EXHIBIT 10.13
RESELLER
SERVICE AGREEMENT
This Agreement is made by and between FACTUAL DATA, 0000 Xxxxx Xxxx Xxxxx,
Xxxxxxxx, XX 00000, ("Reseller") and Trans Union LLC, 000 Xxxx Xxxxx Xxxxxx,
Xxxxxxx, Xxxxxxxx 00000 ("Trans Union") to provide for credit reporting
services.
WHEREAS, Reseller is in the business of obtaining consumer reports from
third party sources and providing credit reporting services to its customers
("Customers"); and
WHEREAS, Trans Union owns and maintains a national database of consumer
credit information ("TU Consumer Database"); and
WHEREAS, Reseller desires to resell Trans Union consumer credit reports, or
information therefrom, ("Consumer Reports") to Customers who have a permissible
purpose in accordance with the Fair Credit Reporting Act (15 USC ss.1681 et
seq.) including, without limitation, all amendments thereto ("FCRA").
NOW THEREFORE, in consideration of the premises and the mutual benefits
expressed herein, the parties agree as follows:
I. Reseller Responsibilities
A. Reseller may sell, subject to applicable law, Consumer Reports to the
industries and for the purposes outlined in the Reseller's Letter of
Intent, a copy of which is attached hereto and incorporated herein by
reference. In the event that Reseller wishes to expand its resale
business beyond the scope set forth in the Letter of Intent, it may do
so only with the prior written consent of Trans Union.
B. Reseller shall request, from Trans Union, Consumer Reports only on
behalf of Reseller's Customers who have a permissible purpose for
obtaining consumer reports, as defined by Section 604 of the FCRA.
Such Customers shall be provided access to the TU Consumer Database or
Consumer Reports only if all requirements stated in this Agreement are
met.
C. Prior to Requesting each Consumer Report, Reseller shall identify the
end user of the Consumer Report, certify each permissible purpose for
which the Consumer Report will be used, and certify that the Consumer
Report will be used for no other purpose, as defined by Section 607 of
the FCRA, via the method indicated by the Reseller in Section V of
this Agreement.
D. The Consumer Reports may be transferred without change, may be
reformatted by Reseller, or may be merged with similar data obtained
from other consumer reporting agencies (Merged Reports). Each Consumer
Report obtained by Reseller shall be used only one time, and only by
or on behalf of the Customer for whom it was requested. Reseller may
not archive or otherwise retain or use any Consumer Report for any
other purpose, except to the extent that Reseller is required by law
to maintain the Consumer Report for purposes of performing a
consumer-initiated investigation and providing, at the consumer's
request, a modified version of the same Consumer Report to the
Customer for whom it was originally requested. In the event that
Reseller has archived Consumer Report for such purpose, and receives a
court order or federal grand jury subpoena for that report, such
Consumer Report may be produced. In no event, however, should a new
Consumer Report be requested from Trans Union in response to any
subpoena; rather, Reseller should direct the requesting party to Trans
Union.
E. Reseller shall obtain Subscriber Agreements that contain the language
set forth in Exhibit A (or Exhibit B if for employment purposes) from
such Customers, wherein each user will state the nature of its
business, certify the specific permissible purpose for which Consumer
Reports will be obtained, and agree that Consumer Reports will be
obtained for no other purpose, all as required by the FCRA. Said
Exhibits A and B are incorporated herein and attached hereto. The
permissible purpose specified shall be one or more of the following:
1. In connection with a credit transaction involving the consumer on
whom the information is to be furnished and involving the
extension of credit to, or review or collection of an account of
the consumer; or
2. For employment purposes, in which case the Reseller must resell
Trans Union's PEER product and Reseller and its Subscriber must
execute an agreement containing the same language as set forth in
Exhibit B hereto; or
3. In connection with the underwriting of insurance involving the
consumer or review of existing policy holders for insurance
underwriting purposes, or in connection with an insurance claim
where written permission of the consumer has been obtained (and a
copy of such written permission must be retained for three (3)
years from the date of inquiry); or
Page 1 of 6
4. In connection with a tenant screening application involving the
consumer; or
5. In accordance with the written instructions of the consumer (and
a copy of such written permission must be retained for three (3)
years from the date of inquiry); or
6. For a legitimate business need in connection with a business
transaction that is initiated by the consumer; or
7. As a potential investor, servicer or current insurer in
connection with a valuation of, or assessment of, the credit or
prepayment risks.
F. Reseller is prohibited from selling Consumer Reports directly to
consumers under this Agreement. Reseller may make disclosures to
consumers only to the extent required by Section 609 of the FCRA;
provided however, that unless explicitly authorized in a separate
agreement, between Reseller and Trans Union, for the resale of a score
or as explicitly otherwise authorized in advance and in writing by
Trans Union, Reseller, shall not disclose to consumers or any third
party, other than Reseller's Customer for whom the score was obtained,
any nor all scores provided under this Agreement, unless clearly
required by law.
