Section 11 of The Custody Rules 2003 restrict sharing customers’ information without approval of the Bangladesh Securities and Exchange Commission. Supplier shall not allow access to Citi’s data by any person other than those authorized by Citi. Supplier shall contact Citi to confirm such authorization by Citi. Supplier shall obtain consent from Citi for any sub-contracting or sub-outsourcing of 6
the activities to be carried out by Supplier in relation to Citi, or for making any direct contact with a customer of Citi. D. RESTRICTION ON THE REMOVAL/TRANSFER OF CITI’S RECORDS/DOCUMENTS The Supplier and its Affiliates shall not transfer and/or allow access to Citi’s records and/or documents (including any memory dump), to any other party, outside the premises of the Supplier and its Affiliates, without ensuring Citigroup standard information security measures being in place. The Supplier shall inform Citi’s Branch Information Security Officer (BISO) of such actions giving details of security measures taken. E. RESTRICTION ON THE REMITTANCE OF FEES BY CITI Due to Section 5 of the Foreign Exchange Regulation Act 1947, Citi shall not remit any fees or any other payment to Supplier. Citi shall only make such payment if there is a specific prior approval of the Bangladesh Bank. F. CONTINGENCY ARRANGEMENTS Supplier shall establish and maintain appropriate contingency plans, including a plan for disaster recovery and periodic testing of backup facilities. G. INSOLVENCY AND MATERIAL CORPORATE CHANGE The Agreement shall be terminated in the event of Supplier filing an application for being declared insolvent or is adjudged insolvent by a competent authority. Any material change in the corporate structure of Supplier must be notified to Citi. Annexure A: Guidelines on Outsourcing Arrange 7
SCHEDULE C — CHINA LAW REQUIREMENTS (Version 6 — 17 January 2017) [NOTE: According to China’s regulatory requirement on outsourcing, besides those provided in this China Law Requirements, the following provisions shall also be covered by the service contract, and please ensure they are so covered: (1) the scope and standards of the outsourcing service; (2) the arrangements for the confidentiality and safety of the outsourcing service; (3) the settlement mechanism for the outsourcing disputes; and (4) the liabilities for breach of contract. If the Master Agreement and/or the Work Order does not cover the above provisions, it should be added to this Schedule of China Law Requirements.] 1. Cooperation for Outsourcing Due Diligence Prior to the outsourcing of any Services by Citi to Supplier, the Supplier shall reasonably cooperate with Citi to fulfill all legal and regulatory requirements in respect of the Services for the purpose of Citi’s due diligence of the Supplier. 2. Audit and Inspection Right 2.1 Citi, its auditors, or its authorized regulator shall have the right to audit the Supplier to ensure compliance with the Master Agreement and/or the relevant Work Order in relation to the Services. Supplier shall cooperate with Citi’s internal and external auditors and regulators. Supplier shall keep complete and accurate records of all of its work and expenses in providing the Services to Citi for a period not less than two (2) years from the date which the record was created or such other longer period as requested by Citi in writing. 2.2 The Supplier shall require any subcontractor appointed (if applicable) to also maintain complete and accurate records of all of its work and expenses in relation to the Service subcontracted to it. Supplier shall ensure and procure that these requirements are set forth in its arrangements with any subcontractor. 2.3 The Supplier shall allow Citi, its auditors and/or its regulators to (i) to obtain records and documents of transactions and information of Citi given to, stored at or processed by Supplier, (ii) access any report and findings made on the Supplier in conjunction with the Services performed for Citi, (iii) access to the business premises of the Supplier in the exercise of its rights herein; and (iv) inspect, examine and audit the Supplier’s operations and records insofar as they are relevant to the Services. 3. Cross-border Outsourcing1 3.1 For any cross-border outsourcing, the Supplier shall be, and shall ensure its sub-contractor(s) be in one of the countries or jurisdictions set forth in the attached Appendix A, representing those countries or jurisdictions where the regulator(s) have signed a memorandum of understanding or other agreement (the “MOU”) with PRC banking regulators. No cross-border outsourcing shall take place in any country or jurisdiction not listed in the attached Appendix A without the prior written consent of Citi. 4. Controls 4.1 The Supplier shall regularly report Service related matters to Citi in accordance with Citi’s reasonable requirements. 1 This provision is only applicable when the Supplier is incorporated outside of mainland China. 8
4.2 The Supplier shall promptly notify Citi of any issue which may affect the provisions of the Services or of any problems, accidents or disruptions which may have a material impact on the Services. 4.3 Except for the Services provided in the Master Agreement and/or the relevant Work Order, the Supplier shall not conduct any other activity in the name of Citi. 4.4 The Supplier shall ensure that the software and/or hardware (if any) applied to the Service shall not infringe upon any patent, copyright, trademark, trade secret or other proprietary right of Citi and any third party. 4.5 The Supplier shall logically segregate and separate its service resources related to the Services provided to Citi from those of Supplier’s other clients or customers, and ensure that only Citi has the highest access authority to Citi’s business system and data. 5. Continuity of Business 5.1 The Supplier and Citi shall each use reasonable efforts to develop, maintain and adhere to a plan providing measures to be taken by the Supplier in the event of various contingencies, in order to ensure the Supplier’s ability to continue providing the Services. The Supplier’s established service continuity plans and its agreed targets therein shall be consistently managed by Supplier, and shall in all circumstances satisfy the requirements of business continuity of Citi. 6. Termination 6.1 Where the Supplier is found to be unable to protect Citi’s customer information or Citi’s customer rights are jeopardized due to Supplier’s failure to protect Citi’s customer information, Citi shall have the right, in addition to others rights or remedies that are available to Citi under the Master Agreement and/or the Work Order and/or applicable law, to terminate, with immediate effect upon notice, the services provided to or for the benefit of Citi in the People’s Republic of China under any Work Order or relevant agreement. 7. Transition Services 7.1 Upon the termination of the Master Agreement and/or the relevant Work Order for any reason whatsoever (including a default by either party), each party shall provide such information, cooperation and assistance to the other party, as such other party may reasonably request, to assure an orderly return or transfer to the requesting party or its designee of all proprietary data (and related records and files) materials and/or facilities (if any) of the requesting party. 7.2 If the Master Agreement and/or the relevant Work Order is terminated for any reason other than a circumstance which could expose the Supplier to ongoing damages or liability, the Supplier shall provide such assistance to Citi as Citi reasonably requests to transition to another service provider of Citi’s choice, subject to Citi’s agreement to pay the Supplier’s reasonable costs and expense for such transition assistance. 8. Assignment and Subcontracting 8.1 The Supplier is prohibited from (i) completely transferring/assigning or outsourcing all of the Services to a third party and /or, (ii) sub-contracting any key part of the Services to a third party. Additionally, the Supplier shall ensure that its sub-contractor(s) does not further transfer/assign the sub-outsourced business to any third party. 9
8.2 If the Services are sub-outsourced, the Supplier shall monitor the subcontractor and shall, in accordance with the provisions of the Master Agreement and/or the relevant Work Order, obtain prior approval from or provide notice to Citi regarding the changes of subcontractor (if any). 8.3 All provisions of the Master Agreement and/or the relevant Work Order shall be binding upon and shall inure for the benefit of the Supplier and Citi and their legal successors and permitted assigns. 9. Protection of Personal Information 9.1 Personal information relating to Citi’s customer shall include personal financial information, which means the personal information obtained, processed or stored by Citi through business operation or through access to credit report systems, payment system and other systems, including the following: (1) Personal identification information, including name, gender, nationality, form of ID, ID number, expiration date of ID, occupation, contact, marriage status, family information, residential address, work address, photo, etc. (2) Personal property information, including income, real estate ownership, vehicle ownership, tax amount, housing fund payment, etc. (3) Personal account information, including account number, account opening time, account opening bank, account balance, account transaction information, etc. (4) Personal credit information, including credit card repayment information, loan repayment information and other information formed in personal economic activities which can reflect such person’s credit condition. (5) Personal financial transaction information, including personal information obtained, preserved or stored by Citi in its payment and settlement, wealth management, security box businesses and the personal information disclosed when Citi’s customer does business with insurance company, security company, fund company and other third party institution through Citi. (6) Derivative information, including personal consumption habit, investment willingness, and other information derived from processing and analyzing the original information which can reveal a person’s particular features. (7) Other personal information obtained or stored through establishment of business relationship with a person. (hereinafter called “Personal Information”) 9.2 The Supplier agrees to take effective measure to protect the Personal Information obtained through the provision of the Service, ensure information security, confidentiality and avoid unauthorized disclosure or misuse during the collection, transmission, processing, storage and usage of such Personal Information. 9.3 The Supplier agrees not to send Personal Information (which was obtained in China) outside of China, and ensure the storage, processing and analysis of Personal Information is conducted within China. 10
9.4 Upon the termination of the Master Agreement and/or the relevant Work Order, the Supplier shall destroy or return to Citi, subject to Citi’s instruction, all personal financial information of Citi’s customer obtained through providing the Services to Citi. 10. Governing Law and Jurisdiction Where both Citi and Supplier are entities incorporated in China, the governing law shall be the PRC law, and all claims or disputes arising out of or in connection with Master Agreement and/or the relevant Work Order shall be submitted to the PRC court where Citi is located. Appendix A — Memorandum of Understanding List (As of June 2016) MOU List as of June 30 2016.xlsx 11
SCHEDULE D — HONG KONG LAW REQUIREMENTS (Version 3 — 26 October 2015) [Note: it is assumed that Services provided by the Supplier under the Agreement do not involve its provision / marketing of banking services / product to customers, sale / transfer of personal data or deployment of any online tracking (i.e., collection by website operators / owners of information regarding users’ online interaction with the websites). If the Services involve any of the above, please contact Hong Kong legal counsel as additional provisions (such as PDPO and the related Info Leaflet “Online Behavioural Tracking”) would need to be incorporated into the Agreement.] Where Services and/or Deliverables are provided by Supplier or its Affiliates (collectively, “Supplier”) to or for the benefit of Citi and/or its Affiliates in Hong Kong, this Schedule E shall be added to and deemed to be expressly incorporated into the Agreement (and any work order or purchase order (as applicable, “Work Order”) executed by Citi and/or its Affiliates for work to be performed in Hong Kong): 1. Provision of Services and/or Deliverables. (a) During the term of the Agreement, each Party shall designate their respective representatives who will be the key contacts for coordinating management meetings/visits and addressing issues relating to the Services and/or Deliverables and such other arrangements or transactions as contemplated under the Agreement. (b) Supplier agrees to participate in and report to Citi on performance reviews to be conducted on a regular basis as reasonably required by Citi. (c) Supplier shall render Services and/or furnish Deliverables with due care according to its security and operation control process, which are designed to ensure accuracy and timeliness on all its service delivery. (d) Supplier shall ensure that any records and reports (including but not limited to the invoices) in whatever form prepared by Supplier in accordance with the Agreement and any of Citi’s Confidential Information shall be subject to Citi’s document retention policy (a copy of which shall be provided by Citi to Supplier). Such records, reports and information shall be made available for Citi’s inspection at any time provided that sufficient prior written notice shall be given to Supplier. (e) The Agreement shall be reviewed and revised as needed by the parties on an annual basis. However, if the Agreement is not reviewed and/or revised in a year, the then current Agreement shall continue to apply. 2. Fees and Expenses. The fees charged by the Supplier to Citi in respect of the provision of the Services and/or Deliverables shall be reviewed and agreed by Supplier and Citi on an annual basis. However, if such fees are not revised in a year, then the previously agreed fees shall continue to apply. 3. Confidential Information. (a) Without prejudice to the confidentiality provisions under the Agreement, the Receiving Party may also disclose the Disclosing Party’s Confidential Information to any relevant Affiliate which is bound to comply with the obligations of confidentiality at least as stringent as those set forth in the Agreement. 12
(b) If the Receiving Party shall be under a legal, regulatory, administrative or judicial obligation to disclose any Confidential Information, such party shall, where it is practical and legally able to do so, give the Disclosing Party prompt notice thereof. (c) Supplier shall ensure that Citi’s Confidential Information shall be segregated or compartmentalized from Supplier’s own or its other customers’ Personal Information. (d) The Receiving Party acknowledges and agrees that the unauthorized disclosure or use of any Confidential Information of the Disclosing Party may cause irreparable damage to such other party which could not be adequately compensated by monetary damages. The Receiving Party, to the extent possible, therefore authorizes the Disclosing Party to seek any temporary or permanent injunctive relief necessary to prevent such disclosure or use, or threat of disclosure or use, without proof of actual damages. The provisions of this subsection shall survive the termination of the Agreement. (e) To the extent that Supplier receives, obtains or generates Citi’s Confidential Information as a result of the performance of its obligations under this Agreement, and notwithstanding anything to the contrary contained in this Agreement, Supplier agrees that it will, and will ensure that each of its Personnel will, comply with the following requirements: (i) not disclose, transfer or use any of Citi’s Confidential Information except to the extent necessary to carry out its obligations under or permitted by this Agreement and for no other purpose; (ii) not disclose or transfer any of Citi’s Confidential Information to any third party, including, without limitation, its third party service providers without the prior written consent of Citi and subject to the further requirements of this section and (to the extent Citi’s Confidential Information constitutes Personal Data (as defined below)) Section 4; (iii) host and use Citi’s Confidential Information only in Hong Kong and not export or transmit Citi’s Confidential Information to any other jurisdiction without the prior written consent of Citi; (iv) employ appropriate administrative, technical and physical safeguards to prevent unauthorized or accidental access, disclosure, transfer, processing, erasure, loss or use of Citi’s Confidential Information received by it. (v) comply with all the obligations of confidentiality at least as stringent as those applicable to Supplier and all applicable rules and regulations concerning confidentiality to ensure that Citi’s Confidential Information is protected against unauthorized or accidental access, disclosure, transfer, processing, erasure, loss or use; (vi) promptly provide such information regarding its privacy and information security systems, policies and procedures as Citi may request from time to time; and (vii) not keep any of Citi’s Confidential Information for longer than is necessary for processing of such data. Upon the request by Citi or the cessation of the provision of certain Services and/or Deliverables to Citi, or at any time after any of such information has been processed by Supplier, Supplier will, at Citi’s option, as soon as reasonably practicable return or securely destroy any such Information in its possession or under its control. Supplier will certify in writing that it has fully complied with its obligations under this subsection (and that no copies of such information have been retained) within seven (7) calendar days following the date it receives a request from Citi for such a certification. 13
The Supplier warrants that its Personnel have been properly trained in respect of the handling of Citi’s Confidential Information such that they will comply with the relevant requirements under the Agreement. If Supplier engages any third party, whether within or outside Hong Kong, to process personal data on behalf of Supplier, Supplier shall adopt contractual or other means (i) to prevent any personal data transferred to such third party from being kept longer than is necessary for processing of the data; and (ii) to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to such third party for processing. (f) At all times during the duration of this Agreement, Supplier will have in place, and will regularly and thoroughly test, security arrangements which are sufficient to: (i) protect the integrity and security of any of Citi’s Confidential Information which has been disclosed to, processed by, generated by or otherwise handled by Supplier or any of its Personnel in the course of the performance of Supplier’s obligations under this Agreement and any other agreement; and (ii) ensure that any of Citi’s Confidential Information is not lost, destroyed, accessed, transferred, , processed, used or disclosed without appropriate authorization or by accident while it is in the possession or under the control of Supplier or any of its Personnel. On request from Citi, Supplier will use all commercially reasonable efforts to demonstrate to Citi its compliance with this subsection, and will ensure that each of its relevant Personnel does so. (g) Supplier will, as part of the Services and/or Deliverables provided, conduct an audit reviewable by Citi of the security arrangements in place in the format and frequency set forth in the applicable Work Order, to ensure that the security arrangements comply with the relevant policies in place to safeguard Citi’s Confidential Information. (h) If Supplier becomes aware that the security of any of Citi’s Confidential Information has been (or may be) compromised, then it will immediately: (i) inform Citi; (ii) take whatever action is necessary to minimize the impact of the security breach, correct the causes of the breach to the fullest extent possible and advise Citi of the status of its remedial actions; and (iii) promptly investigate the underlying causes of the breach and prepare and deliver to Citi a written report which details the causes, and sets out the measures Supplier proposes to implement to prevent reoccurrence of the breach. (i) If Supplier is required under any relevant laws or regulations to supply any of Citi’s Confidential Information to any government authority outside Hong Kong for examination, Supplier shall inform Citi of such examination and shall seek written consent from Citi before releasing / disclosing such data and information to such governmental authority, as the case may be. Citi shall not unreasonably withhold or delay to provide to Supplier such written consent if it is required, subject to obtaining the necessary consent from the Hong Kong Monetary Authority (“HKMA”) or other relevant government authorities, if applicable. (j) Notwithstanding anything herein to the contrary, this Section 3 shall survive termination of this Agreement. 14
4. Personal Data (a) In this Section 4: (i) “Personal Data” means any data (1) relating directly or indirectly to a living individual, (2) from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and (3) in a form in which access to or processing of the data is practicable; for present purposes Personal Data includes names, addresses, emails, dates of birth, telephone numbers. (ii) “Data Subject” means an individual who is the subject of any part of the Transfer Data, and for present purposes Data Subjects include Citi’s past and present customers whose personal data is transferred to Supplier (for the avoidance of doubt, “past customers” refer to customers who cease their banking relationship with Citi after personal data is transferred to Supplier); (iii) “Transfer Purposes” means purposes for which Personal Data is transferred by Citi and/or its Affiliates in Hong Kong to Supplier, and includes enabling Supplier to provide the Services and perform the Work Order; and (iv) “Transfer Data” means any Personal Data relating to Citi’s customers transferred or to be transferred by Citi and/or its Affiliate(s) in Hong Kong to Supplier in connection with the Agreement or any Work Order. (b) Supplier acknowledges that Citi is subject to the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (“PDPO”) including without limitation the Data Protection Principles (“DPP”) therein. Supplier agrees that it shall, and shall ensure that each of its Personnel shall, comply with the PDPO and other requirements imposed by the Privacy Commissioner of Personal Data from time to time. (c) For the avoidance doubt, Personal Data may be Confidential Information and vice versa, depending on the nature of the information in question. In the event that certain information constitutes both Personal Data and Confidential Information, both Sections 3 and 4 shall apply. (d) Supplier shall not collect any Personal Data for and on behalf of Citi unless Citi has approved in writing the collection and specified a Personal Data collection form and Personal Data collection statement to be used for such collection. If Citi has given its aforesaid approval, Personal Data collected by the Supplier on behalf of Citi shall be regarded as part of the Transfer Data for the purposes of this Schedule, and the collection and use of such Personal Data shall be conducted by Supplier strictly in accordance with the Personal Data collection statement and other directions given by Citi from time to time. (e) Supplier shall not transfer or provide any Transfer Data to any party without Citi’s prior written consent. (f) If Supplier engages any third party, whether within or outside Hong Kong, to process the Transfer Data on behalf of Supplier (and Citi’s prior written consent has been obtained), Supplier shall adopt contractual or other means (i) to prevent any Transfer Data transferred to such third party from being kept longer than is necessary for processing of the data; and (ii) to prevent unauthorized or accidental access, processing, erasure, loss or use of the Transfer Data transferred to such third party for processing. (g) Supplier represents, warrants and undertakes the following:- (i) Supplier shall process or use the Transfer Data for the Transfer Purposes to the exclusion of any other purpose. Where the Transfer Data is to be used for a new 15
