Attached files

file filename
8-K - 8-K - Discover Card Execution Note Trustd546171d8k.htm

Exhibit 99.1

SECOND AMENDED AND RESTATED MASTER SERVICES AGREEMENT

This SECOND AMENDED AND RESTATED MASTER SERVICES AGREEMENT (including the Shared Employee Addendum and each Services Addendum hereto, this “Agreement”) by and among Discover Financial Services, a Delaware corporation (“DFS”), Discover Bank, a Delaware banking corporation (including its subsidiaries, “the Bank”), and each of the other parties named on the signature pages hereto (together with DFS and the Bank, each a “Party” and, collectively, the “Parties”), is dated as of March 15, 2018.

WITNESSETH:

WHEREAS, DFS, the Bank and each of the other parties thereto entered into the Amended and Restated Master Services Agreement dated as of July 15, 2015 (the “2015 Agreement”) pursuant to which the Parties perform services for, and/or receive services from, one or more of the other Parties hereto from time to time;

WHEREAS, the Parties desire to amend and restate the 2015 Agreement in order to (i) update the Shared Employee Addendum attached hereto as Exhibit A (the “Shared Employee Addendum”), (ii) update the list of Parties to reflect the company’s current organizational structure, and (iii) add Appendix 1 – Data Privacy and Information Security; and

WHEREAS, all existing Services Addenda executed under the 2015 Agreement shall remain in full force and effect and shall be incorporated by reference into this Agreement;

NOW, THEREFORE, in consideration of the mutual covenants herein contained, the Parties hereto hereby agree as follows:

1.    Services; Duty of Care. A Party providing services hereunder (the “Servicing Party”) shall perform and deliver services for or on behalf of another Party hereto (the “Receiving Party”) as more fully described under a duly executed services addendum between the Servicing Party and the Receiving Party (each a “Services Addendum” and collectively the “Services Addenda”), the form of which is attached hereto as Exhibit A (the services to be provided under any and all Services Addenda executed hereunder are hereinafter referred to individually and collectively as the “Services”). The Servicing Party and Receiving Party shall review the Services Addendum at least annually for accuracy and completeness and shall work together to amend any such Services Addendum, as appropriate.

The Servicing Party shall perform the Services in accordance with applicable laws and regulations utilizing at least such levels of diligence, care, completeness and timeliness customarily followed by large financial institutions and shall comply with all of DFS’ security, supervision and other procedures and policies in connection with its provision of Services. The Servicing Party may satisfy its obligations to perform hereunder either through its own employees, agents, or representatives, and/or through independent contractors used to provide the Services as if provided directly by the Servicing Party. The Servicing Party shall be responsible for the actions of its agents, employees, representatives, or independent contractors providing the Services and shall require, by contract, each of its independent contractors to, when providing Services, comply with (i) the terms of this Agreement; and (ii) all laws and regulations applicable to it, the Services it provides, the Servicing Party and Receiving Party.

The Services Addenda are hereby incorporated by reference into this Agreement. Except as otherwise provided herein, if any of the terms or conditions of this Agreement conflict with any of the terms or conditions of any Services Addendum, the terms or conditions of such Services Addendum will control solely with respect to the Services covered under such Services Addendum.


Appendix 1 – Data Privacy and Information Security is hereby incorporated by reference into this Agreement and into all Services Addenda outstanding hereunder from time to time.

2.    Fees. The Receiving Party shall pay service fees to the Servicing Party as more fully described in the applicable Services Addendum (“Servicing Fees”). Servicing Fees payable hereunder shall be paid monthly in arrears. Each Receiving Party reserves the right to net any Servicing Fees due to a Servicing Party against any Servicing Fees owed by the Receiving Party to such Servicing Party under this Agreement or any other agreement between the Parties.

3.    Term; Insolvency. This Agreement shall have a term of twelve months from the date hereof and shall automatically renew on an annual basis for subsequent twelve-month periods unless otherwise agreed to be each of the Parties hereto no less than thirty days prior to the expiration of any such twelve-month period. The term of each Services Addendum shall be the same as the term of this Agreement unless otherwise specified in the Services Addendum; provided that a Services Addendum may be terminated by either Party thereto upon thirty days notice to the other Party.