G. Reseller may advertise its services on the Internet or another public
computer network. In addition, Reseller may transmit Consumer Reports
via the Internet; provided however, that Reseller meets or exceeds all
of the security requirements set forth in Exhibit C incorporated
herein and attached hereto ("Internet Security Requirements"). In
order to ensure the Internet Security Requirements are reflective of
advances in generally available network security technology, Trans
Union reserves the right to reasonably revise or otherwise modify the
Internet Security Requirements upon at least one hundred twenty (120)
days' prior written notification to Reseller. In the event Reseller so
chooses to transmit Consumer Reports and fails to comply with all
Internet Security Requirements, this Agreement shall immediately
terminate. From time to time, upon at least five (5) days' prior
written notification, Trans Union shall have the right to audit (or
have its independent auditor audit), at Trans Union's expense,
Reseller's compliance with the Internet Security Requirements.
Reseller shall reasonably cooperate with Trans Union and any Trans
Union requests in conjunction with all such audits including, but not
limited to requests to correct any deficiencies discovered during such
audits within a period of time mutually agreed upon and/or to suspend
any further transmission of Consumer Reports until such deficiencies
are corrected. Resellers obligation to comply, with the provision of
this Section I.G. and the Internet Security Requirements, shall, in no
event, be deemed contingent upon, or otherwise affected by, the
aforestated audit rights of Trans Union.
H. Reseller may sell Consumer Reports for employment purposes (PEER) to
Customers who are members of the media, law enforcement agencies,
private investigative agencies, detective agencies, law firms,
security services, investigators, and lawyers or attorneys at law,
provided such customers shall be issued individual code numbers as set
forth in Section V of this Agreement and subject to the requirements
in Section E (2) above. However, for reports for any purpose other
than employment, or any other products, the prohibition in Section I
below shall apply.
I. Except as otherwise expressly permitted herein, Reseller shall not
sell Consumer Reports to Customers who are:
1. Private investigative agencies
2. Detective agencies
3. Law firms
4. Security services
5. Investigators
6. Lawyers or attorneys at law
7. Law enforcement
8. Credit repair clinics or any similar entity who offers to improve
a consumer's credit report
9. Members of the media
10. Other resellers
11. Or such other category of customer as Trans Union may identify
from time to time by written notice to Reseller.
The foregoing categories are hereinafter referred to as "Unauthorized
Users."
J. Reseller shall take the steps identified on Exhibit D to verify the
identity of Customers who will obtain Consumer Reports to make certain
that such Customers are legitimate businesses, have a permissible
purpose for obtaining credit reports, and are not Unauthorized Users.
Trans Union may amend Exhibit D at any time by providing thirty (30)
days written notice to Reseller.
Page 2 of 6
K. If, as a result of the verifications outlined on Exhibit D, the
prospective Customer is found to be an Unauthorized User, or is found
to have no permissible purpose to obtain credit reports, no agreement
will be signed and no subscriber number will be issued.
L. Trans Union reserves the right to terminate any Customer at any time
with or without notice.
II. Merged Report Guidelines
Reseller agrees to adhere to the following additional guidelines when it
sells Merged Reports developed from Consumer Reports:
A. Reseller shall comply with the requirements of FCRA dealing with
consumer disclosure, interviews and reinvestigation procedures.
B. Reseller shall retain each Merged Report so that it can provide a
consumer disclosure as required by FCRA.
C. Reseller shall be able to easily identify the source(s) of each
element of data in the Merged Report. Consumer disclosures must
clearly show this data as it was originally reported by each of the
sources when providing the consumer disclosure.
D. When a Customer requests and reviews a Merged Report and the consumer
is denied credit based on information in that Merged Report, the
consumer must be referred to the Reseller for a complete disclosure.
E. In making a consumer disclosure, the Reseller will provide the names,
addresses and telephone numbers of the consumer reporting agency that
was used to provide information for the report.
F. In making a disclosure, in addition to all other obligations Reseller
has under Section 609 of the FCRA, the Reseller also must advise the
consumer about her/his FCRA rights to dispute information with the
appropriate source credit bureau, to request reinvestigation, and to
have corrected reports reissued to previous recipients, all as
required by the FCRA and in the format established by the Federal
Trade Commission.
G. Reseller must obtain information from sources other than the applicant
in preparing the Merged Report. The Reseller must obtain information
from a minimum of two national consumer reporting agencies. Separate
inquiries are necessary when the co-borrowers have individually
applied for credit.