purpose, Supplier shall, with Citi’s permission, obtain the prescribed consent of the Data Subject under the PDPO; (ii) Supplier shall hold the Transfer Data securely in accordance with the requirements of DPP4 of the PDPO. Supplier shall have in place appropriate technical and organizational measures and standards to protect the Transfer Data against unauthorized or accidental access, processing, erasure, loss or use, including without limitation:- (A) having robust policies and procedures in place and providing adequate training for its staff; and (B) adopting physical and computer security measures; (iii) Supplier shall not retain the Transfer Data longer than is necessary for the fulfillment of the Transfer Purposes (including any directly related purpose(s)). (iv) Supplier shall use the Transfer Data exclusively for the Transfer Purposes and shall not transfer or disclose, either free of charge or in return for any benefits, the Transfer Data to any third party, except when it is compelled to do so under the applicable laws. (v) Supplier shall immediately rectify, erase or return the Transfer Data on receiving instructions to this effect from Citi. Supplier undertakes in particular to rectify, erase or return all or part of the Transfer Data or other Personal Data if it appears that such measures are required by the requirements of the PDPO. (vi) Supplier has and shall at all times have in place accessible documents which clearly specify its policies and practices in relation to Personal Data. (vii) Supplier shall ensure that Data Subjects have rights of access to and correction of their Personal Data in the same way as they would have had under the PDPO. (viii) Supplier shall not disclose, transfer or allow access to the Transfer Data to a third party data user or data processor (“Sub-transferee”) located outside Hong Kong unless it has obtained the prior written consent from Citi and: (A) the sub-transfer is made to a place that has in force any law which is substantially similar to, or serves the same purposes as the PDPO; (B) such Sub-transferee becomes a signatory to this agreement or another written data transfer agreement which imposes the same obligations on it as are imposed on Supplier under this Section 4; or (C) adopted all reasonable non-contractual measures and auditing mechanisms to the reasonable satisfaction of Citi to monitor the Sub-transferee’s compliance with the obligations under this Section 4 as if they are applicable to that Sub-transferee. (h) Upon Citi’s request, Supplier shall submit its data processing facilities, policies and procedures, data files, documentation and any other relevant information for reviewing, auditing and/or certifying by Citi or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by Citi, to ascertain compliance with its warranties and undertakings in this Schedule. (i) Without prejudice to the confidentiality provisions of the Agreement and Section 3 hereunder, Supplier acknowledges and agrees that Citigroup may maintain computer systems in data centers and in various countries throughout the world and that Citigroup and its Personnel 16
may collect, store, process, disseminate or use the Personal Information in manner that causes it to be transferred or accessed from computer systems owned or operated by or on behalf of Citigroup or its Personnel throughout its global computer network provided that the PDPO (if applicable) is complied with. (j) Supplier has no reason to believe that there are currently in force any local laws that would have adverse effect on its warranties or undertakings above, and Supplier shall notify Citi if it becomes aware of any such laws. (k) Supplier has the legal capacity and the authority to give the warranties and undertakings in this Section 4. (I) Supplier shall promptly inform Citi of its inability to fulfill any of its obligations in this Section 4. (m) Supplier shall promptly notify Citi about any abnormalities or any loss, accidental or unauthorized access or processing, erasure or other use of the Transfer Data. (n) Supplier shall deal with promptly and properly all reasonable enquiries from Citi relating to the fulfillment of its obligations hereunder and Supplier shall abide by the reasonable instructions and advice (if any) of Citi or any supervisory authority in this regard. (o) Supplier shall ensure its staff who handles the Transfer Data will carry out the security measures and obligations specified in this Section 4. (p) Supplier shall notify Citi about Supplier’s contact person in relation to the handling of the Transfer Data, and shall cooperate with Citi, Data Subjects and relevant authorities concerning all enquiries within reasonable time. 5. Compliance with Applicable Laws. (a) Supplier agrees to cooperate with Citi’s internal and external auditors and the relevant regulatory authorities including, but without limitation, the HKMA, the Hong Kong Securities and Futures Commission, and the Hong Kong Privacy Commissioner for Personal Data for their (or any person appointed by them) review, supervision, audit, or inspection of materials or the status of operation by Supplier in connection with the Services and/or Deliverables provided by Supplier pursuant to the Agreement. Supplier shall notify Citi of any overseas regulatory authorities which seek access to any of Citi’s Confidential Information. (b) Supplier shall report to Citi if there is any material change in the Services and/or Deliverables or any material problems, incidents, accidents or disruption which has/have a material impact on the Services and/or Deliverables. 6. Inspection and Right to Audit. (a) Supplier agrees that the Services it performs and/or the Deliverables it furnishes for a branch of U.S. bank in The Hong Kong Special Administrative Region of the People’s Republic of China (“Hong Kong”) are subject to examination of the HKMA and the Office of the Comptroller of the Currency (“OCC”). Supplier shall, upon reasonable notice, allow Citi, its management, its auditors and/or its regulators, the opportunity of obtaining, inspecting, examining and auditing Supplier’s operations, contingency plans and the business records (including but not limited to copies of the independent audit and financial review report) which are relevant to the Services and/or Deliverables provided hereunder by Supplier including but not limited to Supplier’s critical processes to confirm that Supplier’s processes meet or exceed industry standards in such area of contingency 17
planning, continuity of business plans, software engineering and test processes, change control procedures, critical staff succession planning and compliance with applicable laws and regulations. Supplier shall cooperate fully with Citi’s internal or external auditors to ensure a prompt and accurate audit. If Citi provides recommendations for enhancing Supplier’s critical processes, Supplier shall use its best effort to implement the recommended and/or corrective measures and/or correct any practices which are found to be deficient as a result of any such audit within a reasonable time after receipt of Citi’s audit. Supplier shall notify Citi, within reasonable time, any changes to any of the aforesaid plans. (b) If an audit leads Citi to conclude that Supplier has breached the provisions of this Agreement or that any of Supplier’s business or professional practices related to its performance of Services and/or its furnishing of Deliverables presents a risk of unauthorized disclosure of Citi’s Confidential Information, Supplier and Citi shall use their best efforts to reach a mutually satisfactory resolution. Supplier shall also use its best efforts to correct any practices which are found to be deficient as a result of any such audit within a reasonable time after receipt of Citi’s audit report. (c) Citi shall be entitled to enter all or any of Supplier’s premises from time to time to inspect and examine Supplier’s operations and to check that Supplier is complying with its obligations under this Agreement. Citi shall endeavour to give reasonable notice of its exercise of its rights hereunder but in circumstances where Citi is of the view that it would prejudice Citi’s interests to give such notice, no prior notice shall be required to be given by Citi. Citi’s rights under this Section may be exercisable by Citi from time to time without Supplier’s consent and Citi is empowered to take all necessary or reasonable steps in order to exercise its rights under this Section fully. (d) Supplier will submit a yearly financial report audited by a certified accountant to Citi for the assessment of Supplier’s financial health in supporting the Services and/or Deliverables. (e) Under no circumstances shall Supplier have any lien over any or all of the properties that are proprietary to Citi herein stipulated; Supplier shall at all times hold the documents available for Citi to use, take, or move at Citi’s sole discretion. 7. Continuity of Business. (a) If any of the disaster or disruption events occurs, shall have occurred, happened or come into effect; namely the circumstances are beyond the reasonable control of the Supplier, which affects the provision or receipt of the whole or any of the Services and/or Deliverables, the Supplier must: (i) immediately notify and consult Citi; and (ii) provide recovery services and otherwise do everything reasonably necessary to reestablish the provision of the Services and/or the Deliverables. (b) If a party receives advance warning or notice of the possibility of the occurrence of any disaster or disruption, that party shall notify the other party and the parties shall use their best endeavours to make such alternative or emergency arrangements as may be necessary or desirable in order to ensure that the Services and/or the Deliverables are continuously provided in accordance with this Agreement. 18
8. Subcontracting (a) Supplier may not subcontract the performance of any of its obligations in the Agreement without the prior written consent of Citi. To the extent that Supplier subcontracts to third parties any of its obligations set forth in the Agreement with the consent of Citi, Supplier shall remain fully responsible for such obligations and for all acts or omissions of its subcontractors or agents. Nothing in the Agreement shall be construed to create any contractual relationship between Citi and the subcontractors or agents aforementioned, except as may be otherwise required by law. (b) For purposes of this Section 9, the use by Supplier of individual independent contractors who are designated or assigned to perform the Services and/or to furnish the Deliverables under the direct management and supervision of Supplier and subject to Citi’s policies and standards of confidentiality undertaking shall not constitute an assignment, transfer or subcontracting, and shall not require Citi’s prior approval. 9. Amendment. Notwithstanding any terms under the Agreement to the contrary, to the extent that any term in the Agreement is in conflict with any applicable Hong Kong laws and regulations, the HKMA’s Outsourcing Guidelines or Citi’s Outsourcing Policy, Citi shall notify Supplier with a suggested amendment to the Agreement to the extent necessary to comply with such laws and regulations, Guidelines and Policy, and Supplier shall have the option either to accept such amendments (which shall become effective upon notification) or to terminate the Agreement by giving 30 days’ notice in writing to Citi. 10. Termination. Citi shall have the right to terminate any Work Order (which has been or shall be entered into with any relevant Citi entity in Hong Kong) or the services provided to or for the benefit of any relevant Citi entity in Hong Kong (or the provision of any part of the relevant Services and/or Deliverables to Hong Kong) under any Work Order or relevant agreement with immediate effect and without penalty by giving three (3) days prior written notice to the other party in the event that the HKMA or any other competent authority requires Citi to do so, or to make alternative arrangements in relation thereto (it being agreed that a certificate from the relevant party that this has occurred shall be conclusive of that fact). The right of termination in this paragraph is in addition and independent to those in the Agreement. 11. Governing law. This Schedule shall be governed by, and construed in accordance with, the laws of Hong Kong, and the parties hereby agree to submit to the non-exclusive jurisdiction of the Hong Kong courts. 12. Privacy disputes Without prejudice to Section 12, in the event of a dispute or claims brought by a Data Subject or the privacy enforcement authority concerning the processing of the Transfer Data against any or all parties hereto, the parties shall inform each other about any such disputes or claims, and shall cooperate with a view to settling them amicably in a timely fashion. 13. Third party rights 19
Nothing in this Schedule, whether expressed or implied, is intended to, or will, confer on any person any benefit or any right to enforce any term which such person would not have but for the Contracts (Rights of Third Parties) Ordinance (Cap. 623 of the Laws of Hong Kong). 20
SCHEDULE E — INDIA LAW REQUIREMENTS (Version 5 — 23 March 2017) 1. SUPPLIER REPRESENTATIONS Supplier represents, warrants and covenants to Citi that: the Services shall be executed, and provided to Citi, taking due and proper note of Citi’s requirements; Supplier shall employ same standards of care for the Services as that is expected of Citi; Supplier complies with all applicable law (including but not limited to all information technology and data privacy laws in India), has, and shall at all relevant times, have the requisite and valid licenses and permissions from all regulatory and statutory authorities, for provision of the Services; there is no litigation or proceeding or dispute pending or threatened against it or any of its Affiliate which may affect its ability to provide the Services in accordance with the terms of the Agreement and/or have an adverse impact on the Services or the quality and integrity thereof, in any manner; it shall promptly inform Citi of any event or situation which may effect its ability to provide Services effectively, including but not limited to situations of financial distress faced by the Supplier or events resulting in material change in strategic goals or significant changes in Supplier Personnel. 2. STANDARD OF SERVICES Supplier represents, warrants and covenants that: (i) apart from Citi, the Supplier renders similar services to various Corporates and as part of normal course of business activity of the Supplier, the Supplier deploys/rotates its employees/personnel/representatives amongst various Corporates. Accordingly, at all points of times, it will be the obligation of Supplier to ensure that the presence of its employees/personnel/representatives in Citi and/or its affiliates/subsidiaries/Citi group entity shall not exceed 238 days in a calendar year (unless otherwise agreed to in writing by Citi, and which could enhance the period to a maximum of three calendar years); (ii) the Services the Deliverables, and any information or materials provided to Citi in connection with this Agreement will be provided, in a timely and professional manner, by qualified and skilled individuals with appropriate expertise, and in conformity with standards generally accepted in Supplier’s industry and the financial services industry, and (iii) the Services will conform to the Services description set forth in this Agreement, including any applicable Work Orders. If Supplier fails to provide the Services as warranted and Citi so notifies Supplier within thirty (30) Business Days following the date Supplier declares the Services to have been completed, then Supplier will re-perform the Services at no additional charge. In the event, the Services are received by a customer of Citi, the Supplier agrees to forward to Citi any service complaint it receives from the customers of Citi in a prompt and timely manner. The Supplier also warrants to remedy the complaints it receives from the customers as a part of its Services rendered to Citi hereunder. If Supplier is unable or unwilling to re-perform the Services as warranted, then Citi shall be entitled to address such customer complaints (directly or through other supplier) and recover the fees paid to Supplier for the deficient Services or the amount paid to other supplier whichever is higher. 21
3. INDEPENDENT SERVICE PROVIDER Supplier shall provide the Services as an independent service provider on a non-exclusive basis. Service Provider shall not use subcontractors for all or part of the Service without prior consent of Citi, such consent shall be provided by Citi only after review of such subcontracting agreements. Nothing contained in the Agreement or otherwise shall be deemed to create any partnership, joint venture, employment, or relationship of principal and agent, or master and servant between the Parties hereto or any of their respective employees, affiliates, subsidiaries, related business entities, agents, contractors or subcontractors or to provide either Party with any right, power or authority, whether express or implied, to create any duty or obligation on behalf of the other Party. Supplier acknowledges that the Services provided are solely within its control, and confirms that neither Supplier nor any Supplier Personnel, including contractors or subcontractors of Supplier (if any), will hold out as anything but that (i) Supplier is an independent and nonexclusive service provider to Citi, and (ii) that the employees of Supplier are employees solely of Supplier and that other representatives, agents, contractors or subcontractors of Supplier are those of Supplier. Supplier shall cooperate with, and extend support to, the foregoing position, in the event of any finding related to an employment, partnership or joint venture relationship between Supplier or any of its employees, representatives, agents, contractors or subcontractors on the one hand and Citi on the other hand. Supplier asserts that upon employing/engaging with any persons, Supplier shall, at that time, clearly communicate to such persons that Supplier is the sole employer of such persons. Supplier declares and agrees (i) that it has the inalienable and exclusive right, and at all times retains that right, to exercise full control of and supervision over the performance of Supplier’s obligations hereunder and full control over the employment, direction, compensation and discharge of all its employees and other Supplier Personnel; (ii) that it will be solely responsible for all matters relating to payment of salaries and wages of all its employees and other Supplier Personnel, and for due and proper compliance with compensation and benefits requirements for all its employees and other Supplier Personnel under applicable laws, insurance, fidelity insurance and such other insurance, social security withholding, and all other laws, rules and regulations governing such matters and for the redressal of grievances of its employees and other Supplier Personnel; (iii) that it shall be responsible for its own acts and those of it employees and other Supplier Persons including contractors (if any) and subcontractors (if any) during the performance of Supplier’s obligations to Citi under this Agreement. Supplier and Supplier Personnel are not entitled to unemployment insurance benefits from Citi as a result of the Services or this Agreement. Supplier and Citi agree that the Agreement shall not be construed as an agreement for establishing a joint venture or partnership between Citi and Supplier. Supplier further warrants that it will not do or purport to do any act, deed, thing or matter which will prejudice the interests of Citi, in any manner whatsoever. 4. CONTINUITY OF BUSINESS The Supplier agrees and confirms that it has in place a robust contingency and business 22
resumption plan, including adequate resources, systems and all other infrastructure requirements, in place, to ensure that Services would not be adversely affected in any manner on account of any factors including but not limited to systems break-downs and/or natural and/or man-made disasters, which may cause disruption in the normal functioning of the Supplier. Additionally, the Supplier shall conduct periodic testing to check the effectiveness, satisfactory state and readiness of the aforesaid continuity of business plan. The Supplier shall, if so requested by Citi, permit Citi to conduct joint testing of the aforesaid continuity of business plan along with the Supplier. 5. POST-TERMINATION OBLIGATIONS Commencing upon notice by either Party of expiration or termination of this Agreement and continuing through the effective date of expiration or termination, the Supplier confirms that the Supplier shall not deny Citi reasonable termination assistance as requested by Citi to allow the use of Services without interruption or adverse effect and to facilitate the orderly transfer of the subject matter of the Agreement as desired by Citi. If requested by Citi in this regard, the Supplier undertakes that the Supplier will also reasonably co-operate with a third party service provider in connection with the preparation and implementation of a transition plan by such third party and/or Citi upon the termination or expiration of this Agreement. It is hereby clarified that such termination assistance shall be provided to Citi by the Supplier at no additional costs except to the extent of fee for Services as may be calculated on any pro-rata basis that is applicable. 6. INSPECTION AND RIGHT TO AUDIT 6.1 The Supplier shall keep complete and accurate records of all operations and expenses in connection with the Services. All the said records shall be kept on file by the Supplier for a period of 8 (Eight) years from the date the record is made or as otherwise set forth by applicable law, and in any event, shall not be excised without first having duly and adequately and timely informed Citi in writing and also providing Citi with the option of having such records transferred into the custody of Citi. 6.2 The Supplier shall, at reasonable hours, allow Citi, its management, its auditors and/or regulators (including Indian and United States regulators and Citigroup auditors), the opportunity of inspecting, examining and auditing the Supplier’s operations, including its security practices and control processes, including practices and procedures in relation to data security, and business records directly relevant to the Services, and financial agreements, its balance-sheet and profit and loss account and audit reports, and all other documents which the Supplier may be called upon to produce for the purposes of ascertaining the financial viability of the Supplier as a service provider. The Supplier shall, as and when requested by Citi , provide access to and make available to any of Citi’s officers / employees/ management or internal / external auditors, regulators and their representatives, the necessary records for inspection / examination / audit, and cooperate to the fullest extent so as to clarify on any activities and to assure a prompt and accurate audit related to the Services. 6.3 The Supplier shall co-operate with Citi’s internal or external auditors, and regulators to assure a prompt and accurate audit/inspection. The Supplier shall also co-operate in good faith with Citi to correct any practices, which are found to be deficient as a result of any such audit, within a reasonable time after receipt of reports. 23
Such audits or reviews will be at the expense of Citi. However, if the audit discovers discrepancies or overcharges, then upon completion of such audit or review, the Supplier shall be bound and liable to promptly reimburse to Citi for such discrepancies or overcharges, and for the cost of the audit. 6.4 In addition to what is provided hereinabove, the Supplier shall on an year-on-year basis provide to its independent auditors (“Auditors”) access at reasonable hours to Supplier Personnel and to Supplier’s records and other pertinent information, all to the extent relevant to the performance of Supplier’s financial, regulatory and Service obligations under the Agreement. Such access shall be provided for the purpose of performing audits and inspections by the Auditors. The Supplier shall without delay submit the audit report to Citi. Citi and the Supplier shall develop and agree upon an action plan to promptly address and resolve any deficiencies, concerns and/or recommendations in such audit report in relation to the Services, and the Supplier, at its own expense, shall undertake remedial action in accordance with such action plan. The audit fees incurred under this clause shall be to the Supplier’s sole account. 7. MONITORING RESPONSIBILITY Except as otherwise directed by Citi, the Supplier agrees to meet with Citi, on a monthly basis, for the purpose of reviewing the Services provided by Supplier pursuant to the requirements of the Agreement. The Supplier shall submit a monthly report to Citi which shall include, but not be limited to, the following information, (i) a status report on Services provided during the month, identifying, in particular, any performance standards not met; and (ii) any other information requested by Citi. The Supplier agrees to meet with Citi on a quarterly basis to review all aspects of the Services provided and/or any other matters of mutual interest to the Supplier and Citi. Further, the Supplier agrees to meet with Citi at anytime at the request of Citi to review the Services provided by Supplier. The Supplier agrees to provide Citi with any and all information requested by Citi for the purpose of documenting and/or analyzing the Services provided. Citi will select, at its sole discretion, the information reports necessary for its management information needs. 8. CONSENT FOR DISCLOSURE Unless consent is prohibited by law, Supplier hereby consents to the transfer and disclosure by Citi of any information relating to the Supplier or any Service (i) to and between the branches, representative offices, affiliates and agents of Citi and third parties selected by any of them, wherever situated, for confidential use (including in connection with the provisions of any service and for data processing, statistical and risk analysis purposes); and (ii) to any person to (or through) whom Citi transfers or assigns (or may potentially transfer or assign) all or any of its rights, benefits and obligations hereunder, or with (or through) whom Citi enters into (or may potentially enter into) any sub-participation or the like in relation to, or any other transaction under which Services are to be made or received by reference to, the Agreement and this Addendum. Citi and any branch, representative office, affiliate, agent or third party may transfer and disclose any such information as required by law, court, regulator or legal process. Further, this provision shall be in addition to, and not in substitution for, any other provision agreed to between the parties (whether before or after the date hereof) which gives broader rights of disclosure to either party than contained herein. 24