Notwithstanding the foregoing, each Party hereby acknowledges and agrees that (i) in the event that a Servicing Party shall have provided a Receiving Party with a 30 day termination notice pursuant to the foregoing paragraph, the Servicing Party shall be required to continue providing the applicable Services to the Receiving Party until such time as the provision of such Services shall have been transferred to the Receiving Party or a third party; (ii) in the event that the Bank or any Bank subsidiary party to any Services Addendum becomes the subject of an insolvency or bankruptcy proceeding, the applicable Servicing Party shall be required to continue providing the related Services to the Bank or such Bank subsidiary until such time as the related Services shall have been successfully transitioned to the Bank, such Bank subsidiary or a third-party servicer, and the applicable Servicing Party shall take all steps reasonably necessary to assist in the transition of such Services; and (iii) in the event that a non-Bank Servicing Party becomes the subject of a bankruptcy proceeding, such non-Bank Servicing Party shall be required to continue providing Services under any Servicing Addenda under which the Receiving Party is the Bank or a Bank subsidiary until such time as the related Services shall have been transitioned to the Receiving Party or a third-party servicer, and such non-Bank Servicing Party shall take all steps reasonably necessary to assist in the transition of the such Services.

4.    Shared Employees.

a.    The duties and responsibilities of each Shared Employee at the Bank (“Bank Responsibilities”) are set forth in the Shared Employee Addendum. While performing Bank Responsibilities, the Shared Employee shall be deemed to be employed exclusively by the Bank and the Bank alone shall be responsible for the supervision and direction of the Shared Employee during such periods. While performing duties and responsibilities for an Affiliate, the Shared Employee shall be deemed to be employed exclusively by the Affiliate, and the Affiliate alone shall be responsible for the supervision and direction of the Shared Employee during such periods. All data, documents, and information furnished by the Bank to any Shared Employee, or obtained by the Shared Employee, in connection with Shared Employee’s performance of Bank Responsibilities shall remain the exclusive property of the Bank and shall be subject to the confidentiality provisions of Section 11 hereof.

 

2


b.    A Shared Employee shall act in the best interests of the Bank while performing Bank Responsibilities.

c.    Allocation of Shared Employee costs and expenses shall be as set forth in the applicable Services Addendum.

d.    Subject to this Section 4, allocation of time and responsibilities of a Shared Employee between the Bank and the related non-subsidiary Affiliate shall be agreed by the Bank and such Affiliate from time to time. In the event that there is a conflict between priorities of the Bank and the related Affiliate, a Shared Employee’s performance of Bank Responsibilities shall take priority over performance of Services for such Affiliate to the extent failure by the Shared Employee to perform Bank Responsibilities could adversely affect the safe and sound operation of the Bank or compliance with banking laws or regulations, as determined by the Bank acting reasonably and in good faith.

e.    The relationship between the Bank and the related Affiliate pursuant to this Section 4 is solely that of independent parties contracting to allocate the time and expenses of a Shared Employee.

5.    Business Continuity Planning.

Each Servicing Party shall adhere to Business Continuity Planning Policy of DFS and the Business Continuity Planning program maintained in accordance therewith. In the event of a business interruption, in addition to performing recovery actions in accordance with the Business Continuity Planning program, a Servicing Party shall immediately notify the Parties to which it is providing Services of the nature and extent of the interruption and the location of any recovery center to the extent applicable. Except as may be provided in Section 7 below, the occurrence of a business interruption event shall not relieve a Servicing Party of its obligation to perform the Services in accordance with the terms hereof.

6.    Audit.

a.    Each Party acknowledges that the other Parties hereto may be subject to regulation and examination by regulatory agencies (“Regulatory Agencies”). Each Servicing Party shall provide the Regulatory Agencies with access (i) to any facility or part of a facility at which such Servicing Party or any of its subcontractors is performing the Services, (ii) to such Servicing Party’s personnel, and (iii) to data and records relating to the Services, for the purpose of performing audits, examinations and inspections of such Servicing Party or any of its subcontractors with respect to the Services during the Term and for the period such Servicing Party is required to maintain records under applicable law. Each Servicing Party shall cooperate fully with regard to examinations by the Regulatory Agencies. Each Servicing Party shall immediately give to the applicable Receiving Party notice of any inquiry or communication, whether formal or informal, by a Regulatory Agency regarding the Services being provided to such Receiving Party. Each Servicing Party shall provide any and all assistance to the applicable Receiving Party to facilitate any audit of a third party subcontractor of the Servicing Party by a Regulatory Agency.

b.    Each Servicing Party shall provide the applicable Receiving Party and its auditors (including internal audit staff and external auditors), inspectors, and such other representatives as such Receiving Party may from time to time designate, access at all reasonable

 