H. The Merged Report must contain the date the report was created as well
as the Reseller's name, address, and phone number as the consumer
reporting agency which prepared the Merged Report. The Merged Report
must show the names of the repository(ies) from which the information
was obtained and must identify the organization that ordered the
Merged Report.
I. Once the merge logic is applied, the Merged Report must accurately
reflect all elements of tradeline or credit grantor information for
each tradeline if it was furnished by one or more of the credit
reporting agencies.
III. Trans Union Responsibilities
A. Trans Union shall maintain credit information on individuals as
furnished by its subscribers or obtained from other available sources.
B. Trans Union shall use good faith in obtaining and assembling such
information from sources Trans Union considers reliable, but does not
guarantee the accuracy nor completeness of any information reported,
and TRANS UNION MAKES NO WARRANTIES, EXPRESS OR IMPLIED INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE, WITH RESPECT TO CONSUMER REPORTS, FURNISHED
UNDER THIS AGREEMENT, WHETHER TO RESELLER OR TO CUSTOMER(S).
IV. Indemnification and Limitation of Liability
A. Reseller shall indemnify and hold Trans Union harmless from any and
all claims, losses and damages, liability, and costs, including
attorney's fees, against, or incurred by, Trans Union to the extent
such claims, damages, liability and costs result directly or
indirectly from either or both of the following: (a) any use of
Consumer Reports; or (b) Reseller's breach of its obligations under
this Agreement including, but not limited to, any breach which results
in the non-permissible use of the Consumer Reports provided to
Reseller, Customer(s), or both, under this Agreement.
Page 3 of 6
B. IN NO EVENT SHALL TRANS UNION BE LIABLE TO RESELLER IN ANY MANNER
WHATSOEVER FOR ANY LOSS OR INJURY TO RESELLER RESULTING FROM TRANS
UNION'S OBTAINING OR FURNISHING OF CONSUMER REPORTS. MOREOVER, IN NO
EVENT SHALL EITHER PARTY BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL,
INDIRECT, SPECIAL, OR PUNITIVE DAMAGES INCURRED BY THE OTHER PARTY AND
ARISING OUT OF THE PERFORMANCE OF THIS AGREEMENT, INCLUDING BUT NOT
LIMITED TO LOSS OF GOOD WILL AND LOST PROFITS OR REVENUE, WHETHER OR
NOT SUCH LOSS OR DAMAGE IS BASED IN CONTRACT, WARRANTY, TORT,
NEGLIGENCE, STRICT LIABILITY, INDEMNITY, OR OTHERWISE, EVEN IF A PARTY
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS
SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY
LIMITED REMEDY.
C. THE FOREGOING NOTWITHSTANDING, WITH RESPECT TO RESELLER, IN NO EVENT
SHALL THE AFORESTATED LIMITATIONS OF LIABILITY, SET FORTH ABOVE IN
PARAGRAPH B OF THIS SECTION IV, APPLY TO DAMAGES INCURRED BY TRANS
UNION AS A RESULT OF GOVERNMENTAL, REGULATORY OR JUDICIAL ACTION(S)
PERTAINING TO VIOLATIONS OF THE FCRA, OTHER LAWS, REGULATIONS, OR
JUDICIAL ACTIONS, OR ANY COMBINATION OF THE FOREGOING, TO THE EXTENT
SUCH DAMAGES RESULT FROM RESELLER'S BREACH, DIRECTLY OR INDIRECTLY, OF
ITS OBLIGATIONS UNDER THIS AGREEMENT.
V. Identify End User
A. Reseller shall provide to Trans Union, for each Reseller
Customer for whom Reseller will procure Consumer Reports the
Customer's identity by subscriber number, name, address and
telephone number, and the permissible purpose for which each
report is sought, so that such information may be noted on the
report for the consumer who is the subject of the report
accessed. Such Customer identification shall be made as mutually
agreed between Trans Union and Reseller pursuant to one or both
of the inquiry methods below. Failure of Reseller to comply with
the requirements of this Section V shall result in immediate
termination of this Agreement.
1. Individual Code for Each Customer
Each Customer signed up by Reseller may access the TU
Consumer Database after appropriate identification
procedures have been established, and a separate customer
code shall be issued for each Customer. When such code is
established, Reseller shall provide Trans Union with the
Customer's name, address, and telephone number. The
permissible purpose shall be identified on each inquiry.
2. Reseller Code Used for All Inquiries
No individual customer code will be issued, nor will
access to the TU Consumer Database be established, for any
Customer by Trans Union. Rather, the code used will be the
Reseller's code. The Customer name and permissible purpose
for the inquiry shall be identified by Reseller on each
Consumer Report accessed. Pursuant to Section 609 of the
FCRA, the Customer's name must be the trade name under
which the Customer conducts business, written in full.