9. GOVERNING LAW AND JURISDICTION Where both Citi (or Affiliate) and/or Supplier are located in or entities incorporated in the India, the governing law shall be the laws of India, and all claims or disputes arising out of or in connection with Agreement and/or the relevant Work Order shall be submitted to the court in India where Citi (or Affiliate) is located. 25
SCHEDULE F — INDONESIA LAW REQUIREMENTS (Version 3 — 17 February 2017) 1. PROVISIONS REQUIRED BY LOCAL LAWS OR REGULATIONS For the purposes of the Agreement and each Work Order made between the Supplier and Citi (or Affiliate) in Indonesia, the following wording shall be added to the Agreement in its entirety: 2. GENERAL REQUIREMENTS FOR ALL SERVICES(2) The following provisions shall apply to all Services provided by the Supplier to Citi: 2.1 Examinations or Audits by Regulators of the Supplier(3) Supplier shall notify Citi of any examination or audit by regulators of the Supplier which impacts the Services of Citi or the confidential information (including Indonesia data) of Citi. The notice must be addressed to Citi’s Country Compliance and must be received by Citi 3 (three) weeks before the examination or the audit commences. The Supplier should not release any Indonesia data without the approval of Citi. 2.2 Audits by Financial Services Authority / Otoritas Jasa Keuangan (“OJK”) (or any successor authority) on Citi(4) In the event of an audit conducted by OJK (or any successor authority) on Citi, any data requested to the Supplier must be provided by the Supplier to Citi within 5 (five) Indonesia business days from the date of request by Citi. 2.3 Critical Event(5) The Supplier agrees to also, as soon as possible, notify Citi of the occurrence of any critical event in regard to Citi, i.e. an event which may result in a financial loss to Citi and/or impede the smooth running of Citi’s operations. 2.4 Assignment and Subcontracting(6) The Supplier shall provide prior notification to Citi in the form of Appendix I hereof, for any assignment or subcontracting by the Supplier of any of its rights, obligations or responsibilities under the Agreement and the Work Order. If agreed by Citi, the notification can be made through e-mail to the designated person of Citi. 2.5 Classification of Services where Citi is Citibank, N.A., Indonesia In the case where Citi is Citibank, N.A., Indonesia, depending on whether or not a specific Service is classified by Citibank, N.A., Indonesia as an Information Technology Service (2) Regulations: a. OJK Regulations No 9/ POJK.03/2016 on Outsourcing (“OJK Reg. No 9/ 2016”). b. OJK Regulations No 38/ POJK.03/2016 on Risk Management Implementation on Information Technology (“OJK Reg. No 38/2016”) c. SEBI No 9/30/2007 on Risk Management Implementation on Information Technology (SEBI no 9/2007) d. SEBI No 14/20/DPNP/2012 on Prudential Principal on Outsourcing. (3) Section 10.3.3.1 of SEBI no 9/2007 (4) Section 10.3.3.1 of SEBI no 9/2007 (5) Section 10.3.3.1 of SEBI no 9/2007 (6) Section 10.3.3.1 of SEBI no 9/2007 26
pursuant to the regulation of OJK(7) (or any successor authority), different requirements may apply to the Service. The Supplier shall obtain confirmation from Citibank, N.A., Indonesia on the classification of Services provided under the Agreement. Reference should also be made in any Work Order. 3. SPECIFIC REQUIREMENTS FOR INFORMATION TECHNOLOGY SERVICES(8) In addition to the requirements as, set forth in Section 2 above, the provisions under Section 3 of this Schedule shall apply to the Services where it is identified as Information Technology Services in the Agreement or in any Work Order. 3.1 Definitions(9) a. Information Technology is a technology to gather, organize, keep, process, announce, analyze, and/or publish information; which are related to computer, telecommunication and other electronics means used to operate financial data and/or provide banking services; b. Data Centre is a main facility for data processing for Citi by Supplier, consisting of hardware and software to support the operational activities of Citi continuously; c. Disaster Recovery Centre is a substitute facility, in the event the Data Centre experiences a disturbance or dysfunction, among others due to: no electricity to the computer room, fire, explosion or computer damage, temporarily used during the recovery of the Supplier’s Data Centre, to ensure business continuity; d. Technology-based-Transaction Processing is an activity in the form of addition, amendment, deletion of data and/or data authorization to be performed on the application system(s) used to process Citi transactions. 3.2 Information Technology Services For all Services that are identified as Information Technology Services, the following requirements shall apply:(10) a. The Supplier must apply reasonable information technology control principles (the application of both physical and logical security measures) which shall be evidenced by an independent audit report commissioned by Supplier. b. The Supplier shall provide technical document(s) to Citi in relation to the Information Technology Services being provided, which include among others the Information Technology processes and data base structure. c. The Supplier shall provide qualified and competent personnel in accordance with the Information Technology Services being provided. The Supplier must do transfer of knowledge to Citi, so that there will be a personnel in Citi that understands the Information Technology processes and applications provided by the Supplier, which may be done among others by way of providing trainings to Citi. d. The Supplier must report to Citi of any request for access or disclosure of the confidential information, to the extent that such confidential information must be disclosed under applicable laws. (7) OJK. Reg No 38/2016 (8) OJK Reg No 38/2016 (9) In accordance to Section 1 of OJK Reg. No. 38/2016 (10) Section 10.3.3.1 of SEBI no 9/2007 27
e. The Supplier must report to Citi in the event of any change of situation which may limit or hinder the rights of Citi or OJK (or any successor authority) to access information in regard to the Information Technology Services. f. Upon request by Citi, the Supplier shall provide Citi with report of the monitoring result on its performance related to a Work Order. g. In addition and without prejudice to the business continuity or disaster recover provisions of the Master Agreement, the Supplier shall ensure that the Disaster Recovery Plan is tested from time to time. For Information Technology Services that are specifically identified as maintenance of a Data Centre, Disaster Recovery Services and/or Technology-based Transaction Processing Services, additional requirements as set forth in Subsection 3.3 of this Schedule shall apply. 3.3 Data Centre, Disaster Recovery Services and Technology-based Transaction Processing Services For Information Technology Services that are specifically identified as maintenance of Data Centre or Disaster Recovery Services and/or Technology-based Transaction Processing Services, in addition to the requirement of Subsection 3.2 of this Schedule, the following requirements shall apply:(11) a. Submission of Documents Prior to Initiation of Services As part of the requirement for Citi to apply to OJK (or any successor authority) for approval of the outsourcing of Data Centre, Disaster Recovery Services and/or Technology-based Transaction Processing Services to Supplier, the Supplier shall submit to OJK (or any successor authority) via Citi a written confirmation from the regulatory or statutory authority having local jurisdiction over the Supplier that: (i) Supplier is within its supervisory jurisdiction; (ii) the authority shall allow OJK (or any successor authority), at a reasonable time, to examine Supplier’s provision of services to Citi. In the event there is no authority having jurisdiction over the Supplier, the Supplier shall advise Citi of the circumstance. Citi shall seek advice from OJK (or any successor authority) of a confirmation acceptable to OJK (or any successor authority) in lieu of the above written confirmation. b. Risk Management Controls: Supplier shall provide Citi, on an annual basis, an appraisal on the risk management controls in effect at the Supplier. The foregoing report must be submitted no later than a month after the completion of such review. For the purpose of this clause Appendix II hereto is a summary of the least coverage to be observed in a technology risk management pursuant to the prevailing regulation. c. Submission of Independent Audit Report The Supplier shall submit an independent audit report on Data Centre, Disaster Recovery Services and/or Technology-based Transaction Processing Services to OJK (or any successor authority) via Citi on an annual basis. The report must be submitted to OJK (or any successor authority) within 2 (two) months after the completion of the audit. d. Data Transmission (11) Section 10.3.3.1 of SEBI no 9/2007 28
The Supplier shall ensure the availability of online means of communication, security on data access and transmission from and to the Data Centre, Disaster Recovery Centre and Technology-based Transaction Processing Centre and shall have clear stipulations regarding security in the submission of necessary source document to and from Data Centre, Disaster Recovery Centre, and Technology-based Transaction Processing Centre. 4. WITHHOLDING TAXES AND TAX RECEIPTS The Supplier shall upon Citi’s request furnish Citi with a Certificate of Residence issued by the competent tax authority of the Supplier on an annual basis. 5. LANGUAGE(12) The Supplier agrees that to the extent that Law No. 24 of 2009 of the Republic of Indonesia (“Law No.24/2009”) on Flag, Language, State Emblem and National Anthem applies to this Agreement (as an agreement to which an Indonesian entity is a party), the Supplier shall, within 30 (thirty) days after being requested by Citi (or Affiliate) from time to time, or if required by any implementing regulations under Law No. 24/2009, translate this Agreement into Indonesian language and ratify the Indonesian language translation. An Indonesian language version of this Agreement is only intended for compliance with the above mentioned Law No.24/2009 as a reference between the parties to this Agreement. The parties agree that in the event of any inconsistency between the English language and the Indonesian language version, the English language version shall prevail. The Supplier acknowledges that it fully understands the language and the content of this Agreement and the Supplier agrees that it will not use the provisions under Law No.24/2009 to invalidate this Agreement. 6. GOVERNING LAW AND JURISDICTION Where both Citi (or Affiliate) and Supplier are located in or entities incorporated in the Republic of Indonesia, the governing law shall be the laws of the Republic of Indonesia, and all claims or disputes arising out of or in connection with Master Agreement and/or the relevant Work Order shall be submitted to the court in Indonesia where Citi (or Affiliate) is located. Appendix I Appendix II (12) Law No. 24 of 2009 of the Republic of Indonesia on Flag, Language, State Emblem and National Anthem. 29
SCHEDULE G — JAPAN LAW REQUIREMENTS (Version 3 — 6 June 2014; re-validated 10 January 2017) I. General 1.1 Unless otherwise a separate Work Order, Statements of Work or any additional ancillary agreement (collectively “Work Order”) is directly made and entered into by and between the Supplier or its local Affiliate (collectively, the “Supplier”) and any Affiliate of Citi in Japan (“Citi”), the Supplier shall be subject to Section II of this Schedule in connection with providing the Services to Citi or for the benefit (whether direct or indirect) of Citi. 1.2 Where necessary or appropriate, in Citi’s determination, for Citi to receive the Services in Japan, the Supplier and Citi will enter into a separate Work Order setting forth such additional terms and conditions applicable in Japan. The Japanese local agreements may address as necessary any specific legal, regulatory, human resource or procedural requirements necessary for compliance with applicable Japanese laws, due to variations in practices or as otherwise agreed to by the Parties. If a separate Japanese local agreement is made and entered into by and between the Supplier and Citi, such Japanese local agreement shall supersede this Addendum including this Schedule. II. Provisions required by JAPANESE laws or regulations If Citi receives the Services from the Supplier, or if the Services are for the benefit (whether direct or indirect) of Citi, the following additional terms and conditions shall be applied to provision of the Services in addition to the master agreement to which this Schedule applies (“Master Agreement”). 1. Protected Information If Citi or its affiliates is required to furnish, supply, disclose, or make available the Protected Information (defined below) to Supplier in connection with provision of the Services, the following additional terms and conditions shall be applied to the Parties in addition to the Master Agreement: 1.1 The “Protected Information” means and includes personal information of a natural person (the “Personal Information”) within the meaning of the Act on the Protection of Personal Information of Japan (Law No. 57 of 2003, as amended from time to time. Hereinafter referred to as the “PIP”) and non-public information of an artificial person held by Citi. 1.2 If Citi or its affiliates furnishes, supplies or discloses to Supplier Citi’s Protected Information in connection with the Services or otherwise, and the Supplier obtains or 30
accesses such Protected Information, the Supplier shall take the following necessary and appropriate measures to prevent divulgence, loss, or destruction of the Protected Information in accordance with the PIP and other laws and regulations of Japan (collectively, the “Japanese Laws”). (1) The organizational security measures to ensure that the Supplier will disclose the Protected Information only to those of the Supplier’s personnel who have a need to know such Protected Information (only to the extent necessary) in order to fulfill the purposes contemplated by the Work Order, and set forth internal rules for use of and access to the Protected Information, which is subject to the Supplier’s periodical review; (2) The individual security measures to ensure that the Supplier will instruct and supervise its personnel who uses or has access to the Protected Information to prohibit the personnel from committing unauthorized disclosure, access, use and misappropriation of the Protected Information; and (3) The technological security measures to ensure that the Supplier will implement systems to limit access to the Protected Information and monitor such access. 1.3 Pursuant to the Japanese Laws, the Supplier acknowledges and agrees that: (1) Citi reserves the rights to supervise and audit the Supplier in connection with the provision of the Services and the Protected Information disclosed to the Supplier; (2) Citi reserves the rights not to furnish, supply, disclose, or make available the Protected Information to the Supplier in connection with provision of the Services IF the Supplier fails to comply with the terms and conditions set forth in this Schedule; (3) The Supplier shall use the Citi’s Protected Information only for the purpose of providing the Services and shall not destroy, alter, misappropriate, reproduce, or store the Protected Information nor divulge or disclose the Protected Information, in any form or manner, to a third party without the prior written consent of Citi; and (4) The Supplier shall be responsible for damages arising out of, or relating to divulgence, loss, alteration, misappropriation, and/or unauthorized disclosure of the Protected Information caused by the Supplier. 1.4 Notwithstanding Section 2 hereof, the Supplier shall not outsource handling of Citi’s Protected Information to the Supplier’s subcontractor UNLESS the Supplier satisfies all of the following requirements in addition to Sections 2 and 3 of this Schedule: 31
(1) The Supplier shall obtain the prior written consent of Citi; and (2) The Supplier shall cause its subcontractor to adopt the adequate security measures as set forth in Section 1.2 of this Schedule. 1.5 Except as otherwise expressly provided for by the Master Agreement and the Work Order, upon the request of Citi at any time during the term of the applicable Work Order or after the termination thereof, the Supplier shall promptly return or destroy the Protected Information or its duplicates supplied to, or otherwise obtained by, the Supplier in connection with the Services, in the form or manner specifically instructed by Citi. If the Protected Information was stored or saved in the Supplier’s computers, servers, or any other electromagnetic medium, the Supplier also shall delete or purge such stored or saved Protected Information in the form or manner specifically instructed by Citi. 1.6 Where the Supplier is required to disclose Citi’s Protected Information under any applicable law, regulation or an order from a court, regulatory agency or other governmental authority having competent jurisdiction, and is further required to notify Citi, the Supplier must promptly send a copy of the order and accompanying documentation by facsimile transmission to Citi. 2. Subcontracting 2.1 The Supplier shall not subcontract any part of the Services to a third party, including its Affiliates, without the prior written consent of Citi. 2.2 If the Supplier subcontracts any part of the Services to a third party, the Supplier shall select a subcontractor which meets satisfactory criteria, including but not limited to, all of the following three (3) criteria: (1) A subcontractor who, in light of Citi’s coherent business operations, is able to provide Citi and Supplier with the Services at the reasonably sufficient level in the industry; (2) A subcontractor whose financial and management conditions are sufficient enough to provide Citi and Supplier with the Services in accordance with the Master Agreement, applicable Work Order, this Schedule and subcontracting agreement, and to indemnify Citi for damages arising out of, or relating to the Services; and (3) A subcontractor will not risk the reputation of Citi. 2.3 A subcontracting agreement to be entered into by and between the Supplier and a subcontractor shall contain satisfactory stipulations, including but not limited to, all of the following four, (4) terms and conditions: 32
(1) Description of the services to be subcontracted, the service level standards for providing the services, and procedures for terminating the subcontracting agreement; (2) The subcontractor’s liability for damages arising out of subcontractor’s failure to perform the services in accordance with the subcontracting agreement or subcontractor’s breach of the subcontracting agreement (placing a security deposit, collateral, or lien if necessary); (3) Items to be reported by the subcontractor to the Supplier in connection with the provision of the services and subcontractor’s management conditions; and (4) Cooperation with internal and external auditors and regulators of Citi and/or the Supplier. 2.4 A subcontracting agreement to be entered into by and between the Supplier and a subcontractor shall not violate the applicable Japanese Laws. 2.5 The Supplier shall adopt sufficient internal control measures, including but not limited to, designating a project manager who is responsible for the subcontracted services, monitoring a subcontractor and its performance, and establishing audit functions. 2.6 A subcontractor shall provide the Supplier with a periodical report on the status of subcontracted services and the subcontractor, upon request of Citi and/or the Supplier, must provide Citi and/or the Supplier with necessary information in a prompt manner. 2.7 The Supplier shall audit a subcontractor periodically to ensure that such subcontractor complies with applicable Japanese Laws and all terms and conditions set forth in the Master Agreement, applicable Work Order and this Schedule. 2.8 The Supplier shall prepare a continuity of business plan in order to provide Citi with continuous Services in case of emergency or subcontractor’s failure to perform the Services in accordance with the subcontracting agreement. 2.9 The Supplier, upon the request of Citi, shall provide Citi with information of its subcontractor, including but not limited to, name of the subcontractor and its project manager, contact information of the subcontractor, description of the services subcontracted, and the subcontracting agreement. 3. Continuity of Business Plan 3.1 The Supplier must maintain a continuity of business plan (“COB Plan”). The COB Plan must enable the Supplier to provide the Services and comply with the terms of the Master Agreement, notwithstanding an event that disrupts, impairs or prevents the Supplier from otherwise providing the Services or complying with its obligations thereunder. 33
3.2 The COB Plan must include procedures to ensure that the Supplier is able to provide the Services and otherwise comply with its obligations under the Master Agreement, notwithstanding that an agent, consultant or contractor of the Supplier is incapable of providing the Services to the Supplier. 3.3 The COB Plan must be: (1) based upon a formal assessment of the applicable risks; (2) reviewed and updated on a regular basis and at least annually; (3) tested at least annually; and (4) subject to quality assurance review at least annually. 4. Representation and Warranties for Anti-Social Forces 4.1 For the purpose of this Schedule, “Anti-Social Force” means and includes a crime organization (boryokudan), a listed member (boryokudan —in) or an affiliated member (jun-boryokudan —in) of such crime organization, a corporate entity affiliated with such crime organization, a corporate racketeer (sokaiya), an individual or an organization which demands and/or acquires financial interests of others in unlawful manners and/or causes or threatens to cause physical harm to others, and all other equivalent or similar individuals or organizations. 4.2 The Supplier, to the best of its knowledge, represents and warrants on or after execution of an applicable Work Order that Supplier, its subcontractor and its subcontractors’ personnel have never belonged to or will never belong to the Anti-Social Force. 4.3 The Supplier, to the best of its knowledge, represents and warrants to a Japanese Entity on or after execution of an applicable Work Order that the Supplier and its subcontractors by themselves or through any third party have not engaged in or will not engage in the following acts: (1) Extortion, racketeering and/or similar unlawful demand; (2) Unreasonable demand and/or claim beyond its legal rights and obligations; (3) Employment of threatening language or physical force in connection with a transaction; (4) Defamation of others and/or disruption of others’ business activities by disseminating false or misleading statements, employing fraudulent means, or resorting to fearful forces; or (5) Any other acts similar to the foregoing, including but not limited to money laundering. 4.4 Citi reserves right to terminate an applicable Work Order if the Supplier and/or its subcontractors breaches or misrepresents any one of the representations and warranties set forth in this Section 4 and it becomes unreasonable to maintain a contractual relationship with Citi (or the relevant Citi affiliate). 5. Inspection and Rights to Audit 34