Reseller shall establish and provide Trans Union a toll
free number, which will be answered between the hours of 9
a.m. to 5 p.m. Central Time, Monday through Friday,
exclusive of federal holidays, that Trans Union can call
to obtain the Customer's address and telephone number.
B. If any current Customers have been assigned a Trans Union access
code, they shall be identified, and Reseller shall determine that
the certifications required, and all other obligations stated, in
this Agreement are complied with by such Customers. All
Unauthorized Users who have an access code for the TU Consumer
Database, shall be terminated and access to the TU Consumer
Database by them shall be canceled, except as otherwise permitted
by Section I.H above.
C. Reseller is also required to:
1. Internally identify all Customers engaged in the
underwriting of insurance including, but not limited to,
auto insurance, casualty insurance, property insurance,
surety bond companies, bail bondsmen, and insurance agents
(hereinafter referred to as "Insurance Company Customers").
2. Ensure that all of Insurance Company Customers are
identified by means of a separate Trans Union subscriber
code.
3. Ensure that all Insurance Company Customers have a Trans
Union subscriber code with an "I" KOB.
4. Ensure that all inquiries made by all Insurance Company
Customers include the appropriate permissible purpose code,
as identified by Trans Union.
Page 4 of 6
VI. Fees & Charges
A. Reseller shall pay to Trans Union for each access to the TU Consumer
Database, by Reseller and for each access by a Customer, the price
then in effect for the type of Consumer Report ordered. Trans Union
shall have no obligation to collect any account owing from Customers.
B. Trans Union shall provide monthly invoices to Reseller for all access
to the TU Consumer Database, by Reseller and for all accesses by
Customers, and such invoices shall be paid by Reseller within thirty
(30) days of receipt. Without limiting any of Trans Union's remedies
for non-payment or late payment of invoices, past due amounts shall
accrue interest at the rate of one and one-half percent (1.5%) per
month (eighteen percent (18%) per year) or the maximum allowed by law
if lower than 18% per year. If collection efforts are required,
Reseller shall be liable for all cost of collection, including
reasonable attorney's fees.
VII. Miscellaneous
A. This Agreement shall commence upon the last signature date below and
shall remain in force and effect until this Agreement is terminated
pursuant to Section I.G., Section V., or Section VII.C. or by either
party upon at least sixty (60) days' prior written notice to the other
party. The foregoing notwithstanding, without limiting any other
remedies to which Trans Union may be entitled including, but not
limited to, injunctive relief, Trans Union reserves the right, at
Trans Union's sole option, to immediately suspend its performance, in
whole or in part, under this Agreement, to immediately terminate this
Agreement, or both, if Trans Union, in good faith, determines that:
(1) Reseller, either directly or indirectly, has materially breached
any of its obligations under this Agreement; (2) the requirements of
any law, regulation, or judicial action have not been met; or (3) as a
result of changes in laws, regulations or regulatory or judicial
action, the requirements of any law, regulation or judicial action
will not be met.
B. Trans Union may make available ancillary products for resale by
Reseller, subject to such terms and conditions as Trans Union may
impose from time to time. If Reseller refuses to agree to or fails to
comply with such terms and conditions, Trans Union shall have no
obligation to make such ancillary product available to Reseller.
C. This Agreement including, without limitation, all the rights and the
obligations set forth in this Agreement, with respect to Reseller are
personal to Reseller and may not be subcontracted by Reseller without
the prior written consent of Trans Union. Moreover, this Agreement,
including the rights and obligations contained in this Agreement, may
not be assigned, transferred (e.g., via stock purchase, sale of
assets, etc.) or otherwise disposed of, by operation of law or
otherwise, in whole or in part, by Reseller. This Agreement shall
immediately terminate upon any attempt to so subcontract, assign, or
transfer such rights and obligations.
D. Each of the parties to this Agreement are independent contractors and
nothing contained in this Agreement shall be construed as creating a
joint venture, partnership, employer-employee, principal-agent nor
mutual agency relationship between or among the parties hereto and no
party shall, by virtue of this Agreement, have any right or power to
create any obligation, express or implied, on behalf of any other
party. No party, nor any employee of a party, shall be deemed to be an
employee of the other party by virtue of this Agreement.
E. In addition to Trans Union's audit rights under Section I.G. above,
during the term of this Agreement and for a period of three (3) years
thereafter, Trans Union may audit Reseller's compliance with all other
requirements of this Agreement, upon at least five (5) business days'
prior written notice and during normal business hours. Trans Union may
also audit Reseller to ensure that Reseller accurately outputs Trans
Union data on any Consumer Report sold by Reseller, including Merged
Reports. Trans Union shall also have the right, upon at least ninety
(90) days' prior written notification to Reseller, to require Reseller
to output Trans Union data in a specified format in accordance with
written Trans Union guidelines as issued, and as may be revised, from
time to time. The parties recognize that Trans Union will suffer
irreparable harm, and that monetary damages may be incalculable and/or
inadequate in the event that Reseller retains Trans Union data in
breach of Paragraph I.B. or I.D. of this Agreement, and therefore,
such breach shall be entitled to remedy by injunctive relief, in
addition to any and all other relief which may be available at law or
at equity.
F. "Trademarks" shall be defined as all trademarks, trade names, service
marks, slogans, logos, designs, Internet universal resource locators
(e.g., domain names) and other similar means of distinction, which are
owned or controlled by Trans Union. All rights in any Trademarks
associated with the business of Trans Union, including all goodwill
pertaining thereto, shall be and remain the sole property of Trans
Union. If Trans Union grants Reseller the right to use Trademarks
pursuant to this Section VII. F., Reseller shall use and display such
Trademarks only in the manner and for the purpose(s) authorized in
writing in advance by Trans Union, and only during the term of this
Agreement. Moreover, Trans Union reserves the right to require
Reseller, upon at least ninety (90) days' prior written notification
from Trans
Page 5 of 6
Union, to use and display such Trademarks in accordance with written
Trans Union's guidelines for use of Trademarks as issued, and as may
be revised, from time to time. Samples of all materials that may be
distributed by Reseller displaying the Trademarks shall be submitted
to Trans Union upon Trans Union's reasonable request to verify
compliance with Trans Union's guidelines for the use of the
Trademarks. Trans Union reserves the right to add to, change, or
discontinue the use of any Trademark, on a selective or general basis,
at any time. Reseller shall not use any Trademark of Trans Union in
any corporate, partnership, or business name without Trans Union's
prior written consent. Trans Union may prohibit the use of any or all
Trademarks by Resellers if, in Trans Union's sole discretion,
Reseller's use of the Trademark(s) is detrimental to Trans Union in
any way.
G. No failure or successive failures on the part of either party, its
respective successors or permitted assigns, to enforce any covenant or
agreement, and no waiver or successive waivers on its or their part of
any condition of this Agreement shall operate as a discharge of such
covenant, agreement, or condition, or render the same invalid, or
impair the right of either party, its respective successors and
permitted assigns, to enforce the same in the event of any subsequent
breach or breaches by the other party, its successors or permitted
assigns.
H. All references in this Agreement to the singular shall include the
plural where applicable. Titles and headings to sections or paragraphs
in this Agreement are inserted for convenience of reference only and
are not intended to affect the interpretation or construction of this
Agreement. If any term or provision of this Agreement is held by a
court of competent jurisdiction to be invalid, void, or unenforceable,
the remainder of the provisions shall remain in full force and effect
and shall in no way be affected, impaired or invalidated.
I. Neither party shall be liable to the other for failure to perform or
delay in performance under this Agreement if, and to the extent, such
failure or delay is caused by conditions beyond its reasonable control
and which, by the exercise of reasonable diligence, the delayed party
is unable to prevent or provide against. Such conditions include, but
are not limited to, acts of God; strikes, boycotts or other concerted
acts of workmen; laws, regulations or other orders of public
authorities; military action, state of war or other national
emergency; fire or flood. The party affected by any such force majeure
event or occurrence shall give the other party written notice of said
event or occurrence within five (5) business days of such event or
occurrence.
J. This Agreement shall be governed by and construed in accordance with
the laws of the State of Illinois regardless of the laws that might
otherwise govern under applicable Illinois principles of conflicts of
law.
K. The recitals set forth above are an integral part of this Agreement
and are hereby incorporated into this Agreement.
L. THIS AGREEMENT INCLUDING, BUT NOT LIMITED TO, ALL ASSOCIATED PRICING
AGREED UPON, CONSTITUTES THE ENTIRE AGREEMENT BETWEEN THE PARTIES
HERETO AND SUPERSEDES ALL PREVIOUS AGREEMENTS AND UNDERSTANDINGS,
WHETHER ORAL OR WRITTEN, EXPRESS OR IMPLIED, SOLELY WITH RESPECT TO
THE SUBJECT MATTER OF THIS AGREEMENT. THIS AGREEMENT MAY NOT BE
ALTERED, AMENDED, OR MODIFIED EXCEPT BY WRITTEN INSTRUMENT SIGNED BY
THE DULY AUTHORIZED REPRESENTATIVES OF BOTH PARTIES.
IN WITNESS WHEREOF, the parties, intending to be legally bound, have caused this
Agreement to be executed by their duly authorized representatives as of the last
date and year set forth below. The parties hereto agree that a facsimile
transmission of this fully executed Agreement shall constitute an original and
legally binding document.