5.1 Citi, its auditors, or its authorized regulator shall have the right to audit the Supplier to ensure compliance with the Master Agreement and/or an applicable Work Order in relation to the Services. The Supplier shall cooperate with Citi’s internal and external auditors and regulators. The Supplier shall keep complete and accurate records of all of its work and expenses in providing the Services to Citi for a period not less than seven (7) years from the date which the record was created or such other longer period as requested by Citi in writing. 5.2 The Supplier shall require any subcontractor appointed (if applicable) to also maintain complete and accurate records of all of its work and expenses in relation to the Service subcontracted to it. The Supplier shall ensure and procure that these requirements are set forth in its arrangements with any subcontractor, 5.3 The Supplier shall allow Citi, its auditors and/or its regulators: (1) to obtain records and documents of transactions and information of Citi given to, stored at or processed by the Supplier; (2) to access any report and findings made on the Supplier in conjunction with the Services performed for Citi; (3) to access to the business premises of the Supplier in the exercise of its rights herein; and (4) to inspect, examine and audit the Supplier’s operations and records insofar as they are relevant to the Services. 6. Notice 6.1 If the Supplier receives Citi’s Protected Information, the Supplier, upon a request of Citi, shall fill out all necessary information in the Protected Information Sharing Attestation (Form 1) attached hereto and submit Form I to Citi. .If Supplier subcontracts all or any part of handling of the Protected Information to a third party, Supplier shall also fill out the “Outsourcing” part of the Form 1 and submit the Form 1 to Citi prior to the subcontracting. 6.2 If the Supplier returns or destroys the Protected Information in accordance with Section 1.5, the Supplier, upon a request of Citi, shall fill out all necessary information in the Protected Information Return/Deletion Attestation (Form 2) attached hereto and submit Form 2 to Citi without unnecessary delay. 6.3 If the Supplier outsources all or a part of the Services to a subcontractor, the Supplier, upon a request of Citi, shall fill out all necessary information in the Subcontract Attestation (Form 3) attached hereto and submit Form 3 to Citi prior to such outsourcing arrangement. 6.4 If the Supplier makes material changes in provision of the Services which give rise to a direct or indirect impact on Citi, including but not limited to system upgrade and/or alteration, changes in business processes, and changes in the Subcontractor and/or its 35
supervisory management, the Supplier, upon a request of Citi, shall fill out all necessary information in the Service Report (Form 4) attached hereto and submit Form 4 to Citi without unnecessary delay. 6.5 Citi reserves the right to request the Supplier for a periodic report on provision of the Services by filling out all necessary information in the Service Report (Form 4) attached hereto and submitting Form 4 to Citi without unnecessary delay. 7. Governing Law and Jurisdiction This Schedule shall be governed by, and construed in accordance with, the laws of Japan, and the parties hereby agree to submit to the non-exclusive jurisdiction of the Tokyo District Courts. III. Governing Law and Jurisdiction for direct Work Orders In the event a separate Work Order is directly made and entered into by and between the Supplier and Citi, notwithstanding any term to the contrary in the Master Agreement and/or Schedule, the governing law and jurisdiction clause as it applies to the applicable Work Orders entered into by and between Citi and the Supplier is varied as follows: “The validity of this Agreement as it applies to the Work Order, the construction and enforcement of its terms, and the interpretation of the rights and duties of the parties to the Work Order shall be governed by the laws of Japan. The Parties to the Work Order submit to the non-exclusive jurisdiction of the courts of the Tokyo District Court with respect to any dispute arising out of or in connection with the relevant Work Order and the Services provided in Japan.” FORM 1 — PROTECTED INFORMATION SHARING ATTESTATION Form 1.doc FORM 2 — PROTECTED INFORMATION RETURN/DELETION ATTESTATION Form 2.doc FORM 3 — SUBCONTRACT ATTESTATION Form 3.doc 36
FORM 4 — SERVICE REPORT Form 4.doc 37
SCHEDULE H — KOREA LAW REQUIREMENTS (Version 3 — 25 February 2016; revalidated 17 January 2017) In addition to the provisions under the Agreement, the Supplier shall comply with the requirements set forth below in accordance with applicable laws of Korea. To the extent that the terms and conditions of the Agreement are inconsistent with the terms and conditions herein, the terms and conditions herein will prevail. 1. Requirements under the (i) Personal Information Protection Act and (ii) Use and Protection of Credit Information Act: The following provisions shall apply to the Supplier to the extent that the Supplier receives Personal Information. Personal information refers to information pertaining to a living individual which contains information identifying a specific person with a name, a resident registration number, or similar in a form of an image, etc. (including information that does not, by itself, make it possible to identify a specific person but that when combined with other information readily identifies such a person). For the avoidance of doubt, Personal Information includes any credit information that relates to determination of credit rating or credit transactions capacities of a person as such term is defined under the Use and Protection of Credit Information Act. 1.1 The Supplier shall take measures, including establishment and operation of facilities and systems, to achieve the following in connection with processing any Personal Information: - prevent any distortion of access records to the Personal Information; - encrypt the Personal Information for transmission purposes; and - examine the Personal Information access records on a regular basis. In addition, the Supplier shall take such other measures necessary to protect the Personal Information as reasonably required by Citi. 1.2 Personal Information Protection Officer (a) For each service provided, the Supplier shall designate an individual to act as a Personal Information Protection Officer who will be responsible for processing all Personal Information pertaining to a natural person and ensure that the following duties are performed by such person: - adopt internal policies and procedures to protect the Personal Information (the “Personal Information Protection Procedures); - oversee and manage the Personal Information processing practice and make any improvement on such practice if necessary; - address any complaint the Supplier receives in connection with the Personal Information processing; - establish an internal control system to prevent any theft, misuse or abuse of the Personal Information; - establish a program and educate the Supplier Personnel regarding protection of the Personal Information; - manage and supervise maintenance and protection of documents that include the Personal Information; and - perform any other duties that may be necessary to process and protect the Personal Information. 38
(b) The Supplier shall ensure that the Personal Information Protection Officer (i) has the authority to make inquiries or require any person who deals with the Personal Information to report to him/her regarding processing status or processing system of the Personal Information and (ii) does not suffer from any disadvantage in performing his/her duties set forth in Section 1.2(a) above. 1.3 Upon occurrence of any breach of the Personal Information Protection Procedures or theft of the Personal Information (the “Occurrence”), the Supplier shall, without delay, take necessary measures to minimize the damage or loss and immediately notify Citi and Citi’s Project manager of the Occurrence and the following information as applicable: - the items of the Personal Information that are disclosed or stolen; - the time and details of the Occurrence; - measures that victims of the Occurrence may take to minimize their damage or loss; - measures adopted by and reliefs to be provided by the Supplier to remedy the Occurrence; and - contact information to which the victims may report their damage or loss. 1.4 The Personal Information pertaining to an individual must be made available for review, correction, or deletion, or must be subject to suspension of being processed upon such individual’s request. In the event that such individual to which the Personal Information pertains raises any objection to the manners in which his/her request concerning the foregoing matters are addressed by Citi, the Supplier shall endeavor to assist Citi in dealing with such objection. 2. Delegation Matters under the Regulations on Business Delegation by Financial Institutions The Supplier shall maintain a continuity of business (“COB”) plan designed to deal with a major destruction or incapacity of its facilities and/or systems. Pursuant to the COB plan, the Supplier shall maintain resources, guidelines, general action steps and backup sites, facilities and systems to resume business in case of disruption due to natural disaster, accidents or system failure. The COB plan shall include procedures including, but not limited to, for business site relocation, restoration of business functions and telecommunications resumption. Redundant servers shall be in place for several key systems and daily tape backups shall capture all key data and be stored offsite. The Supplier’s COB plan shall be updated and tested on an ongoing basis. 3. Requirements under Regulation on Outsourcing of Data Processing of Financial Companies 3.1 Pursuant to the Regulation on Outsourcing of Data Processing of Financial Companies, the outsourcing agreement between Citi and Supplier shall include but not be limited to the following: access and control to data transferred, joint responsibility between Citi and Supplier with regard to damage or loss suffered by Citi’s customer arising from an IT incident, inspection right on the Supplier by the regulator of Citi, jurisdiction in the event of legal dispute between Citi and Supplier. 3.2. When Citi outsources for data processing under this regulation, the Supplier may re-outsource the outsourced business to its affiliates, in which case, the outsourcing agreement between the Supplier and its affiliates is also subject to the requirements as set out in this Schedule. 3.3 The outsourcing agreement shall be governed by and construed in accordance with the laws of the Republic of Korea. Any dispute concerning the Service Provider over the outsourcing agreement is subject to the jurisdiction of the courts of the Republic of Korea. 39
4. Requirements under the Financial Investment Services and Capital Markets Act (FISCMA) The Supplier understands and acknowledges that, according to the FISCMA, Citi may entrust the Supplier with part of the affairs that it carries on as other financial businesses and incidental operations, while the Supplier or its Subcontractors shall not be entrusted with the affairs, prescribed under the Enforcement Decree of the FISCMA as those that are likely to undermine the protection of investors or sound order in trading, including (i) business of a compliance officer, (ii) business of performing internal auditing, (iii) business of managing risk, and (iv) business of analyzing and assessing credit risk, etc. The Supplier further understands that Citi shall report an agreement related to the above entrustment or delegation to the Financial Services Commission and the Supplier shall use its best efforts to facilitate the report process. 40
SCHEDULE I — MACAU LAW REQUIREMENTS (Version 2 — 22 March 2017) 1. Compliance with the law of Macau Special Administrative Region of the People’s Republic of China Prior to the provision of any Services by Supplier to Citi, both Parties shall comply with all legal and regulatory requirements in respect of the Services. 2. Audit and Inspection Right 2.1 The Supplier agrees that the services it performs for Citi are subject to examination of relevant authorities in Macau. Citi shall keep complete and accurate records of all of its work and expenses in receiving the Services from the Supplier for a period of at least ten (10) years from the date which the record was created. The Supplier shall, upon reasonable notice, allow Citi, its management, its auditors and/or its regulators, the opportunity of inspecting, examining and auditing the Supplier’s operations and the business records which are relevant to the Services provided hereunder by the Supplier including but not limited to the Supplier’s critical processes to confirm that the Supplier’s processes meet or exceed industry standards in such area of contingency planning, continuity of business plans, software engineering and test processes, change control procedures, critical staff succession planning and compliance with applicable laws and regulations. The Supplier shall cooperate fully with Citi’s internal or external auditors to ensure a prompt and accurate audit. If Citi provides recommendations for enhancing the Supplier’s critical processes, then the Supplier shall give due consideration to implementing such recommendations. 2.2 If an audit leads Citi to conclude that the Supplier breached the provisions of this Agreement or that any of the Supplier’s business or professional practices related to its performance of Services presents a risk of unauthorized disclosure of Information, the Supplier and Citi shall use their best efforts to reach a mutually satisfactory resolution. The Supplier shall also use its best efforts to correct any practices which are found to be deficient as a result of any such audit within a reasonable time after receipt of Citi’s audit report. 2.3 Citi shall be entitled to enter all or any of the Supplier’s premises from time to time to inspect and examine the Supplier’s operations and to check that the Supplier is complying with its obligations under this Agreement. Citi shall endeavor to give reasonable notice of its exercise of its rights hereunder but in circumstances where Citi is of the view that it would prejudice Citi’s interests to give such notice, no prior notice shall be required to be given by Citi. Citi’s rights under this clause may be exercisable by Citi from time to time without the Supplier’s consent and Citi is empowered to take all necessary or reasonable steps in order to exercise its rights under this clause fully. 3. Data processing To the extent the Macau Data Protection Act (the “Act”) applies to the Supplier in its provision of services, Supplier shall comply with the requirements of the Act. when the Supplier is acting as data processor, and is collecting, holding, processing, using or transferring personal data of individuals under this Schedule J (Macau Law Requirements). To the extent required by the Act the Supplier (i) will use appropriate technology and organizational measures to protect the personal data collected and / or stored with it and (ii) will ensure its employees and other persons who work for the Supplier (on a permanent or temporary basis) are bound by obligations of confidentiality. 41
SCHEDULE J — MALAYSIA LAW REQUIREMENTS (Version .6 — 11 January 2017) 1 Definitions For the purposes of this Schedule and its Appendices, the following terms shall have the meanings:- 1.1 “Citi Malaysia” means any Customer Affiliate in Malaysia. 1.2 “Citi Malaysia Information” includes all tangible or intangible information or materials, in any form or medium (and without regard to whether the information or materials are owned by Citi Malaysia or by a third party), that is provided or disclosed to Supplier by Citi Malaysia (including Personal Data and Citi Malaysia’s customers’ documents and information) or where the information or materials is provided or disclosed by Citi Malaysia to a third party (including an Affiliate), it is accessed, observed or otherwise obtained by Supplier. 2. Confidentiality and Security 2.1 Supplier hereby acknowledges receipt of section 133 of the Financial Services Act, 2013 of Malaysia (“FSA”), section 178 of the Labuan Financial Services and Securities Act, 2010 of Malaysia (“LFSSA”) and section 43 of the Securities Industry (Central Depositories) Act, 1991 of Malaysia (“SICDA”) (see Appendix A attached hereto). Supplier hereby acknowledges that it has been made aware of the effect of, and agrees and undertakes to, and to procure all Supplier Personnel and Supplier Affiliates that it uses to provide the Services, to observe all precautionary measures to prevent disclosure of information that will cause a violation of section 133 of the FSA or section 178 of the LFSSA or section 43 of the SICDA. Supplier further agrees and undertakes that it will not, and will covenant all Supplier Personnel and Supplier Affiliates not to do anything which will violate section 133 of the FSA or section 178 of the LFSSA or section 43 of the SICDA or otherwise be guilty of an offence there under. 2.2 Notwithstanding anything to the contrary and subject to the provisions of this Schedule, Supplier shall not, without Citi Malaysia’s written consent, disclose Citi Malaysia Information to any person (save for disclosure to Supplier’s employees (and only to the extent necessary in order to fulfill the purposes contemplated by the relevant Work Order)). Where the Citi Malaysia Information includes an Affiliate’s Confidential Information, Supplier shall comply with such additional obligations as may be required by that Affiliate as provided in the Agreement or notified in writing to Supplier. For the avoidance of doubt, the term “person” includes Supplier Affiliates, agents, consultants, contract non-employee workers, contractors, sub-contractors, third party hires and third party vendors. 2.3 Supplier shall at all times take technical, personnel, organizational and other measures to ensure:- 2.3.1 the confidentiality of Citi Malaysia Information between its various customers; and 2.3.2 that all Citi Malaysia Information and assets can be clearly identified and segregated so that Citi Malaysia Information and assets can either be 42
removed from the possession of Supplier or deleted, destroyed or rendered unusable. 2.4 Supplier shall retain all documents in connection with the provision of the Services in accordance with Citi Malaysia’s record retention policies or for such longer periods as may be reasonably instructed in writing by Citi Malaysia from time to time. Except as otherwise specified in the relevant Work Order or as required under any Applicable Law, upon the request of Citi Malaysia, Supplier will return (or purge its systems and files of, and suitably account for) all Citi Malaysia Information supplied to, or otherwise obtained by, Supplier in connection with the relevant Work Order. Supplier will certify in writing that it has fully complied with its obligations under this Clause 2.4 within seven (7) days following the date it receives a request from Citi Malaysia for such a certification. 2.5 Supplier shall not, without Citi Malaysia’s express prior written approval, send any Citi Malaysia Information to, store Citi Malaysia Information at, or provide access to Citi Malaysia Information from, any facility or data center outside of the country from which such Citi Malaysia Information was collected. 2.6 Supplier acknowledges that Citi Malaysia and its Affiliates are global companies and may, from time to time, collect, store, process, disseminate or use Personal Data relating to or provided by Supplier, or any person (natural person or legal entity) that Supplier assigns or engages (whether directly or indirectly) to exercise its rights or fulfill its obligations under the Agreement and relevant Work Order (collectively “Supplier Personal Data”). Supplier consents to, and warrants that it has obtained the consents of each person whose Personal Data is provided by Supplier or who is assigned or engaged to interact with Citi Malaysia or an Affiliate in connection with the subject matter of the Agreement and relevant Work Order for the collection, storage, processing, dissemination or use of such Supplier Personal Data by Citi Malaysia and the Affiliates for all purposes relating to the business contemplated under the Agreement and the relevant Work Order, including without limitation Citi Malaysia’s or an Affiliate’s administration of applicable policies or the administration of Citi Malaysia’s or an Affiliate’s vendor management program. 2.7 This Clause 2 (Confidentiality and Security) of this Malaysia Law Requirements Schedule shall survive termination or expiration of the relevant Work Order. 3 Business Continuity Management 3.1 Supplier represents, warrants and covenants that it has in place a satisfactory and a fully documented and adequately resourced Business Continuity Management (“BCM”) plan comprising (1) a Business Continuity Plan (“BCP”) evidencing how Supplier shall, under exceptional circumstances, be in a position to perform its obligations under the relevant Work Order, including but not limited to continuity of service and (ii) a Disaster Recovery Plan (“DRP”) evidencing how Supplier shall, in the event of a disaster, be in a position to perform its obligations under the relevant Work Order, including but not limited to disaster (whether natural or man-made) recovery plans that minimize the probability and impact of interruption to Citi Malaysia’s business, back up processing, protecting program and data files and equipment for the orderly and expeditious provision of the Services. 3.2 Supplier further represents and warrants that in respect of each Work Order, the BCP and the DRP shall be in place for the entire term of the relevant Work Order and for such period where transition services are provided by Supplier to Citi Malaysia. Supplier is required to declare its state of business continuity readiness to Citi 43
Malaysia on an annual basis. Supplier shall provide Citi Malaysia and comply with Recovery Time Objectives (“RTO”) stipulating the timeframe required for any of Supplier’s information technology systems and applications to be recovered and to be operationally ready to support the Services after an outage in accordance with such specifications as may be acceptable to Citi Malaysia. 3.3 Supplier shall test the BCP in relation to the Services and all facilities used by it in connection with the BCP on a regular basis and at least annually and notify Citi Malaysia of any test finding that may affect the Supplier’s performance, the test results and action to be undertaken to address any gap in the BCP. 3.4 Supplier shall test the DRP in relation to the Services and all facilities used by it in connection with the DRP on a regular basis and at least twice a year and notify Citi Malaysia of any test finding that may affect the Supplier’s performance, the test results and action to be undertaken to address any gap in the DRP. 3.5 If Supplier makes any significant change(s) to the BCM or there are any adverse developments that may significantly impact the Services, it shall notify Citi Malaysia in writing and provide a full description of such significant change(s) and/or adverse developments immediately. 3.6 In the event that such test(s) on the BCM in relation to the Services are reasonably required by Citi Malaysia in connection with the testing of its own business continuity plan, Supplier shall co-operate fully with Citi Malaysia to ensure that such test(s) are carried out as soon as reasonably practicable and accurately in accordance with Citi Malaysia’s reasonable requirements. 3.7 Supplier shall allow Citi Malaysia’s internal auditors or other independent party appointed by Citi Malaysia to review the BCM of Supplier. 3.8 The BCP and DRP should include, at least:- 3.8.1 Procedures to be followed in response to a major disruption to business operations. The procedures should enable the institution to respond swiftly to a crisis situation, recover and resume the critical business functions, resources and infrastructure outlined in the BCP within the stipulated timeframe. 3.8.2 Escalation, declaration and notification procedures including a call tree and contact list. 3.8.3 The conditions for BCP activation and the individual who has the authority to declare a disaster and grant permission to execute the recovery processes. 3.8.4 A list of all resources required to recover the critical business functions in the face of a major disruption including but not limited to key recovery personnel, computer hardware and software, office equipment and relevant documentation. 3.8.5 Relevant information about the alternate and recovery sites. 3.8.6 Procedures for restoring normal business operations, which should include the orderly entry of all business transactions and records into the relevant information technology systems and the completion of all verification and reconciliation procedures. 3.9 “Business Continuity Management” or “BCM” means a whole-of-business approach that includes policies, standards and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimize the operational, financial, legal, reputational and 44