FACTUAL DATA TRANS UNION LLC
By: /s/ X.X. XXXXXXXXXX By: /s/ XXXXXXX XXXXXX-XXXXXX
-------------------------------- ---------------------------------
Name: X.X. Xxxxxxxxxx Name: Xxxxxxx Xxxxxx-Xxxxxx
------------------------------- ------------------------------
Title: VP Branch Ops. Title: GVP
------------------------------ ------------------------------
Date: 10/16/01 Date: 10/30/01
------------------------------- -------------------------------
Page 6 of 6
EXHIBIT A TO RESELLER SERVICE AGREEMENT
(REQUIRED TERMS FOR RESELLER AGREEMENT
FOR CONSUMER REPORTS BETWEEN RESELLER AND ITS CUSTOMER)
1. Reseller has access to consumer reports from one or more consumer credit
reporting agencies.
2. Subscriber is a _________________ and has a permissible purpose for
obtaining consumer reports, as defined by Section 604 of the Federal Fair
Credit Reporting Act (15 USC 1681b) as amended by the Consumer Credit
Reporting Reform Act of 1996, hereinafter called "FCRA." The subscriber
certifies their permissible purpose as:
o In connection with a credit transaction involving the consumer on whom
the information is to be furnished and involving the extension of
credit to, or review or collection of an account of the consumer; or
o In connection with the underwriting of insurance involving the
consumer or review of existing policy holders for insurance
underwriting purposes, or in connection with an insurance claim where
written permission of the consumer has been obtained; or
o In connection with a tenant screen application involving the consumer;
or
o In accordance with the written instructions of the consumer; or
o For a legitimate business need in connection with a business
transaction that is initiated by the consumer; or
o As a potential investor, servicer or current insurer in connection
with a valuation of, or assessment of, the credit or prepayment risks.
3. Subscriber certifies that it will request consumer reports pursuant to
procedures prescribed by Reseller from time to time only for the
permissible purpose certified above, and will use the reports obtained for
no other purpose.
4. Subscriber will maintain copies of all written authorizations for a minimum
of three (3) years from the date of inquiry.
5. THE FCRA PROVIDES THAT ANY PERSON WHO KNOWINGLY AND WILLFULLY OBTAINS
INFORMATION ON A CONSUMER FROM A CONSUMER REPORTING AGENCY UNDER FALSE
PRETENSES SHALL BE FINED UNDER TITLE 18, OR IMPRISONED NOT MORE THAN TWO
YEARS, OR BOTH.
6. Subscriber shall use each consumer report only for a one-time use and shall
hold the report in strict confidence, and not to disclose it to any third
parties; provided, however, that Subscriber may, but is not required to,
disclose the report to the subject of the report only in connection with an
adverse action based on the report. Moreover, unless explicitly authorized
in this Agreement or in a separate agreement, between Reseller and
Subscriber, for scores obtained from Trans Union LLC, or as explicitly
otherwise authorized in advance and in writing by Trans Union LLC through
Reseller, Subscriber shall not disclose to consumers or any third party,
any nor all such scores provided under this Agreement, unless clearly
required by law.
7. With just cause, such as delinquency or violation of the terms of this
contract or a legal requirement, or a material change in existing legal
requirements which adversely affects this Agreement, Reseller may, upon its
election, discontinue serving the Subscriber and cancel this Agreement
immediately.
Page 1 of 1
EXHIBIT B TO RESELLER SERVICE AGREEMENT
(REQUIRED TERMS FOR RESELLER AGREEMENT
FOR CONSUMER REPORTS FOR EMPLOYMENT PURPOSES (PEER)
BETWEEN RESELLER AND ITS CUSTOMER)
1. Reseller has access to consumer reports from one or more consumer credit
reporting agencies.
2. Subscriber is a _________________ and has a need for consumer credit
information in connection with the evaluation of individuals for
employment, promotion, reassignment or retention as an employee ("Consumer
Report for Employment Purposes").
3. Subscriber shall request Consumer Report for Employment Purposes pursuant
to procedures prescribed by Reseller from time to time only when it is
considering the individual inquired upon for employment, promotion,
reassignment or retention as an employee, and for no other purpose.
4. Subscriber certifies that it will not request a Consumer Report for
Employment Purposes unless:
A. A clear and conspicuous disclosure is first made in writing to the
consumer before the report is obtained, in a document that consists
solely of the disclosure, that a consumer report may be obtained for
employment purposes;
B. The consumer has authorized in writing the procurement of the report;
and
C. Information from the Consumer Report for Employment Purposes will not
be used in violation of any applicable federal or state equal
employment opportunity law or regulation.
5. Subscriber further certifies that before taking adverse action in whole or
in part based on the Consumer Report for Employment Purposes, it will
provide the consumer:
A. A copy of the Consumer Report for Employment Purposes; and
B. A copy of the consumer's rights, in the format approved by the Federal
Trade Commission, which notice shall be supplied to Subscriber by
Reseller.
6. Subscriber shall use Consumer Report for Employment Purposes only for a
one-time use, and shall hold the report in strict confidence, and not
disclose it to any third parties not involved in the current employment
decision.
7. Subscriber will maintain copies of all written authorizations for a minimum
of three (3) years from the date of inquiry.
8. With just cause, such as delinquency or violation of the terms of this
contract or a legal requirement, or a material change in existing legal
requirements which adversely affects this Agreement, Reseller may, upon its
election, discontinue serving the Subscriber and cancel this Agreement
immediately.
Page 1 of 1
EXHIBIT C TO RESELLER SERVICE AGREEMENT
INTERNET SECURITY REQUIREMENTS FOR DELIVERING TRANS UNION
PRODUCTS TO BUSINESSES
This document describes the security measures required for resellers and Trans
Union business partners who will use the Internet to distribute Trans Union
products to business customers. Resellers and business partners must meet these
requirements in order to be in compliance with their respective agreement(s)
with Trans Union.
If the reseller or business partner has engaged a third party to develop and
maintain their Internet delivery system, it is the reseller's/business partner's
responsibility to ensure that these security requirements are met by the third
party.
1.0 PROTECTION OF TRANS UNION DATA
NOTE: In this section, there are several references to web servers. If the
reseller or business partner is using a non-web delivery solution, replace
the term `web server' with `server that accepts data from the Internet.'
1.1 Trans Union data (such as, but not limited to, consumer credit data
and Trans Union-issued subscriber codes/passwords) must be protected
when in transit over the Internet. Strong (at least 128-bit)
encryption is required.
1.2 Trans Union data must be protected when stored on servers. Specific
security measures for all servers involved in delivering Trans Union
products are stated below:
1.2.1 The servers storing Trans Union data must be physically separate
from the web servers.
1.2.2 The servers storing Trans Union data must not be available for,
or exploitable by, any TCP services directly from the Internet
and should not be referenced in externally available DNS tables.
(Also see Firewall section below.)
1.2.3 Security settings on all servers must include authentication
with strong passwords that are changed at least every 90 days.
All security controls need to be set to prevent unauthorized
access to Trans Union data.
1.2.4 All servers must have all published network operating system
patches applied promptly after they become available.
1.3 Web servers must not temporarily store Trans Union data longer than
needed to re-send failed transmissions (generally not longer than one
day).
1.4 Physical security measures must be in place to ensure only authorized
access to servers containing Trans Union data.
2.0 FIREWALLS AND NETWORK CONNECTIONS
NOTE: In this section, there are several references to web servers. If the
reseller or business partner is using a non-web delivery solution, replace
the term `web server' with `server that accepts data from the Internet.'
2.1 The reseller's or business partner's Internet connection must be
protected with dedicated, industry-recognized firewalls that are
configured and managed to adhere to security industry best practices.
Firewalls with ICSA or similar certification are highly recommended.
2.2 The firewall strategy must ensure that only a secure web server can
access the server(s) holding Trans Union data:
o A single firewall strategy (firewall between the Internet and the
web server) would require multiple interfaces to separate the web
server and the network server(s) holding Trans Union data. The
firewall rules should ensure that only the web server is allowed
to access the server(s) holding Trans Union data.
Page 1 of 3
o A dual firewall implementation typically requires a firewall
between the Internet and the web server and another firewall
between the web server and the network server(s) holding Trans
Union data. The rules in the second firewall should ensure that
only the web server is allowed to access the server(s) holding
Trans Union data.
o Any other firewall strategy must provide comparable security to
that described above.
2.3 Administrative access to the firewall(s) should be allowed only
through a secured internal network or through direct serial port
access. For remote administration, the preferred method is to dial
into an internal local area network (LAN), provide strong
authentication (like a token), and use a secure telnet session to
access the firewall from inside the network. Modem dial-in access must
not be allowed to the firewall serial port.
2.4 All Internet Protocol (IP) addresses of the internal network housing
servers with Trans Union data must not be natively routed to the
Internet. Devices accessing the Internet from the internal network
must use Network Address Translation (NAT), Port Address Translation
(XXX), or like technology that keeps internal IP addresses from
becoming known to the Internet.
2.5 The reseller's or business partner's network must not allow any "back
door" access to any servers holding Trans Union data. Back door access
allows connection to the internal network without going through the
firewall(s) or a remote access server with strong authentication.
2.6 All network connections to Trans Union must be protected so that the
reseller's or business partner's other trusted trading partners cannot
attempt to access Trans Union.
2.7 Firewalls must be configured to log exceptions and/or issue alerts.
Such exceptions or alerts must be reviewed.