other material consequences arising from a disruption. BCP and DRP are the key components of BCM. 3.10 “Business Continuity Plan” or “BCP” means a comprehensive documented action plan that outlines procedures, processes and systems necessary to resume or restore the business operation of an institution in the event of a disruption. 3.11 “Disaster Recovery Plan” or “DRP” means a comprehensive written plan of action that sets out the procedures and establishes the processes for information technology systems and requirements that are necessary to support and restore the business operation of an institution in the event of a disruption. 4 Monitoring and Control Supplier agrees to (i) meet with Citi Malaysia at any time and from time to time upon prior written notice being given to Supplier at the reasonable request of Citi Malaysia to review all aspects of the Services provided by Supplier pursuant to the relevant Work Order and/or other matters of mutual interest to Supplier and Citi Malaysia, and (ii) adopt any recommendations and/or measures reasonably proposed by Citi Malaysia to ensure, inter alia, compliance with legal and regulatory obligations. 5 Assignment and Sub-Contracting 5.1 Supplier shall not assign, outsource or subcontract any or all of its obligations or responsibilities set forth in the relevant Work Order to any third parties without the prior written consent of Citi Malaysia, and for the avoidance of doubt, the term “third parties” includes Supplier Affiliates, agents, consultants, contract non-employee workers, contractors, sub-contractors, third party hires and third party vendors. 5.2 To the extent that Supplier is so permitted to assign, outsource or subcontract any of its obligations set forth in the relevant Work Order, Supplier shall procure the compliance by all assignees/outsourcees/sub-contractors with the provisions of the Work Order and this Malaysia Law Requirements Schedule relating to the performance of such obligations (including, without limitation, provisions relating to security and confidentiality, assignment and sub-contracting, transition services, audit and inspection and business continuity management). 5.3 Where Citi Malaysia has consented to Supplier assigning, outsourcing or subcontracting any or all of its obligations set forth in the relevant Work Order to a third party, Citi Malaysia may require Supplier to, and Supplier shall (if so required by Citi Malaysia), provide to Citi Malaysia written notification of any venation or termination of the agreement between Supplier and that third party. If so requested by Citi Malaysia, the written notification shall be provided to Citi Malaysia within three (3) days of the variation or termination, or within any longer period of time as Citi Malaysia may allow. 6 Right of Audit 6.1 Subject to Clause 7 (Examinations, Review and Audits) of this Malaysia Law Requirements Schedule, Supplier will allow Citi Malaysia’s and an Affiliate’s internal or external auditors (i) to inspect, examine and audit Supplier’s operations and records insofar as they are relevant to the Services provided by Supplier, and (ii) to obtain copies of any report and finding made on Supplier in conjunction with the Services performed, directly or indirectly, for Citi Malaysia. Supplier shall cooperate with Citi Malaysia’s and an Affiliate’s internal and external auditors to ensure a prompt and accurate audit. 45
6.2 Subject to Clause 7 (Examinations, Review and Audits) of this Malaysia Law Requirements Schedule, Supplier will allow (with reasonable prior notice from Citi Malaysia) the Office of the Comptroller of the Currency (“OCC”), the Federal Reserve Board (“FED”), the Labuan Financial Services Authority (“LFSA”), Bank Negara Malaysia (“BNM”), the Securities Commission of Malaysia (“SC”) and any other authority having jurisdiction over Citi Malaysia or an Affiliate (the OCC, FED, LFSA, BNM, SC and any other authority having jurisdiction over Citi Malaysia or an Affiliate shall hereinafter be referred to as “Regulator”) or any agent appointed by any Regulator, to inspect, examine and audit Supplier’s operations and records insofar as they are relevant to the Services including but not limited to (i) records and documents relating to transactions, (ii) reports and findings made on Supplier in conjunction with the Services, and (iii) the internal controls adopted by Supplier with respect to preservation of the confidentiality of data generally and Citi Malaysia’s or an Affiliate’s Confidential Information specifically (where applicable). Supplier will ensure that these requirements are made part of its arrangements with any party Supplier may engage in the outsourcing (if applicable), including any disaster recovery and backup service providers. 6.3 Supplier confirms that, other than as provided in Clause 7 of this Malaysia Law Requirements Schedule, no governmental, regulatory, statutory or other approvals are required by it in respect of the inspection, examination and audit referred to in paragraphs 6.1 and 6.2 above. 6.4 Supplier will give due consideration to the findings and recommendations of any Regulator and those of the internal or external auditors of Citi Malaysia or an Affiliate. The parties shall discuss, in good faith, the feasibility of implementing said findings and recommendations, as well as the assignment of costs in connection therewith. If Supplier elects not to comply with the findings and recommendations, Citi Malaysia or an Affiliate shall be entitled to terminate the relevant Work Order or any part thereof without penalty by giving Supplier sixty (60) days (or such other period as may be decided by Citi Malaysia) prior written notice. During the notice period, Supplier shall not be compelled to comply with the findings and recommendations. 6.5 Supplier shall notify Citi Malaysia if any Regulator or other person seeks access to Citi Malaysia Information or if a situation arises where the rights of access of Citi Malaysia, an Affiliate, Citi Malaysia’s or an Affiliate’s internal or external auditors or any Regulator is restricted or denied. 7 Examinations, Review and Audits As an examination, review or audit of the books, accounts or transactions of Citi Malaysia may require the approval of Citi Malaysia’s or an Affiliate’s Regulator, any such examination, review or audit must be first approved by Citi Malaysia. 8 Malaysia’s Export Control laws Supplier shall execute the Letter of Assurance attached hereto as Appendix B if requested by Citi Malaysia or an Affiliate(s). 9 Transition Services Commencing upon notice to Supplier of expiration or termination of the relevant Work Order for any reason whatsoever (including a breach by either party) and continuing for up to twelve (12) months (or such longer period as may be required by Citi Malaysia) from the effective date 46
of expiration or termination, Supplier will provide to Citi Malaysia or an Affiliate such information, cooperation and reasonable termination assistance (“Transition Services”) requested by Citi Malaysia or an Affiliate to allow for the provision of services without interruption or adverse effect and to facilitate the orderly transfer of the subject matter of the relevant Work Order as desired by Citi Malaysia or an Affiliate. If requested by Citi Malaysia or an Affiliate, Supplier will reasonably cooperate with a third party in connection with the preparation and implementation of a transition plan by such third party or Citi Malaysia or an Affiliate upon the termination or expiration of the relevant Work Order and Supplier shall promptly furnish Citi Malaysia, an Affiliate or Citi Malaysia’s or an Affiliate’s designee with any documents, records, information, proprietary data (and related records and files) and materials of Citi Malaysia in the possession, power or control of Supplier or Supplier Affiliate or Supplier Personnel and all Work Product (in its current condition), which are required to facilitate the orderly transfer of the subject matter of the relevant Work Order as desired by Citi Malaysia or an Affiliate. Citi Malaysia or an Affiliate shall pay Supplier promptly the applicable fees (as agreed between the parties prior to the commencement of the Transition Services pursuant to this Clause 9 of this Malaysia Law Requirements Schedule) or the reasonable value for the said services properly performed by Supplier. Appendix A • Section 133 of the Financial Services Act 2013 of Malaysia • Section 178 of the Labuan Financial Services and Securities Act 2010 of Malaysia • Section 43 of the Securities Industry (Central Depositories) Act 1991 of Malaysia Appendix A (MY_201307).doc Appendix B Customer/Vendor Letter of Assurance / End User Certification for the purposes of the Strategic Trade Act 2010 STA Certification (revised_23102015).doc 47
SCHEDULE K— NEW ZEALAND LAW REQUIREMENTS (Version 2 — 18 January 2017) A. REGULATOR REQUESTS FOR INFORMATION Where Citi is supervised by a banking regulator such as the Reserve Bank of New Zealand or the Financial Markets Authority (both a “Regulator”) the Regulator may require information from Citi or the Supplier about the Services, the Supplier or the Agreement. Subject to applicable law or authority in the country in which it is based, the Supplier will give the Regulator any information relating to the Agreement as soon as possible after Citi or the Regulator asks the Supplier to do so. Unless prohibited by relevant law or legal authority, the Supplier will promptly inform Citi as soon as practicable after a Regulator asks the Supplier to provide information under this Section. The Supplier will permit the Regulator to conduct any on-site visit of the Supplier’s premises that is necessary to the Regulator’s role as supervisor of Citi. If a Regulator notifies Citi of its intention to conduct an on-site visit of the Supplier’s premises, Citi will promptly notify the Supplier. Where a Regulator conducts an on-site visit of the Supplier’s premises, the Supplier must not disclose or advertise that the Regulator has conducted such a visit without the prior written consent of Citi. The Supplier will use its best endeavours to satisfy the Regulator about any questions or concerns it may raise about the Services. The Supplier agrees that the existence of, and any information relating to, any investigation, question or concern raised by a Regulator about the services provided by the Supplier to Citi or in relation to Citi, is Confidential Information. B. PRIVACY The Privacy Act (1993) of New Zealand as amended from time to time (“Privacy Act”) applies to the handling of all personal information collected or held by government agencies and most businesses. Coverage of the private sector includes sole traders, major New Zealand-owned businesses and the local arms of overseas-owned businesses. The legislation identifies ‘personal information’ as information about an identifiable living person, irrespective of whether it is on a computer or a paper file. All references to ‘personal information’ in this Schedule shall be read as references to ‘personal information’ as defined in the Privacy Act. The parties and acknowledge and agree that: (a) each party to this Agreement that is resident in New Zealand (each, a “New Zealand Entity”) must: (i) comply with all applicable privacy laws, including the Privacy Act and any privacy principles prescribed thereunder (“Privacy Laws”); and (ii) ensure that personal information held, transferred or otherwise disclosed in connection with this Agreement does not breach any Privacy Laws; (b) each New Zealand Entity shall be responsible to obtain express or implied consent that the personal information can be used for (i) the transaction to which it relates; or (ii) those other purposes disclosed by the New Zealand Entity (“Purpose”); (c) where any party to this Agreement that is not resident in New Zealand (each, a “Non-New Zealand Entity”) holds personal information (i) solely as agent for the New Zealand Entity, or (ii) for the sole purpose of safe custody, or (iii) for the sole purpose of processing information on behalf of the New Zealand Entity, that Non-New Zealand Entity must comply the following conditions with respect to personal information disclosed to it by the New Zealand Entity: 48
A. the Non-New Zealand Entity must ensure that the personal information is protected against (i) loss, (ii) unauthorised access, use, modification or disclosure, or (iii) other misuse, by implementing such security safeguards in respect of the personal information as is reasonable in the circumstances; B. the Non- New Zealand Entity must hold the personal information in such a way that it can readily be retrieved in the event that the New Zealand Entity (or the individual concerned) wishes to access or correct the personal information; C. the Non-New Zealand Entity must not keep the personal information for longer than is required for the Purpose; D. the personal information must only be used for the Purpose; and E. they personal information must not be disclosed to any other person or body by the Non-New Zealand Entity unless the Non-New Zealand Entity believes on reasonable grounds that: I. the disclosure of the personal information is one of the Purpose for which the information was obtained or is directly related to the Purpose; or II. the source of the personal information is a publicly available publication; or III. the disclosure is to the individual concerned or authorised by the individual concerned; or IV. the disclosure is necessary: (i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences, or (ii) for the enforcement of a law imposing a pecuniary penalty, or (iii) for the protection of the public revenue, or (iv) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or V. the disclosure is necessary to prevent or lessen a serious threat to public health or public safety or the life or health of the individual concerned or another individual; or VI. the disclosure is necessary to facilitate the sale or other disposition of a business as a going concern; or VII. the information is to be used in a form in which the individual is not identified or is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; or VIII. the disclosure has been authorized by the New Zealand Privacy Commissioner under section 54 of the Privacy Act; in all other circumstances, each Non-New Zealand Entity must hold personal information disclosed to it by the New Zealand Entity in the manner prescribed by the laws of the country in which it holds the personal information; and (d) if a Non-New Zealand Entity becomes aware of a breach of paragraph (c) above, that Non-New Zealand Entity shall promptly advise the New Zealand Entity of such breach. C. UNSOLICITED ELECTRONIC MESSAGES ACT (2007) The Unsolicited Electronic Messages Act (2007) applies to prohibit unsolicited commercial electronic messages with a New Zealand link from being sent. It requires the recipient to have consented (actual or implied) to receiving the electronic message and the electronic messages to include accurate information about the person who authorised the sending of the message and a functional unsubscribe facility in order to enable the recipient to instruct the sender that no further messages are 49
to be sent to the recipient. The Supplier must take all reasonable steps to ensure that its employees, agents and subcontractors comply with that Act. 50
SCHEDULE L — PHILIPPINES LAW REQUIREMENTS (Version 2 — 30 April 2015) [NOTE: With the recent changes to data privacy regulations in the Philippines, a further update to this schedule is expected within the first half of 2017. In the interim and pending changes to this schedule, this version represents the current laws and regulations for the Philippines.] Philippine Legal Vehicles (the “Phil LVs”) shall include:- (1) CITIBANK, N.A., PHILIPPINE BRANCH (2) CITICORP FINANCIAL SERVICES AND INSURANCE BROKERAGE PHILIPPINES, INC. (3) CITICORP CAPITAL PHILIPPINES, INC. (4) CITIGROUP BUSINESS PROCESS SOLUTIONS PTE LTD. FORMERLY KNOWN AS CRESCENT SERVICES (PHILIPPINES) PTE. LTD. (5) CITIBANK N.A., REGIONAL OPERATING HEADQUARTERS 1.1.1 Supplier hereby acknowledges that it is aware of and understands the effect of, and agrees and undertakes to, observe the Philippine bank secrecy laws as well as such other applicable legal or regulatory restrictions, as described in Appendix I hereto (collectively referred to herein as the “Philippine Laws and Regulations”) in connection with the provision of the Services pursuant to the Agreement, and further agrees and undertakes that it will not do anything which will cause the Phil LVs or any of its customers or affiliates to violate any provision of the Philippine Laws and Regulations or otherwise be guilty of an offense thereunder. Supplier further undertakes to procure that its Personnel shall observe the Philippine Laws and Regulations. Supplier undertakes that it, together with its Personnel, shall be liable with the Phil LVs should the disclosure of information by Supplier and its Personnel result to a violation by the Phil LVs of the Philippine Laws and Regulations. 1.1.2 Subject to clauses 1.1.8 and 1.1.9 below, if Supplier hires another person to assist it in the performance of the Services, or assigns or sub-contracts any portion of its rights or responsibilities or obligations to another person, Supplier shall cause the vendor, assignee, sub-contractor or delegate to be bound to retain the confidentiality of the information and comply with all other provisions of the Agreement. Supplier shall ensure that each and every vendor, assignee, subcontractor or delegate will execute the Confidentiality Undertaking set out in Appendix II hereto, and submit a copy of the same to the Phil LVs upon request. 1.1.3 The parties agree that any unauthorized use or disclosure of information by Supplier may cause immediate and irreparable harm to the Phil Lvs for which money damages may not constitute an adequate remedy. In such event, the parties agree that the Phil LVs may seek injunctive relief as appropriate. 1.1.4 Supplier agrees and undertakes, and shall procure all its Personnel, to segregate each of the Phil LV’sdata from its own data and data of any other entity. 1.1.5 Supplier shall permit the auditors and regulators of the Phil LVs, during normal business hours upon reasonable advance notice, to conduct an examination of Supplier’s business and operations in relation to the Services under the Agreement, and shall provide access to information as may be requested by the Phil LVs. Supplier shall give due consideration to the implementation of the recommendations of Citi or its auditors or regulations for enhancing 51
Supplier’s critical processes. Supplier shall further procure its Personnel to comply with and satisfy the findings and recommendations of the regulators and those of the internal and/or external auditors of Citi and/or Supplier. The parties shall discuss, in good faith, the manner in which the said findings and recommendations of the regulators and internal and/or external auditors shall be implemented, as well as the assignment of costs in connection therewith. If it is not possible or commercially expedient for Supplier to comply with the findings and recommendations or the parties fail to agree on the implementation of such recommendations, either party shall be entitled to terminate the Agreement by giving the other party sixty (60) days prior written notice. During the notice period, Supplier shall not be compelled to comply with the findings and recommendations. 1.1.6 The Phil LVs shall at all times retain the ownership of all master and transaction data files containing Confidential Information of the Phil LVs. 1.1.7 Supplier shall maintain, at its sole expense, throughout the performance of its obligations, the following insurance coverage satisfactory to the Phil LVs: (a) fidelity insurance coverage for losses incurred as a result of dishonesty, fraud or misconduct on the part of its Personnel; (b) fire insurance providing coverage against loss or damage of the Phil LV’s data and equipment due to fire; and (c) such other insurance policies as is customary for similar service providers. None of the requirements contained herein as to types and approval of insurance coverage to be maintained by Supplier are intended to and shall not in any manner limit the liabilities and obligations assumed by Supplier under the Agreement. 1.1.8 Supplier acknowledges that subcontractors, third party hires, secondees or vendors shall not be given access to Confidential Information until the use of such subcontractors, secondees and third party hires and vendors have been approved by the Phil LVs. 1.1.9 The parties acknowledge that assignment and outsourcing arrangements that require the consent of the Phil LVs include the use of secondees, temporary staff and any other third party hire. Upon receipt of a request from Supplier, the Phil LVs shall review the proposed assignment and outsourcing arrangement and advise Supplier whether the approval of, or notification to, the outsourcing governance committee, the BSP or any relevant regulator is required for such arrangement. Until such approval is obtained or notification is given, Supplier shall not enter into or implement such assignment or outsourcing arrangement for Services to the Phil LVs. 1.2.0 Supplier acknowledges that any variation to the Agreement may require the approval of, or notification to, the outsourcing governance committee, the BSP or any relevant regulator. Supplier shall promptly advise the Phil LVs of any proposed amendment so that the Phil LVs may take the appropriate action. 1.2.1 Supplier confirms that it has business continuity contingency plans and procedures (“COB Plan”) in place which have been properly tested, and shall provide said COB Plan to the Phil LVs upon request. 52
Appendix I — PHILIPPINE LAWS AND REGULATIONS — PHILIPPINE BANK SECRECY LAWS Philippine Law and Regs (for LCA)_Marcl Appendix II — CONFIDENTIALITY AND SECRECY UNDERTAKING Schedule B_Confi Undertaking for Supp 53
SCHEDULE M — SINGAPORE LAW REQUIREMENTS (Version 6.0 — revalidated 23 January 2017) 1. DEFINITIONS For the purposes of this Schedule / Local Country Addendum and its Appendices, the following terms shall have the following meanings:- (1) “Citi S’pore” shall refer to Citi and any Citi Affiliate in Singapore (each “Citi S’pore”); (2) “Citi S’pore Information” shall include all tangible or intangible information and materials, in any form or medium (and without regard to whether the information is owned by Citi Spore or by a third party), that is furnished or disclosed to the Supplier by Citi S’pore or which is collected by the Supplier for or on behalf of Citi S’pore as part of providing the Services or any Deliverable (including Customer Information, Protected Information and Personal Information); (3) “Customer Information” shall be as defined in Appendix I; (4) “Permitted Purpose” means any Use relating to or in connection with the particular project described on a Work Order, as permitted by Citi S’pore in writing; (5) “Protected Information” shall be as defined in Appendix IV; (6) “Regulator” shall include the Personal Data Protection Commission of Singapore; (7) “third parties” includes affiliates, agents, consultants, contract non-employee workers, contractors, sub-contractors, third party hires of the Supplier; (8) “Use” means collection, processing, disclosure or other use;, (9) “Personal Information” shall have the same meaning as “Personal Data”, and (if neither term is defined in the Agreement) shall mean any information that relates to a person and that could be used, either directly or indirectly, to identify such person, whether a natural person or a legal entity; and (10) “Work Order” shall include “Purchase Order” or “Statement of Work”. 2. CONFIDENTIAL INFORMATION (INCLUDING PERSONAL INFORMATION) 2.1 Notwithstanding anything to the contrary and subject to the provisions in this Schedule / Local Country Addendum, the Supplier (i) shall not, without Citi S’pore’s prior written consent, disclose Citi S’pore Information (including Customer Information, Protected Information and Personal Information) provided pursuant to any Work Order in any manner except as expressly authorized by the Agreement and Work Order, and (ii) shall treat information with at least the same degree of care that it treats its own confidential information, but in no event with less than a reasonable degree of care. The Supplier undertakes to Use Citi S’pore Information solely for the Permitted Purpose and in accordance with all of Citi S’pore’s further instructions relating to such Use which Citi S’pore may issue from time to time (including instructions to completely cease Use of any specific Citi S’pore Information), and shall not retain any Personal Information comprised in the Citi S’pore Information longer than is necessary to Use the Citi S’pore information for the Permitted Purposes (unless mandatorily required by Applicable Law). 54