3.0 End User Authentication
3.1 The Trans Union-issued subscriber codes and passwords must be
protected from unauthorized use. If such codes and passwords are given
to third parties acting on behalf of the reseller or business partner,
the third party must agree to protect them accordingly.
3.2 Trans Union-issued subscriber passwords must be changed if there has
been any actual or suspected compromise or misuse of the passwords.
3.3 The reseller or business partner must use strong end user
authentication mechanisms to ensure that Trans Union products are
delivered only to authorized individuals. (Note: If non-web delivery,
authentication mechanisms may identify an authorized process, as
opposed to an individual, in cases where the reseller or business
partner uses an automated process to pull Trans Union products.)
3.4 The authentication process must identify the individual who obtains
the report at the end customer's location. Authentication at the
company level is not adequate. (Also, see note about non-web delivery
in 3.3 above.)
3.5 If identification codes IDs and passwords are being used for
authentication:
3.5.1 Strong password policies must be in place (minimum length of 6
alpha and numeric characters, frequent and mandatory password
changes - at least every 90 days).
3.5.2 IDs and passwords must be encrypted with strong (at least
128-bit) encryption keys when they travel over the Internet.
3.6 If digital certificates are used for individual authentication, the
certificate authority must be trusted, the certification process must
be sound, and the certificate must be protected by the end user.
(NOTE: If both digital certificates and IDs/passwords are being used,
the 90-day password change requirement is not required as long as the
certificates are renewed no less frequently than on an annual basis.)
3.7 Servers storing IDs and passwords and/or digital certificate
information must be secured with the same security measures as the
servers holding Trans Union data. (See 1.2 above.)
Page 2 of 3
3.8 The reseller or business partner must ensure that IDs or digital
certificates of individual users who are no longer authorized to
obtain Trans Union products are disabled or inactivated promptly.
3.9 The reseller or business partner's application must have adequate
audit trails and detailed reports that allow early detection of
fraudulent access and/or investigation of suspicious activity.
3.10 The application must have a timeout feature so that the end user must
re-authenticate after an extended period of inactivity. The
recommended setting for the timeout is 30 minutes.
4.0 Other Considerations
4.1 Wherever possible, the reseller's or business partner's application
must use measures to reduce the risk of a returned credit report being
used fraudulently. For example, social security numbers and/or account
numbers would not be displayed if that information is not needed by
the end user.
4.2 The application software used to receive and process requests for
Trans Union products should comply with the Associated Credit Bureau
(ACB) security standards. ACB security certification is strongly
recommended.
4.3 ICSA or other third party review of the reseller's or business
partner's security measures is highly recommended.
5.0 Security Incidents/System Changes
5.1 Any actual or suspected compromises of the above security measures
must be reported to Trans Union as soon as they are known.
5.2 Any significant change to the Internet delivery system must be
reviewed against these requirements to ensure continued compliance.
Page 3 of 3
EXHIBIT D TO RESELLER SERVICE AGREEMENT
(REQUIRED STEPS FOR RESELLER TO VERIFY THE IDENTITY OF ITS CUSTOMERS)
1. The actions taken to verify the type of customer will be notated on either
the Subscriber Agreement or separate documentation within the membership
file that will be maintained with the Subscriber Agreement. Records which
document the investigation, and the Subscriber Agreement, must be retained
as long as the customer continues to maintain access and for three (3)
years thereafter. Those records (or copies thereof) must be made available
to appropriate Trans Union personnel on request.
2. Confirm that the stated permissible purpose for obtaining consumer reports
is compatible with the type of business conducted by the potential
customer.
3. Conduct a physical inspection of the company's premises to assure that it
is a legitimate business facility (not a residence) and that the
furnishings, etc. are commensurate with the size and purported type of
business, and in order to determine if it is an Unauthorized User.
Documentation must be maintained demonstrating when and by whom the
physical inspection was conducted and describing the company's premises. `
4. Confirm that advertisements or signs are compatible with purported
business.
5. Verify that the company has a business checking account and that the
account balance is compatible with the size and nature of the company.
6. Verify business references to ensure that the potential customer has
clientele which would support the stated business.
7. Verify business phone numbers by checking the phone directory or other
phone records.
8. Check the yellow pages listings for the area where the customer is located
to see if the prospective customer is listed under any of the categories
identified previously as Unauthorized Users. If Reseller does not have
access to the yellow pages listings for that area, Reseller may, instead,
use an Internet Yellow Pages listing.
9. Check the Internet to determine if the prospective customer has a web page.
If the prospective customer does have a web page, view the page to verify
that the information on the web page is compatible with purported business,
that the prospective customer is not an Unauthorized User, and that the
prospective customer is a legitimate business.
Page 1 of 1