2.2 Notwithstanding anything stated to the contrary, all Citi S’pore Information disclosed to the Supplier shall remain the property of Citi S’pore. 2.3 The Supplier shall at all times be capable of logically or physically segregating, clearly identifying and protecting all Citi S’pore Information, documents, records and assets that are processed by and/or stored with the Supplier pursuant to the Agreement and Work Order. The Supplier shall take all necessary technical, personnel and organizational measures in order to: 2.3.1 maintain the confidentiality of Citi S’pore Information between its various customers; and 2.3.2 prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar issues. 2.4 If the Supplier is directed by court order, subpoena or other legal or administrative proceeding, regulatory or supervisory agency’s request or similar process to disclose any Citi S’pore Information, the Supplier shall notify Citi S’pore in writing (unless it has a legal obligation to the contrary), with a copy of such document attached, in sufficient detail immediately upon receipt of such court order, subpoena, legal or administrative, regulatory or supervisory agency’s request or similar process, in order to permit application by Citi S’pore for an appropriate protective order. 2.5 The Supplier shall: 2.5.1 notify Citi S’pore if any overseas regulator or authority were to seek access to Citi S’pore Information or if a situation were to arise where the rights of access of Citi S’pore or Monetary Authority of Singapore (“MAS”) as set out in this Schedule have been restricted or denied; 2.5.2 attend to whatever queries MAS may have and cooperate with MAS in supervising the outsourcing risks to Citi S’pore, including complying, as soon as possible, with any request from MAS or Citi S’pore for the Supplier or its sub-contractors to submit any reports on the security or control environment of the Supplier or its sub-contractors in relation to the Services; and 2.5.3 as soon as it becomes aware of any breach or potential breach of security relating to Citi S’pore Information, any unauthorised Use or loss of Citi S’pore Information, or any breach of its obligations relating to Citi S’pore Information, in addition to its obligations in this regard under the Agreement: (i) in the case of unauthorised Use of Citi S’pore Information, take reasonable measures, including legal proceedings, to restrain or prevent such unauthorised Use; and (ii) use all reasonable endeavour to prevent a recurrence of the same. 2.6 Where required by Citi S’pore in respect of Citi S’pore Information which is Personal Information, Supplier shall provide Citi S’pore with full details of its internal procedures and processes with regards to its Use of Personal Information (“Data Protection Processes”) and will work with Citi S’pore within the agreed timescales to prepare and agree in writing (amending its current procedures as required), a method for ensuring its procedures comply with Citi S’pore’s requirements as notified to Supplier. If at any time the Supplier changes any of its Data Protection Processes affecting the Agreement and/or Work Order as agreed with Citi S’pore pursuant to this sub-clause, it will promptly notify Citi S’pore in writing of such changes and refrain from implementing and using any such changes unless and until agreed by Citi S’pore. 2.7 The Supplier shall not transfer, whether within or out of its country, any Personal Information comprised in the Citi S’pore Information without the prior written consent of Citi S’pore. If given, the Supplier shall provide an adequate level of protection to any such Personal 55
Information transferred in accordance with relevant Citi S’pore policies and all reasonable instructions of Citi S’pore. 2.8 Where the Supplier provides Services to or deals with a Citi S’pore entity that is subject to the Banking Act, including without limitation, Citibank N.A. Singapore Branch, Citibank Singapore Limited and Citicorp Investment Bank (Singapore) Limited, the following provisions shall apply:- 2.8.1 The Supplier hereby acknowledges receipt of a written notice from Citi S’pore highlighting Citi S’pore’s obligations of confidentiality under the Singapore Banking Act and the Banking Regulations. The written notice is attached hereto as Appendix I. 2.8.2 The Supplier agrees to execute the Confidentiality and Secrecy Undertaking in the form specified in Appendix II and the Supplier hereby acknowledges that it is aware and understands the effect of, and agrees and undertakes to, and to procure all its employees, servants, agents, representatives and Personnel to observe all precautionary measures and prevent disclosure of information that will cause Citi S’pore or any of its Affiliates to violate its statutory duty pursuant to Section 47 of the Banking Act and similar provisions in the Banking Regulations not to disclose any information relating to, or any particulars of, an account of a customer of Citi S’pore, whether the account is in respect of a loan, investment or any other type of transaction or deposit information to any person except as expressly provided in the Banking Act and Banking Regulations. 2.8.3 The Supplier further agrees and undertakes that it will not, and will covenant all employees, servants, agents, representatives and Personnel not to do anything which will cause Citi S’pore or its Affiliates to violate any provision of Section 47 or otherwise be guilty of an offence thereunder. 2.8.4 The Supplier shall procure the execution of the Confidentiality and Secrecy Undertaking in the form specified in Appendix III by each of the Supplier’s Personnel appointed or to be appointed in connection with Work Order and/or to perform the Services or part thereof for and on behalf of Supplier. 2.8.5 The Supplier and its employees shall not without Citi S’pore’s prior written consent further disclose Customer Information (as defined in the Singapore Banking Act) to any third parties unless required to do so by law. For the avoidance of doubt, the Supplier’s Affiliate (other than one approved by Citi S’pore to provide the Services) shall be considered a third party for the purposes of this clause. 2.9 Where the Supplier provides Services to or deals with a Citi S’pore entity that is subject to the Trust Companies Act, including without limitation, CitiTrust (Singapore) Limited and Citicorp Trustee (Singapore) Limited, the following provisions shall apply:- 2.9.1 The Supplier hereby acknowledges receipt of a written notice from Citi S’pore highlighting Citi S’pore’s obligations of confidentiality under the Singapore Trust Companies Act, (Cap. 336) (the “Act”). The written notice is attached hereto as Appendix IV. 2.9.2 The Supplier agrees to execute the Confidentiality and Secrecy Undertaking in the form specified in Appendix II. The Supplier hereby acknowledges that it is aware of and understands the effect of, and agrees and undertakes to, and to procure all its employees, servants, agents, representatives and Personnel to observe all precautionary measures and prevent disclosure of information that will cause Citi S’pore or any of its Affiliates to violate its statutory duty pursuant to Section 49 of the Act not to disclose any Protected Information except as expressly provided in the Act. 2.9.3 The Supplier shall procure the execution of the Confidentiality and Secrecy Undertaking in the form specified in Appendix III by each of the Supplier’s Personnel 56
appointed or to be appointed in connection with Work Order and/or to perform the Services or part thereof for and on behalf of Supplier. 2.9.4 The Supplier and its employees shall not, without Citi S’pore’s prior written consent, further disclose Protected Information to any third parties unless required to do so by law. The Supplier further agrees and undertakes that it will not, and will covenant all employees, servants, agents and representatives not to do anything which will cause Citi S’pore or any of its Affiliates to violate any provision of Section 49 or otherwise be guilty of an offence thereunder. For the avoidance of doubt, the Supplier’s Affiliate (other than one approved by Citi S’pore to provide the Services) shall be considered a third party for the purposes of this clause. 2.10 Where the Supplier provides Services to or deals with a Citi S’pore entity that is subject to the Securities & Futures Act or the Financial Advisors Act (such as Citigroup Global Markets Singapore Pte Limited and Citigroup Global Markets Securities Singapore Pte Limited), the following provisions shall apply:- 2.10.1 The Supplier hereby acknowledges that it is aware and understands Citi S’pore is a capital markets services licence holder and is subject to statutory confidentiality obligations under the Securities and Futures Act and the Financial Advisors Act. The Supplier agrees and undertakes to, and to procure all its employees, servants, agents and representatives to observe all precautionary measures and prevent disclosure of information that will cause Citi S’pore to violate its statutory duty pursuant to not to disclose any information relating to, or any particulars of, an account of a customer of Citi S’pore. 2.10.2 The Service Provider further agrees and undertakes that it will not, and will covenant all employees, servants, agents and representatives not to do anything which will cause the Customer or any of its customers or affiliates to violate its statutory confidentiality obligations or otherwise be guilty of an offence thereunder. 2.10.3 The Supplier and its employees shall not without the Citi S’pore’s prior written consent further disclose customer information to any third parties unless required to do so by law. 2.11 Where the Supplier collects any Citi S’pore Information from Citi Personnel or any third party, it shall limit the collection of such Citi S’pore Information to the Permitted Purposes or purposes ancillary or incidental to the Permitted Purposes, and only carry out such collection after notifying or obtaining the consent of the individual (“Subject Individuals”) in such manner as Citi S’pore may prescribe or otherwise consistent with any Data Protection Processes where relevant. 2.12 To the extent that the Supplier receives, from an individual (or a person/entity acting on the individual’s behalf), a request, complaint or other third party communication which is in any way related to Citi Singapore Information, it will notify Citi S’pore of such request, complaint or other communication promptly and provide Citi S’pore with its full co-operation and assistance, including by: (i) providing Citi S’pore with full details of the request, complaint or other communication; (ii) if required, assisting Citi to comply with the individual’s access request within the relevant timescales set out by Citi and in accordance with Citi S’pore’s instructions; (iii) providing Citi S’pore with all Personal Information it holds in relation to the relevant individual within the timescales required by Citi S’pore; and (iv) providing Citi S’pore with any other information reasonably requested by Citi S’pore in connection thereto. 3 BUSINESS CONTINUITY MANAGEMENT 3.1 The Supplier represents, warrants and covenants that it has in place satisfactory business continuity plans (“BCP”), evidencing how the Supplier shall, under exceptional circumstances, be in a position to perform its obligations under the Agreement, including but not limited to continuity of service, disaster (whether natural or man-made) recovery plans that minimize the 57
probability and, impact of interruption to Citi S’pore’s business including recovery time objectives, recovery point objectives and resumption operating capacities, back up processing, protecting program and data files and equipment for the orderly and expeditious provision of the Services. The Supplier will provide Citi S’pore with all required information in relation to the BCP, including any alternative locations or sites established by the Supplier for such purposes. The Supplier further represents and warrants that the BCP shall be in place for the entire term of the Agreement. 3.2 The Supplier shall test the BCP in relation to the Services and all facilities used by it in connection with the BCP on a regular basis and notify Citi S’pore of any test finding that may affect the Supplier’s performance. Where requested, Supplier shall also allow Citi S’pore to participate in and jointly test Supplier’s BCP and disaster recovery exercises, The Supplier will ensure that all relevant personnel receive regular training in activating the BCP and executing recovery procedures. if the Supplier makes any substantial change(s) to the BCP or there are any adverse developments that may substantially impact the Services, it shall notify Citi S’pore in writing and provide a full description of such significant change(s) and/or adverse developments immediately. 3.3 In the event that such test(s) on the BCP in relation to the Services are reasonably required by Citi S’pore in connection with the testing of its own business continuity plan, the Supplier shall co-operate fully with Citi S’pore to ensure that such test(s) are carried out as soon as reasonably practicable and accurately in accordance with Citi S’pore’s reasonable requirements. 3.4 The Supplier shall at all times be capable logically or physically segregating, clearly identifying and protecting all Citi S’pore Information, documents, records and assets such that in adverse conditions, all such information, documents, records of transactions and information given to the Supplier, and assets of Citi S’pore, can be either promptly removed from the possession of the Supplier in order to continue its business operations, or deleted, destroyed or rendered unusable 4 INSPECTION AND RIGHT TO AUDIT 4.1 The Supplier agrees that the services it performs for a branch of a U.S. bank in Singapore are subject to examination of the Office of the Comptroller of the Currency (“OCC”) and MAS. The Supplier shall, and procure its sub-contractors to: 4.1.1 allow Citi S’pore to obtain copies of any report and finding made on the Supplier and its sub-contractors in relation to the Services under the Work Order, whether produced by the Supplier or its sub-contractors’ internal or external auditors, or by agents appointed by the Supplier and its sub-contractors; 4.1.2 allow the OCC, the MAS, or any agent appointed by OCC or MAS, to (i) access and inspect the Supplier and its sub-contractors, and to obtain records and documents, of transactions, and information of Citi S’pore given to, stored at or processed by the Supplier and its sub-contractors; and (ii) access any report and finding made on the Supplier and its sub-contractors in relation to the Services under the Work Order, whether produced by the Supplier or its sub-contractors’ internal or external auditors, or by agents appointed by the Supplier and its sub-contractors; 4.1.3 adopt supervisory actions and additional measures which MAS may require to be taken by Citi S’pore, depending on the potential impact of the outsourcing on Citi S’pore and the financial system, or as circumstances warrant; and 4.1.4 adopt appropriate corrective measures, including enforcement actions, imposed by OCC to address violations of law and regulations or unsafe or unsound banking practices by Citi S’pore or the Supplier. 58
4.2 The Supplier shall remove from its possession, delete, destroy or render unusable Citi S’pore’s information, documents, records and assets as directed by Citi S’pore, subject always to the legal requirements for the retention of records in Singapore. The Supplier shall keep complete and accurate records of all of its work and expenses in providing the Services to Citi S’pore for a period of seven (7) years from the date from which the record was created. 4.3 The Supplier shall, and shall procure its sub-contractors to, upon reasonable notice, allow Citi S’pore, its internal or external auditors, agents and/or its regulators (the “Citi S’pore auditing parties”), the opportunity of inspecting, examining and auditing Supplier’s and its subcontractors’ operations and business records which are relevant to the Services provided, including but not limited to, Supplier’s and its sub-contractors’ critical processes, to confirm that such processes meet industry standards in such areas of contingency planning, continuity of business plans, software engineering and test processes, change control procedures, critical staff succession planning and compliance with applicable laws and regulations. The Supplier shall, and shall procure its sub-contractors to, cooperate fully with the Citi S’pore auditing parties to ensure a prompt and accurate audit. If Citi S’pore provides recommendations for enhancing the Supplier’s and its sub-contractors’ critical processes, then the Supplier and its sub-contractors shall give due consideration to implementing such recommendations. 4.4 The Supplier and its sub-contractors shall also use its best efforts to correct any practices which are found to be deficient as a result of any audit within a reasonable time after receipt of the audit report. 5 MONITORING AND CONTROL The Supplier agrees to meet with Citi S’pore at any time and from time to time upon prior written notice being given to the Supplier at the reasonable request of Citi S’pore to review all aspects of the Services provided by the Supplier pursuant to a Work Order and/or other matters of mutual interest to the Supplier and Citi S’pore and adopt any recommendations and/or measures reasonably proposed by Citi S’pore to ensure, inter alia, compliance with legal and regulatory obligations. 6 TERMINATION 6.1 Notwithstanding anything to contrary in the Agreement and/or Work Order, Citi S’pore shall have the right to terminate a Work Order with immediate effect and without penalty by giving written notice in the event that: 6.1.1 in Citi S’pore’s reasonable opinion, there has been: (i) a breach of security or confidentiality, including but not limited to, a failure to safeguard the confidentiality of Citi S’pore Information; (ii) a situation where the security and confidentiality of Citi S’pore Information is lowered due to changes in the control environment of the Supplier; or (iii) a demonstrable deterioration in the ability of the Supplier to perform the contracted Services; 6.1.2 the Supplier undergoes a change in ownership; 6.1.3 the Supplier shall (i) commence a voluntary case or other proceeding seeking liquidation, reorganization or other relief with respect to itself or its debts under any bankruptcy, insolvency, corporation or other similar law now or hereafter in effect that 59
authorizes the reorganization or liquidation of the Supplier or its debt or the appointment of a trustee, receiver, liquidator, custodian or other similar official of it or any substantial part of its property, or (ii) consent to any such relief or to the appointment of or taking possession by any such official in an involuntary case or other proceeding commenced against it, or (iii) make a general assignment for the benefit of creditors, or (iv) fail generally to pay its debts as they become due, or (v) take any corporate action to authorize any of the foregoing; or 6.1.4 an involuntary case or other proceeding shall be commenced by persons (that are not bound or affected by the Agreement and/or Work Order) against the Supplier seeking liquidation, reorganization or other relief with respect to it or its debts under any bankruptcy, insolvency or other similar law now or hereafter in effect seeking the appointment of a trustee, receiver, liquidator, custodian or other similar official of it or any substantial part of its property, and such involuntary case or other proceeding shall remain undismissed and unstayed for a period of 60 days; or an order is entered by a court of competent jurisdiction affecting substantially all of the property or affairs of the Supplier against which proceedings have been commenced under bankruptcy, insolvency or other similar laws as now or hereafter in effect and such order shall remain undismissed and unstayed for a period of 60 days. 6.2 Commencing upon notice to Supplier of termination (or for a material amendment) of the Work Order and continuing through the effective date of termination (or amendment), the Supplier will provide to Citi S’pore reasonable termination (or amendment) assistance requested by Citi S’pore to allow the use of the Services without interruption or adverse effect and to facilitate the orderly transfer of the subject matter of the Work Order to a third party supplier or “bridge-institution13” as desired by Citi S’pore. If requested by Citi S’pore, the Supplier will reasonably cooperate with the third party supplier or bridge-institution in connection with the preparation and implementation of a transition plan by such party. 6.3 Upon termination of the Agreement and/or Work Order, the Supplier shall allow Citi S’pore to remove from the Supplier all Citi S’pore Information previously provided to the Supplier (including without limitation, information incorporated in computer software or held in electronic storage media, together with any analyses, compilations, studies, reports or other documents or materials containing any such data, Customer Information or Protected Information, as are in the possession or control of the Supplier), and Citi S’pore shall be allowed to delete, destroy or render unusable by the Supplier all such data, customer information or protected information previously given. The Supplier shall certify in writing to Citi S’pore within seven (7) days of the termination of the Agreement and/or Work Order that it has not retained any such data, Customer Information or Protected Information in any form whatsoever. 7 ASSIGNMENT AND SUB-CONTRACTING 7.1 Notwithstanding anything to the contrary in the Agreement and/or Work Order, the Supplier shall not assign, outsource or subcontract any or all of its obligations set forth in the Agreement and/or Work Order to any third parties without the prior written consent of Citi S’pore. Supplier’s use of a sub-contractor pursuant to any consent provided is subject to the condition that Supplier will ensure that its own agreement with such sub-contractor includes provisions that permit Citi S’pore and its (or its Affiliates’) regulators, internal and external auditors and agents to have reasonable access to the books and records of the subcontractor, as well as the right to perform audits on the sub-contractor, under the same terms and conditions as described in Section 4 (Inspection and Rights of Audit). 7.2 To the extent that the Supplier is so permitted by Citi S’pore to assign, outsource or subcontract any of its obligations set forth in the Agreement and/or Work Order pursuant to the sub-clause above, the Supplier shall procure the compliance by all assignees/outsourcees/sub-contractors (and their respective Personnel) with the provisions of the Agreement, Work Order and this Schedule / Local Country Addendum relating to the 13 As defined in the Monetary Authority of Singapore “Guidelines on Outsourcing” dated 27 July 2016. 60
performance of such obligations (including, without limitation, provisions relating to security and confidentiality, audit and inspection and business continuity management). Supplier is solely responsible for all acts and omissions of its sub-contractors, including the performance and risk management practices of such sub-contractors, as if such acts and omissions were its own and nothing herein shall be construed to create any contractual relationship between Citi S’pore and any sub-contractor. 8 SUPPLIER PERSONNEL 8.1 Supplier shall ensure that all its Personnel involved in the provision of the Services are assessed to meet and comply with Citi S’pore’s hiring policies and standards, as made known to Supplier, for the respective services or roles they are providing or performing. Examples of the relevant assessment criteria, include but are not limited to: 8.1.1 whether they have been the subject of any proceedings of a disciplinary or criminal nature; 8.1.2 whether they have been convicted of any offence (in particular, that associated with a finding or fraud, misrepresentation or dishonesty); 8.1.3 whether they have accepted civil liability for fraud or misrepresentation; and 8.1.4 whether they are financially sound. 9 NOTIFICATION OF ADVERSE DEVELOPMENTS 9.1 Supplier shall immediately notify Citi S’pore of any adverse developments or changes, including those affecting its Affiliates or approved assignees/outsources/sub-contractors (and their respective Personnel), that has or could be reasonably expected to have a material impact on the Supplier’s ability to carry out (or Citi S’pore’s ability to receive) the Services and/or Deliverables effectively and in accordance with the provisions of the Agreement and this Schedule. Examples of adverse developments and changes, include but are not limited to: 9.1.1 any interruption of Services (including unplanned unavailability of any systems, software or infrastructure Supplier uses to deliver the Services); 9.1.2 any event that could potentially lead to prolonged service failure or disruption to the Services; 9.1.3 any breach of security and confidentiality of Citi S’pore Information; 9.1.4 any force majeure or other event that would cause Supplier to invoke business continuity or disaster recovery plans; 9.1.5 any regulatory or enforcement action taken against Supplier or any failure of Supplier and its Personnel to comply with this Schedule; 9.1.6 any strategic business change that could impact Service provision such as a change of control of Supplier; 9.1.7 any proposed change to Supplier’s management or key Personnel; 9.1.8 any material adverse change in the financial standing of Supplier; 9.1.9 any proposed implementation of new or revised policies, processes or information technology; and 9.1.10 any issues identified by Supplier’s internal or external auditors that may have or has a material adverse impact on the provision of the Services. 10 CLOUD COMPUTING SERVICES 10.1 Where Supplier has been approved by Citi S’pore to provide public or private cloud computing services or a portion of the Services that Supplier has been approved by Citi S’pore to provide involve the use of public or private cloud architecture, technology or a multi-tenanted system, 61
such as Software as a Service (“SaaS”), Platform as a Service (“PaaS”) or Infrastructure as a Service (“IaaS”), the Supplier shall: 10.1.1 clearly identify and segregate all Citi S’pore Information using strong physical or logical controls that have been reviewed and approved by Citi S’pore; 10.1.2 implement robust access controls that have been reviewed and approved by Citi S’pore to protect all Citi S’pore Information at all times, including but not limited to, up-to-date authentication, tokenization and data encryption technology; 10.1.3 not make changes to the approved and contracted service structure and any security settings without the prior written consent of Citi S’pore and 10.1.4 immediately notify Citi S’pore of any breach of security and confidentiality of Citi S’pore Information. 10.2 The Supplier hereby acknowledges and agrees that a breach of this section 10 shall entitle Citi S’pore to terminate the Work Order in accordance with section 6 (Termination). 11. GOVERNING LAW AND JURISDICTION Notwithstanding any term to the contrary in the Agreement, the governing law and jurisdiction clause as it applies to this Schedule and Work Orders entered into by Citi S’pore is varied as follows: “The validity of this Agreement as it applies to the Work Order, the construction and enforcement of its terms, and the interpretation of the rights and duties of the parties to the Work Order shall be governed by the laws of Singapore. The parties to the Work Order submit to the non-exclusive jurisdiction of the courts of Singapore.” 12. SURVIVAL 12.1 The provision of this Schedule that, by their nature and content, must survive the completion, rescission, termination or expiration in order to achieve their fundamental purpose and effect hereof, shall so survive the Agreement and Work Order, and continue to bind the Supplier. 12.2 Without limiting the generality of the foregoing, the following provisions shall survive: sections 2, 3.4, 6.2, 6.3, 10.1.1, 10.1.2 and 11. 62
APPENDIX I — BANKING SECRECY UNDER THE SINGAPORE BANKING ACT, (CAP. 19) APPLICABLE TO CITIBANK N.A., SINGAPORE BRANCH AND CITIBANK SINGAPORE LIMITED AND THE BANKING REGULATIONS 2001 APPLICABLE TO CITICORP INVESTMENT BANK (SINGAPORE) LIMITED APPENDIX II - SINGAPORE LAWS AND REGULATION — CONFIDENTIALITY AND SECRECY UNDERTAKING (FOR THE SUPPLIER) APPENDIX III - SINGAPORE LAWS AND REGULATIONS - CONFIDENTIALITY AND SECRECY UNDERTAKING (for Supplier’s employees/agents/servants/Personnel) APPENDIX IV - SINGAPORE LAWS AND REGULATIONS — CONFIDENTIALITY UNDER THE TRUST COMPANIES ACT, CAP. 336 OF SINGAPORE (THE “ACT”) APPLICABLE TO CITITRUST (SINGAPORE) LIMITED AND CITICORP TRUSTEE (SINGAPORE) LIMITED 63
SCHEDULE N — SRI LANKA LAW REQUIREMENTS (Version 3 — 15 February 2017) The Bank has an obligation under the Common Law to keep the affairs of its customers confidential. ADDITIONAL CLAUSES REQUIRED TO COMPLY WITH THE LAWS AND REGULATIONS APPLICABLE IN SRI LANKA. In order to ensure compliance with Part V of the Banking Act No. 30 of 1988 as amended and Section 29 of the Monetary Law Act No. 58 of 1949 as amended, the Supplier shall comply with the additional clauses set out in (1) below :- 1. Audit and Inspection 1.1 The Supplier shall: 1.1.1 maintain such records as may be agreed between Citi and the Supplier relating to the Services provided by the Supplier under this Agreement. The Supplier shall procure that any sub-contractor appointed (if applicable and including any disaster recovery and back-up suppliers) shall also maintain complete and accurate records of all its work in relation to the Services sub-contracted to it; 1.1.2 subject to the approval of the applicable regulatory authorities of the Supplier, allow Citi to conduct audits on the Supplier, whether by its internal or external auditors, or by agents appointed by Citi; and to obtain copies of any report and finding made on the Supplier in conjunction with the Services performed for Citi. The Supplier shall co-operate with Citi’s internal and external auditors to ensure a prompt and accurate audit; 1.1.3 subject to the approval of the applicable regulatory authorities of the Supplier, allow any duly authorised officer or representative of the Central Bank of Sri Lanka, any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them, to access the Supplier to obtain records and documents, of transactions, and information of Citi given to, stored at or processed by the Supplier, the right to access any report and finding made on the Supplier and to inspect, examine and audit the Supplier’s operations and records insofar as they are relevant to the Services provided by the Supplier under this Agreement, including but not limited to the internal controls adopted by the Supplier with respect to preservation of the confidentiality of data generally and Citi’s information specifically (where applicable). The Supplier should ensure and procure that these requirements are met in its arrangements with any sub-contractor that the Supplier may engage in the outsourcing (if applicable), including any disaster recovery and backup suppliers; 1.1.4 adopt whatever supervisory actions and additional measures which the Central Bank of Sri Lanka, any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them may require to be taken by Citi, depending on the potential impact of the outsourcing on Citi and the financial system, or as circumstances warrant, as communicated by Citi to the Supplier; 1.1.5 adopt whatever appropriate corrective measures, including enforcement actions, imposed by the Central Bank of Sri Lanka, any competent court of law, or other 64
judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them, to address violations of law and regulations or unsafe or unsound banking practices by Citi or the Supplier. Citi will communicate such measures to the Supplier if the request made by the Central Bank of Sri Lanka or such other party is not addressed to the Supplier; and 1.1.6 provide such information as may be required by Citi in a timely manner in order that Citi may comply with any requirements imposed on Citi by law, the Central Bank of Sri Lanka, any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority. 1.2 The Supplier agrees that the Services it performs for Citi are subject to examination and regulation of the Central Bank of Sri Lanka, any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them. 2. Declarations of Secrecy 2.1 In terms of Section 77 of the Banking Act No. 30 of 1988, as amended and the Banking Act Direction No. 02/04/002/005/001 dated 1” December 1999, the Supplier shall procure its employees, servants, agents, representatives and contractors to execute a confidentiality undertaking, in form and substance acceptable to Citi and the Supplier. 3. Special clause/condition in software maintenance agreements or service agreements with software companies 3.1 In terms of the Banking Act Direction No. 02/04/002/005/001 dated 1” December 1999 and Banking Act Direction No 02 of 2012 on the Outsourcing of Business Operations of a Licensed Commercial Bank and Licensed Specialized Bank, the Supplier shall ensure that where there are any agreements with third parties (appointed with Citi’s prior written consent) with regard to any software maintenance or services such agreements shall include a confidentiality clause substantially similar to the clause set out below. “The parties agree that all information provided pursuant to this Agreement by each party to the other party is confidential and proprietary to the party providing the information and no party shall use any information provided by the other party for any purpose other than as permitted or required for performance under this Agreement. Each party agrees not to disclose or provide any information provided by the other party to any third party (with the exception of (i) any affiliate or subsidiary, which is bound to retain the confidentiality of the information; (ii) employees who have a need to know in the course of receiving or performing the Services pursuant to this Agreement, as the case may be, and such disclosure shall be to the extent required, provided that such employees are bound to retain the confidentiality of the information; (iii) third party vendors as necessary for the Supplier to provide Services to Citi under this Agreement, provided that such vendors are bound to retain the confidentiality of the information; and (iv) Citi’s disclosure of data to its internal and external auditors) without the express written consent of the other party, and each party agrees to take all reasonable measures, including, without limitation, measures taken by each party to safeguard its own confidential information to prevent any such disclosure by employees, agents, or contractors. In no event shall Citi divulge to any third party the contents in any invoices/charge documentation that it receives from the Supplier, without the written consent of the Supplier unless pursuant to any request made by the Central Bank of Sri Lanka, any competent court of law, or other judicial, 65
quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them or by the Internal or External Auditors of Citi. Nothing provided herein shall prevent any party from disclosing information to the extent the information (i) is or hereafter becomes part of the public domain through no fault of that party; (ii) is received from and furnished to a third party without similar restriction on disclosure by such third party; (iii) is independently developed by it; (iv) is required to be disclosed under law or any applicable regulation, at the order of a court of law, or at the request or order of any statutory, regulatory or supervisory authority with whom it customarily complies; or (v) is already known to it. If either party hires another person to assist it in the performance of this Agreement, or assigns any portion of its rights or delegates any portion of its responsibilities or obligations under this Agreement to another person, the assigning or delegating party shall cause its assignee or delegate to be bound to retain the confidentiality of the information.” 3.2 The Supplier shall obtain confidentiality undertakings, in form and substance acceptable to Citi and the Supplier from such software companies and the employees of such software companies who are or will be engaged in the provision of the services contemplated in this Agreement. 4. Form of Undertaking 4.1 Citi confirms that the Undertaking set out in the Appendix I hereto is sufficient for the purposes of complying with clauses 2.1 and 3.2. 5. Compliance with Banking Act Directions No. 2 of 2012 5.1 The Supplier shall do all such things necessary to ensure that Citi is in compliance with the Banking Act Direction No 02 of 2012 on the Outsourcing of Business Operations of a Licensed Commercial Bank and Licensed Specialized Bank, the following in particular: 5.1.1 The Supplier shall have a satisfactory business continuity plan and conduct regular tests thereon. 5.1.2 The Supplier shall do all such things and provide all such information necessary to enable Citi to make transaction reports and suspicious transactions reports to the Financial Intelligence Unit, as provided under the Financial Transactions Reporting Act No. 6 of 2006. APPENDIX I - UNDERTAKING14 Undertaking 2011.doc 14 Note: for Supplier’s employees, servants, agents, representatives and contractors to execute. 66
SCHEDULE O — TAIWAN LAW REQUIREMENTS (Version 7— 17 January 2017) A. REGULATOR CONTROL 1. Supplier shall, except to the extent prohibited or restricted by any law, regulation, or legal authority (including but not limited to any in the host country of Supplier): (i) adopt, , as it relates to the Services, supervisory actions and additional measures to reasonably assist Citi’s adoption of necessary measures which the Regulators (including but not limited to Office of the Comptroller of the Currency, the Financial Supervisory Commission, the Central Bank of China, and any other Taiwan regulators, collectively referred to herein as the “Regulators”) may require to be taken by Citi (which may include obtaining necessary approvals or consents from the regulators of Supplier, if any, and negotiate and amend the Agreement and/or any contracts between Supplier and any sub-contractors to incorporate contract clauses mandated by the Regulators), depending on the potential impact of the outsourcing on Citi and the financial system, or as circumstances warrant; and (ii) adopt whatever appropriate corrective measures, including enforcement actions, imposed by the Regulators to address violations of law and regulations or unsafe or unsound banking practices of the Supplier and to reasonably facilitate Citi’s adoption of necessary measures to address violations of law and regulations or unsafe or unsound banking practices of Citi. (iii) allow the services it performs for branches of a U.S. bank in Taiwan or any Citi affiliate in Taiwan to be subject to examination and regulation of the Regulators. (iv) allow Regulators based in Taiwan (hereinafter referred to as “Taiwan Regulators”) or any agent appointed by Taiwan Regulators/Citi, to obtain from Supplier, in a timely manner, records and documents, of transactions, and information of Citi given to, stored at or processed by Supplier, the right to access any report and finding made on Supplier and to inspect, examine and audit Supplier’s operations and records insofar as they are relevant to the Services provided by Supplier under this Agreement, including but not limited to the internal controls adopted by Supplier with respect to preservation of the confidentiality of data generally and Citi information specifically (where applicable). Supplier should ensure and procure that requirements consistent with the foregoing are met in its arrangements with any sub-contractor that Supplier may engage in the outsourcing (if applicable), including any disaster recovery and backup supplier. For the avoidance of doubt, it is understood that the abovementioned parties will be granted access only to information of Citi and/or Citi’s customers / employees. In addition, Citi shall ensure that any agent(s) appointed by Citi who it uses in connection with this Section to treat any information it receives as Confidential and, without limiting the foregoing, shall be liable to Supplier for any breach by such agent(s). (v) allow Citi to obtain copies of any report and finding made on the Supplier in conjunction with the Service. B. CONFIDENTIALITY AND SECURITY Further to the confidentiality clause in the Agreement, if Citi furnished, supplied, disclosed, or made available Confidential Information (including Confidential Information as defined under the Agreement and Personal Data defined below) to Supplier in connection with provision of 67
the Services (without regard to whether the information is owned by Citi or by a third party), the following additional terms and conditions shall be applied to the Parties: 1. “Personal Data” means and includes personal information of a natural person within the meaning of Article 2 of the Personal Data Protection Act (“PDPA”, the relevant extract is attached hereto in Appendix I as a reference). 2. All Confidential Information, documents and records of transactions provided or generated pursuant to the Agreement, any Work Order or Statement of Work, shall remain the property of Citi. Supplier shall while the same is in its possession hold the same for and on behalf of Citi and shall deliver the same forthwith upon request. The retention period of each document/record shall follow Citi’s record retention schedule. Supplier’s obligations under this clause shall continue after the termination of the Agreement. 3. Any Confidential Information, documents and records of transaction disclosed by Citi may only be collected, processed, disseminated, reproduced or used by Supplier for the purpose of providing the Services pursuant to the Agreement. Notwithstanding any provision in the Agreement, Supplier shall not, without Citi’s prior written consent and subject to the further requirement of this section, further disclose the Confidential Information to an unauthorized third party unless required to do so by law. For the avoidance of doubt, Supplier’s affiliate or third party service providers (other than those approved by Citi to provide the Services) shall be considered a third party for the purpose of this clause. Further, Supplier shall procure each of Supplier’s personnel appointed or to be appointed in connection with Work Order / Statement of Work and/or to perform the Services or part thereof for and on behalf of Supplier to execute the Confidentiality and Secrecy Undertaking in the form specified in Form 1 attached hereto or other form accepted by Citi. 4. Supplier shall treat Confidential Information with at least the same degree of care that it treats its own confidential information, but in no event with less than a reasonable degree of care, and shall implement and maintain adequate technical, personnel and organizational and other necessary security measures (“Security Measures”) that are designed to safeguard the information of the other from being stolen, altered, damaged, destroyed, disclosed or accessed without authorisation, misused and misappropriated. These Security Measures shall include the following:- 4.1 Organizational security measures to ensure Supplier will disclose the Confidential Information only to those of Supplier’s authorized personnel who have a need to know such Confidential Information (only to the extent necessary) in order to fulfill the purposes contemplated by the Agreement or the Work Order, and set forth internal rules and procedures for use of and access to the Confidential Information, which is subject to Supplier’s periodical review; 4.2 Personnel security measures to ensure that Supplier will (i) educate and train its personnel regarding information security practices and procedures and any special requirement of Citi and (ii) instruct and supervise its personnel who uses or has access to the Confidential Information to prohibit the personnel from committing unauthorized disclosure, access, use and misappropriation of the Confidential Information; 4.3 Technical security measures to ensure that Supplier will implement systems or technological controls to limit access to the Confidential Information and monitor such access; 4.4 Other security measures to protect Personal Data as required by Article 8 and 12 of the Enforcement Rules of the PDPA (attached hereto in Appendix II as a reference) or by Citi to be communicated by Citi to Supplier from time to time, and thereafter to be summarized/set out in this Clause 4.4 below: 68
4.4.1 Allocation of management personnel and resources for protection of Personal Data; 4.4.2 Defining the scope, classification, purpose and retention period of Personal Data; 4.4.3 Risk assessment and management mechanism for Personal Data; 4.4.4 Mechanisms for prevention, notification, remediation, and handling of security incidents; 4.4.5 Internal management procedures for collection, processing, and use of Personal Data; 4.4.6 Information security management and personnel management; 4.4.7 Awareness promotion and educational training; 4.4.8 Management of information security and IT infrastructure; 4.4.9 Mechanisms for information security auditing; 4.4.10 Necessary preservation of records of use, track log files, and evidence; and 4.4.11 Continuing assessment on any improvement on security and maintenance of Personal Data. 4.5 Other reasonable measures necessary to protect the Confidential Information as communicated by Citi to Supplier from time to time. 5. Supplier shall at all times be capable of segregating and clearly identifying all of Citi’s information, documents, records and assets that are processed by and/or stored with Supplier pursuant to the Agreement. Supplier agrees that the Confidential Information (in electronic, paper form or other media) shall effectively be segregated from those of Supplier and those of other institutions (the data of which is) handled by Supplier. The segregation shall be at least logically distinct and the access to and use of the Confidential Information shall be strictly controlled in order to avoid data misuse. For the sake of clarity, in the event that the Services provided by Supplier to Citi involves multiple legal entities (meaning other Citi entities within Taiwan, each a “Service Recipient Entity”), Supplier shall ensure that the data of each Service Recipient Entity shall be effectively segregated from that of other Service Recipient Entity, that of Supplier, and/or that of other institutions (the data of which is) handled by Supplier. 6. Upon occurrence of any security breach, theft, loss, unauthorized disclosure or use of Confidential Information Supplier received from Citi (the “Occurrence”), Supplier shall, without delay, take necessary measures to minimize the damage or loss and notify Citi immediately of the Occurrence and the following information as applicable: 6.1 the items of the Confidential Information that are disclosed or stolen; 6.2 the time and details of the Occurrence; 6.3 measures that Citi may take to minimize their damage or loss; 6.4 measures adopted by and reliefs to be provided by Supplier to remedy the Occurrence; and 6.5 contact information to which Citi may report their damage or loss. 69
7. The Personal Data pertaining to an individual may be made available for review, correction, or deletion, or must be subject to suspension of being processed upon such individual’s request and Citi shall endeavor to assist Supplier in dealing with such request. In the event that such individual to which the Personal Data pertains raises any objection to the manners in which his/her request concerning the foregoing matters are addressed by Citi, Supplier shall endeavor to assist Citi in dealing with such objection. 8. Except as otherwise expressly provided for by the Agreement and the Work Order, upon demand by Citi, or upon the termination of the Agreement and/or the relevant Work Order, Supplier shall promptly return or destroy the Confidential Information or its duplicates, supplied to, or otherwise obtained by, Supplier in connection with the Services, in the form or manner specifically instructed by Citi. If the Confidential Information was stored or saved in Supplier’s computers, servers, or any other electromagnetic medium, Supplier also shall delete or purge such stored or saved Confidential Information in the form or manner specifically instructed by Citi. 9. If Supplier is directed by court order, subpoena or other legal or administrative proceeding or similar process to disclose any of the Confidential Information provided pursuant to this Agreement, Supplier shall promptly notify Citi in writing (unless it has a legal obligation to the contrary), with a copy of such document attached, in sufficient detail promptly upon receipt of such court order, subpoena, legal or administrative, or similar process, in order to permit application by Citi for an appropriate protective order. 10.If Supplier receives any request from Supplier’s or any overseas regulatory or supervisory agency to access to any Confidential Information or if a situation were to arise where the rights of access of Citi or Taiwan Regulator have been restricted or denied, Supplier shall provide prompt notice of such request to Citi to enable Citi to notify its Taiwan Regulator and seek any required regulatory approval for the provision of such customer data by Supplier. 11.Supplier acknowledges and agrees that: 11.1 Citi reserves the rights to supervise and audit Supplier in connection with the provision of the Services and the Confidential Information disclosed to Supplier; 11.2 Citi reserves the rights not to furnish, supply, disclose, or make available the Confidential Information to Supplier in connection with provisions of the Services if Supplier fails to comply with the terms and conditions set forth in Section B hereof; and 11.3 Supplier shall be responsible for damages arising out of, or relating to divulgence, loss, alteration, misappropriation, and/or unauthorized disclosure of the Confidential Information caused by Supplier. 12. Where services entail access to Taiwan’s customer information/confidential information: 12.1 Citi reserves the right to revoke, restrict and monitor the use and access to Citi’s systems, customer information and confidential information. Supplier will obtain Citi’s agreement before it grants any of its personnel (including that of its subcontractors) access to the systems which contains Citi’s customer information/confidential information. Upon Citi’s request, Supplier will provide full list and job function of such personnel. In the event of any security breaches, unauthorized access or use of Citi’s systems/customer information/confidential information, Supplier will promptly notify Citi without delay. 12.2 In the event Supplier uses Citi’s customer information/confidential information to produce reports for regional/global management for the purposes of Citigroup internal control and management or risk analytical/management, Supplier will obtain Citi’s agreement for the following matters:- 70
(i) a full list of regular management report (and samples) and the nature, extent and recipients of such reports Supplier intends to generate; and (ii) each ad hoc report not listed on the approved list. 12.3 Supplier will obtain Citi’s agreement before it sends/stores/provides access to Citi’s customer information/confidential information to any facility/data center outside Citi premises. C. MONITORING AND CONTROL Supplier agrees to meet with Citi as reasonable time and from time to time upon prior written notice being given to Supplier at the reasonable request of Citi to review all aspects of the Services provided by Supplier hereunder and/or other matters of mutual interest to Supplier and Citi and adopt any recommendations and/or measures reasonably proposed by Citi to ensure, inter alia, compliance with legal and regulatory obligations. Supplier further agrees, in accordance with the standard operating procedures set out in Citigroup corporate policies, to maintain a customer protection system, a risk management system, an internal control system, an internal audit system, a mechanism to cooperate with Citi to settle consumers’ disputes and the management of personnel hired by Supplier, in each case as required by such Citigroup corporate policies. Supplier shall endeavor to follow the requirements set forth in the applicable Outsourcing Due Diligence Form (attached hereto in Form 5 as a reference) as provided by Citi from time to time or other written requirement notified by Citi. Supplier agrees to conduct regular and irregular internal audits and immediately notify Citi if the Services cannot be duly discharged, or there is difficulty, or a threat of encountering difficulty, in performing such Services. D. COMPLIANCE WITH LAWS Supplier shall not violate mandatory or prohibitive provisions of the law, public order or good morals, and shall ensure that the banking law, the anti-money laundering law, the PDPA, consumer protection law and other applicable laws and regulations in Taiwan (such laws and regulations to be communicated by Citi to Supplier from time to time, and thereafter to be summarized/set out in this Schedule) are complied with. E. SUBCONTRACTING Further to clauses in the Agreement dealing with subcontracting:- 1. Notwithstanding any other provisions in the Agreement or in this Schedule may provide otherwise, Supplier shall not subcontract or outsource any or all of its obligations set forth in this Agreement to any third party (including without limitation Supplier’s subsidiaries or affiliates) unless obtaining the prior written approval from Citi. 2. If Supplier is permitted to outsource or subcontract to third parties any of its obligations set forth in the Agreement, Supplier shall (i) procure the compliance by all assignees/ outsources/ sub-contractors with the provisions of the Agreement and the country addenda relating to the performance of such obligations (including, without limitation, provisions relating to security and confidentiality, audit and inspection and business continuity management), and (ii) require all non-affiliated third party sub-contractors to accept and comply with the terms of this Schedule, as well as the Local Country Addendum of other relevant countries (collectively “LCAs”). (The LCAs set out local laws and regulatory requirements applicable to non-affiliated parties, and have been drafted to fit into standard Citi vendor agreements. Supplier shall obtain up-to-date versions of the relevant LCAs from Citi). Supplier shall be remain fully responsible to Citi for its 71
obligations under this Agreement and for the subcontractor’s performance of such duties and obligations regardless of whether Supplier is negligent in respect of its selection or supervision of the subcontractor. 3. Without prejudice to the above, and in accordance with Article 10 of the Financial Supervision Commission (“FSC”) Outsourcing Guidelines for Financial Institutions (attached hereto in Appendix III, as a reference), Supplier’s agreements with its subcontractors shall, at the minimum, specify the following matters, in order to maintain the quality of the outsourced services:- 3.1 Description of the specific outsourced items and the scope thereof, as well as the rights and duties of the sub-contractors. 3.2 The relevant Taiwan laws and regulations (including the Banking Law, Anti-Money Laundering Law, the PDPA, Consumer Protection Law and other laws and regulations) applicable to Citi with which the subcontractors must comply (such laws and regulations to be provided/updated by Citi from time to time). 3.3 The protection of consumer rights, including confidentiality and security measures regarding Citi’s information. 3.4 The consumer protection, risk management, internal control and internal audit systems to be implemented by the sub-contractor in accordance with the standard operating procedures set out in Citigroup corporate policies. 3.5 Procedure for settlement of consumer disputes should follow Citigroup corporate policies. 3.6 Management of personnel hired by the sub-contractors, including hiring, review and sanctions related to its personnel, should follow Citigroup corporate policies. 3.7 Material events which constitute cause for termination of the outsourcing agreement including provisions regarding the termination or recession of the agreement upon notification of the Regulators. 3.8 The agreement of the sub-contractors that the Regulators may request relevant information or reports and conduct financial audits, or may order such sub-contractors to provide relevant information or reports within prescribed deadlines. 3.9 Agreement that the sub-contractors shall not use the name of Citi when dealing with the public in the course of handling the outsourced matters. 3.10 Other terms and conditions to the effect that the sub-contractor will be subject to and comply with the terms and conditions of the Agreement and the LCAs. 4. Supplier shall adopt sufficient internal control measures, including but not limited to, designating a project manager who is responsible for the subcontracted services, monitoring a subcontractor and its performance, and establishing audit functions. 5. Supplier shall cause the subcontractor to periodically report to Supplier on the status of subcontracted services and the subcontractor, upon request of Citi and/or Supplier, must provide Citi and/or Supplier with necessary information in a prompt manner. 6. Supplier shall audit a subcontractor periodically to ensure that such subcontractor complies with applicable Taiwan laws and regulations and all terms and conditions set forth in the Agreement, applicable Work Order and this Schedule. 72
7. Supplier shall prepare a continuity of business plan in order to provide Citi with continuous Services in case of emergency or subcontractor’s failure to perform the Services in accordance with the subcontracting agreement. 8. Supplier, upon the request of Citi, shall provide Citi with information of its subcontractor, including but not limited to, name of the subcontractor and its project manager, contact information of the subcontractor, description of the services subcontracted, the subcontracting agreement, and the periodical report on the subcontracted services. 9. Where Citi has consented to Supplier assigning, outsourcing or sub-contracting any or all of the Services, Citi may require Supplier to, and Supplier shall, provide to Citi written notification of any variation or termination of the agreement between Supplier and that third party. The written notification shall be provided to Citi within three (3) days of the variation or termination. F. IDENTITY OF SERVICE PROVIDER Supplier, when providing the Service, shall not hold itself out to others as Citi. Supplier shall not engage in untrue advertisements or collect fees from consumers when dealing with the public in the course of handling the Services. G. NOTICE 1. If Supplier receives Citi’s Confidential Information, Supplier, upon a request of Citi, shall fill out all necessary information in the Confidential Information Sharing Attestation (Form 2) attached hereto or other form accepted by Citi and submit such Form to Citi. If Supplier subcontracts all or any part of handling of the Protected Information to a third party, Supplier shall also fill out the Subcontract Consent and Attestation (Form 4) attached hereto or other form accepted by Citi and submit such Form to Citi prior to the subcontracting. 2. If Supplier returns or destroys the Protected Information in accordance with Section B 8, Supplier, upon a request of Citi, shall fill out all necessary information in the Confidential Information Return/Deletion Attestation (Form 3) attached hereto or other form accepted by Citi and submit such Form to Citi without unnecessary delay. 3. If Supplier outsources all or a part of the Services to a subcontractor, Supplier, upon a request of Citi, shall fill out all necessary information in the Subcontract Consent and Attestation (Form 4) attached hereto or other form accepted by Citi and submit such Form to Citi prior to such outsourcing arrangement. 4. If Supplier makes material changes in provision of the Service upon occurrence of any matter which give rise to a material impact on Citi, including but not limited to system upgrade and/or alteration, changes in business processes, changes in ownership, and changes in the supervisory and management of the subcontractor, Supplier shall notify Citi promptly and, upon Citi’s request, provide relevant service report or necessary information in relation thereto. Furthermore, if any aforementioned changes exceed or potentially exceed the scope of services approved by the competent authority, such changes will not be effective until approval or waiver from such competent authority is obtained. 5. Citi reserves the right to request Supplier to provide a service report periodically or upon Citi’s notification from time to time on provision of the Services in a form accepted by Citi. 6. Supplier will notify Citi promptly if there are any significant or major litigation arising from or in relation to the services covered hereunder. 73
H. ADDITIONAL DAMAGES CLAUSES 1. Without limiting any of Supplier’s rights or remedies in the event of breach by Citi, in the event that Supplier does not comply, or it reasonably appears that Supplier is not complying, in any material respect with the provision of the Agreement applicable to a Service provided to or for the benefit of Citi in Taiwan (including the service standard set forth in the applicable work order), Citi may upon reasonable notice: 1.1 require Supplier to take any necessary action to remedy or mitigate the relevant deficiency in such reasonable manner as Citi may reasonably specify; 1.2 require Supplier to compensate Citi for any actual loss incurred therefrom or any liquidated damages, if applicable, agreed by both Parties in the Agreement or the Work Order (if any) (provided (i) Citi has not caused or contributed to any such failure as a result of its own act, omission or breach of the Agreement and or work order (if any), and (ii) such failure is not caused by any force majeure event); and/or 1.3 where there is any breach of a material obligation under the Agreement, terminate the Services provided to or for the benefit of Citi in Taiwan in accordance with relevant clauses. 2. In the event that any Service level failure is subject to liquidated damages (under the applicable Work Order or as otherwise agreed in writing by the Parties), then the payment by (or credit from) Supplier under the relevant liquidated damage provision shall be deemed as full satisfaction for such Service level failure, provided that nothing in the foregoing shall limit a claim by Citi for damages in the event that the failure constitutes a separate breach under the Agreement. In the event of a claim for damages based on such a separate breach, Supplier shall receive a credit for any liquidated damages paid or payable. Appendix I Article 2 of the Personal Data Protection Act Appendix II Article 8 and 12 of the Enforcement Rules of Personal Data Protection Act Appendix III Article 10 of the Financial Supervision Commission (“FSC”) Outsourcing Guidelines for Financial Institutions (see attached for Appendices) Appendices I II & III 2017.docx FORM 1—CONFIDENTIALITY AND SECRECY UNDERTAKING 74
FORM 2 — CONFIDENTIAL INFORMATION SHARING ATTESTATION Form 2,SOMIZEIREraikin FORM 3 — CONFIDENTIAL INFORMATION RETURN/DELETION ATTESTATION FORM 4 — SUBCONTRACT CONSENT AND ATTESTATION Form 4 for LCA_subcontract con FORM 5 — OUTSOURCING DUE DILIGENCE FORM 75
SCHEDULE P —THAILAND LAW REQUIREMENTS (Version 2— revalidated 18 January 2017) 1. Right to audit and access [Section 5 (13), Annex 3 of BOT Notification No. SorNorSor 8/2557 dated December 25th, 2557and Section 5.5.1 (3.2) of BOT Notification No. SorNorSor 6/2557 dated July 14,2557] With reasonable prior written notice to the Supplier, the Supplier shall allow Citi, its regulators (including but not limited to Bank of Thailand, the Anti-Money Laundering Office of Thailand) or any person appointed by them and/or its internal and external auditors to (i) access any report and finding made on the Supplier in connection with the Services performed for Citi; (ii) access to the business premises of the Supplier in the exercise of its right herein; (iii) inspect, examine and audit the Supplier’s operations and records in relation to the Services provided by the Supplier under the Agreement including but not limited to the internal controls and the confidentiality and security system; and (iv) obtain and make copies of reports, documents of transactions and information stored or processed by the Supplier in connection with the Services pursuant to the Agreement. 2. Information Security [Sections (3) ((1)) and (5(8), Annex (3) of BOT Notification # SorNorSor 8/2557 dated December 25th, 2557 ] The Supplier agrees and undertakes, and shall procure all its personnel, to segregate Citi’s data from its own data and data of any other entity and to stipulate a data access right of the Supplier’s personnel strictly to protect confidentiality of Citi and its clients’ information. 3. Transition Services [Sections 3 (5), Annex 3 of BOT Notification # SorNorSor 8/2557 dated December 25th, 2557 and Section 5.5.1 (4.3) of BOT Notification No. SorNorSor 6/2557 dated July 14, 2557] Upon termination of any Service, the Supplier shall return, destroy or delete all confidential information and personal information of Citi or its clients previously given (including without limitation, information incorporated in computer software or held in electronic storage media, together with any analyses, compilations, studies, reports or other documents or materials containing any such confidential information or personal information, as are in the possession or control of the Supplier) subject to the legal requirements for retention of records. The Supplier shall certify in writing to Citi within 30 days of the termination of the Services that it has not retained any such confidential information or personal information in any form whatsoever. 76
SCHEDULE Q —VIETNAM LAW REQUIREMENTS (Version 6 — 23 March 2017) For the purposes of each Work Order made between the Supplier and Citi, the following terms and conditions shall be added to the Agreement and the Work Order, as applicable, in its entirety: 1. REGULATOR CONTROL OF THE VIETNAM ENTITY The Supplier and Citi, as the case may be, shall be subject to and shall fully comply with and abide by the laws of the Socialist Republic of Vietnam which include, but are not limited to, finance and banking laws and regulations applicable to the execution and implementation in force from time to time and each party warrants that the required approvals (if any) have been obtained and will be maintained for the duration of the Work Order concerned. Especially, for purposes of services provision under the Master Service Agreement and applicable Work Order, the Supplier shall satisfy all business conditions when conducting business in the lines of business investment which are subject to conditions in accordance with the Law on Investment and to ensure maintenance of all such business investment conditions during the process of business operation pursuant to Article 8.1 Law on Enterprises No. 68/2014/QH13 dated 26 November 2014. With regards to the foreign exchange control, Citi and the Supplier shall comply with the requirements of the Civil Code 2005, the Foreign Exchange Control Ordinance No. 28/2005/PL-UBTVQH11, Decree 70/2014/ND-CP dated 17 July 2014 of the Government on foreign exchange control and any implementation guidelines, replacement, supplement or in addition thereof and other laws and regulations as may be applicable from time to time. 2. INFORMATION CONFIDENTIALITY, DATA PRIVACY, STATE SECRECY AND IT SYSTEM SECURITY 2.1. The Supplier will maintain and enforce safety and physical security procedures with respect to its access and maintenance of Citi’s Confidential Information that are (a) at least equal to industry standards for such types of locations, and (b) which provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to Citi’s Confidential Information. Without limiting the generality of the foregoing, the Supplier will take all reasonable measures to secure and defend its location and equipment against “hackers” and others who may seek, without authorization, to modify or access the Supplier’s systems or the information found therein. The Supplier will periodically test its systems for potential areas where security could be breached. The Supplier will immediately report to Citi any breaches of security or unauthorized access to Citi’s systems that the Supplier detects or becomes aware of. The Supplier will use diligent efforts to remedy such breach of security or unauthorized access in a timely manner and deliver to Citi a root cause assessment and future incident mitigation plan with regard to any breach of security or unauthorized access affecting Citi’s Confidential Information. 2.2. The Supplier hereby acknowledges receipt of a written notice from Citi highlighting Citi’s Supplier’s obligations of confidentiality and data privacy, State secrets protection and IT system security under the laws of Vietnam. The written notice is attached hereto as Appendix I. The Supplier hereby undertake that the Supplier shall fully understand and strictly comply with the local laws and regulations applicable to the services provided by the Supplier under the Agreement and Work Order, including but not limited to the regulations as set forth in the Appendix I. 77
2.3. The Supplier hereby acknowledges that it is aware of and understands the effect of, and agrees and undertakes to, and to procure all its Personnel, third party vendors and Supplier Affiliates to observe all precautionary measures and prevent disclosure of information that will cause Citi to violate any applicable regulation as mentioned herein. 2.4. The Supplier further agrees and undertakes that it will not, and will covenant all its Personnel, third party vendors and Supplier Affiliates not to do anything which will cause the Vietnam Entity or any of its customers to violate the laws set out herein. 2.5. The Supplier (i) shall not, without Citi’s prior written consent, disclose the information provided pursuant to the Agreement and the Work Order in any manner (read with this Schedule) and (ii) shall treat information with at least the same degree of care that it treats its own confidential information, but in no event with less than a reasonable degree of care. 2.6. The Supplier and its employees shall not without Citi’s prior written consent further disclose Citi’s Confidential Information to any person (save for disclosure to the Supplier’s employees in compliance with Citi’s policies and procedures and applicable laws of Vietnam). For the avoidance of doubt, the term “person” includes the Supplier’s Affiliates. 2.7. Citi is allowed to transfer data, provide customer information including deposits, assets, and other information to its offshore head office or its branches at other countries provided that Citi ensures compliance with regulations on confidentiality of information, storage, safety, State secrecy and for internal operational purposes only. Subject to the foregoing regulation, Citi may have Confidential Information of an Affiliate and in connection with the Services provided by the Supplier to Citi, Citi may disclose Confidential Information of an Affiliate to the Supplier. Citi will inform the Supplier whether Confidential Information of an Affiliate is being provided to the Supplier in connection with the Services provided by the Supplier to Citi. The Supplier shall not disclose that Confidential Information to any other party (including, for the avoidance of doubt, any other Affiliate) unless such disclosure is with the written consent of Citi. The Supplier shall further comply with the Schedule applicable to that Affiliate. 2.8. The Supplier shall at all times be capable of segregating and clearly identifying all of Citi’s information, documents, records and assets that are processed by and/or stored with the Supplier pursuant to the Agreement and the Work Order. The Supplier shall take technical, personnel and organizational measures in order to maintain the confidentiality of Citi’s information between its various customers. 2.9. The Supplier hereby acknowledges that Citi may be requested at any time by the SBV to provide information and statistical data for purposes of assessment, inspection and supervision of operations of the credit institutions. 2.10. Citi shall not be permitted to provide any other organization or individual with information of Citi’s client at Citi under the laws of Vietnam, unless requested by competent authority or unless agreed by such clients pursuant to Civil Code 2005 (replaced by Civil Code 2015 as from 1 January 2017) and Law on Credit Institutions. The use of personal information is restricted only for the purpose(s) as prior agreed by the personal information’s owner; and the personal information’s owner reserves right upon request to update, modify or revoke any information which Citi or Supplier has been properly granted access to pursuant to Law on Cyber-information Security and Law on Protection of Consumers’ rights. 2.11. If any Citi’s information or data (even concerning deposits and deposited asset of the Citi’s clients) is considered as State secrets pursuant to Chapter 2 Ordinance 30/2000/PL-UBTVQH10 dated 28 December 2000 on State secrets protection, Decision No.15/2003/QD- 78
TTg issued by Prime Minister dated 20 January 2003 and Decree No. 70/2000/ND-CP dated 21 November 2000 ("State Secrets"), Citi is only permitted to disclose of such State Secrets to offshore entities after obtaining SBV Governor's approval except for complicated cases requiring approval from a higher-level authority as stated under SBV's Decision No. 1087/2003/QD-NHNN dated 17 September 2003. It is also required that such entity after receiving the State Secrets as approved is not allowed to disclose the same to any third party. 3. LANGUAGE Language used in Citi's official transaction documents shall be either Vietnamese or either bilingual including Vietnamese (pursuant to Article 20 Circular No. 40/2011/TT-NHNN dated 15 December 2011, Article 18 Decree 22/2006/ND-CP dated 28 February 2006 and Article 5.3.a Decision No. 1789/2005/QD-NHNN dated 12 December 2005). 4. WITHHOLDING TAX The Supplier being foreign contractors shall incur value added tax and corporate income tax imposed on the Services and/or Deliverables under the Master Service Agreement and applicable Work Order as required by laws of Vietnam, and Citi will pay such taxes on behalf of the Supplier pursuant to Article 1.1, Article 5.1 and Article 11 Circular 103/2014/TT-BTC dated 6 August 2014. 5. GOVERNING LAW AND JURISDICTION As from 1 January 2017, the governing law applicable to Master Agreement and/or the Work Order shall be agreed at the parties' discretion pursuant to Article 683.1 Civil Code 2015. All claims or disputes arising out of or in connection with the Master Agreement and/or the relevant Work Order which is performed, in whole and in part, in Vietnam may be submitted to the non-exclusive jurisdiction of court in Vietnam pursuant to Article 469.1 Code on Civil Proceedings 2015 (effective as from 1 July 2017); otherwise resolved by arbitration if the Parties have an arbitration agreement made either prior or after the dispute arises. APPENDIX I Appendix I Regulation list (6Febt 79 TTg issued by Prime Minister dated 20 January 2003 and Decree No. 70/2000/ND-CP dated 21 November 2000 (“State Secrets”), Citi is only permitted to disclose of such State Secrets to offshore entities after obtaining SBV Governor’s approval except for complicated cases requiring approval from a higher-level authority as stated under SBV’s Decision No. 1087/2003/QD-NHNN dated 17 September 2003. It is also required that such entity after receiving the State Secrets as approved is not allowed to disclose the same to any third party. 3. LANGUAGE Language used in Citi’s official transaction documents shall be either Vietnamese or either bilingual including Vietnamese (pursuant to Article 20 Circular No. 40/2011/TT-NHNN dated 15 December 2011, Article 18 Decree 22/2006/ND-CP dated 28 February 2006 and Article 5.3.a Decision No. 1789/2005/QD-NHNN dated 12 December 2005). 4. WITHHOLDING TAX The Supplier being foreign contractors shall incur value added tax and corporate income tax imposed on the Services and/or Deliverables under the Master Service Agreement and applicable Work Order as required by laws of Vietnam, and Citi will pay such taxes on behalf of the Supplier pursuant to Article 1.1, Article 5.1 and Article 11 Circular 103/2014/TT-BTC dated 6 August 2014. 5. GOVERNING LAW AND JURISDICTION As from 1 January 2017, the governing law applicable to Master Agreement and/or the Work Order shall be agreed at the parties’ discretion pursuant to Article 683.1 Civil Code 2015. All claims or disputes arising out of or in connection with the Master Agreement and/or the relevant Work Order which is performed, in whole and in part, in Vietnam may be submitted to the non-exclusive jurisdiction of court in Vietnam pursuant to Article 469.1 Code on Civil Proceedings 2015 (effective as from 1 July 2017); otherwise resolved by arbitration if the Parties have an arbitration agreement made either prior or after the dispute arises. APPENDIX I Appendix I - Regulation list (6Feb2 79