3


times upon reasonable advance notice to the Servicing Party to any facility or part of a facility at which either the Servicing Party or any of its subcontractors is performing the Services, to the Servicing Party’s personnel, and to data, records, policies and procedures relating to the Services, for the purpose of performing audits, examination and inspections of either the Servicing Party or any of its subcontractors during the Term of the Agreement and for the period the Servicing Party is required to maintain records under applicable law, to examine the Servicing Party’s performance of the Services and compliance with the terms of this Agreement, including (i) practices, policies and procedures; (ii) systems, equipment and software; (iii) general controls and security practices and procedures; (iv) disaster recovery and back-up procedures; and (v) any other matters reasonably requested by the Receiving Party. Each Servicing Party will provide the Receiving Party with copies of any internal audit reports reasonably related to the Services or systems or practices that support the Services upon request.

7.    Force Majeure. No Servicing Party shall be liable for any loss, injury, damages, delay in performance or failure to perform any obligation under this Agreement to the extent such loss, injury, damages, delay or failure to perform is the result of causes beyond the control of that party and is without its fault or negligence, including, but not limited to, acts of God, labor disputes, governmental regulations or orders, civil disturbance, war conditions, terrorist acts, riots, explosions, fires or the result of a failure by the other Party to satisfy its obligations under this Agreement, except to the extent such loss, injury, damages, delay or non-performance is the result of any failure of the Servicing Party performing Services to comply with its obligations set forth in its Disaster Recovery Plan.

Upon occurrence of any force majeure event, the Servicing Party shall render the Services in accordance with the emergency service levels and other conditions as detailed in its Disaster Recovery Plan. Each Receiving Party shall also make a good faith effort to mitigate the effects of any occurrence beyond its control that results in any loss, injury, damages, delay or failure to perform its obligations under this Agreement.

8.    Representations and Warranties. Each Party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction, and this Agreement when duly executed and delivered will constitute a legal, valid and binding obligation of such Party, enforceable against such Party in accordance with its terms, except as enforcement may be limited by bankruptcy, insolvency, liquidation or other similar laws affecting generally the enforcement of creditors’ rights. Each Party further represents and warrants as follows:

a.    Such Party has full power and authority to do and perform all acts contemplated by this Agreement.

b.    None of the execution and delivery of this Agreement, the consummation of the transactions herein contemplated, the fulfillment of, or compliance with, the terms and provisions hereof, nor the performance of its obligations under this Agreement will conflict with, or result in a breach of any of the terms, conditions or provisions of any law applicable to such Party, the governing documents of such Party or of any agreement to which any such Party may be bound.

c.    Prior to the performance of any of its obligations pursuant to this Agreement, such Party will have obtained and/or made any consent, approval, waiver or other authorization of or by, or filing or registration with, any court, administrative or governmental agency that is required to be obtained in connection with the execution, delivery or performance by such Party, or the consummation by such Party, of the transactions contemplated by this Agreement.

 

4


d.    Each Servicing Party represents and warrants that none of the Services nor the provision or utilization thereof as contemplated under this Agreement, do or will infringe, violate, trespass or in any manner contravene or breach or constitute the unauthorized use or misappropriation of any intellectual property of any third party.

9.    Liability and Indemnification.

a.    Each Servicing Party agrees to be liable for, and to indemnify and hold harmless each Party to which it is providing Services from and against, any and all liability, loss, claim, cost or expense (including court costs and attorneys’ fees) attributable to (i) a breach of any representation or warranty made by the Servicing Party pursuant to this Agreement; (ii) willful misconduct or gross negligence the Servicing Party; or (iii) any default by the Servicing Party in any of its obligations or covenants under this Agreement.

b.    Each Receiving Party agrees to indemnify and hold harmless each Party providing Services to it from and against any and all liability, loss, claim, cost or expense (including court costs and attorneys’ fees) attributable to (i) a breach of any representation or warranty by the Receiving Party pursuant to this Agreement; (ii) willful misconduct or gross negligence of the Receiving Party; or (iii) any default of the Receiving Party in any of its obligations or covenants under this Agreement.

c.    For purposes of Subsections 9(a) and (b), references to a Servicing Party or Receiving Party shall be deemed to include their affiliates (other than each other) and any of their employees, agents, representatives and/or independent contractors of each.

10.    Notice. Any notice required to be given hereunder by one Party to another Party shall be given in writing by personal delivery or certified mail, return receipt requested, and shall be effective when received. Every such notice shall be addressed as to such other Party at 2500 Lake Cook Road, Riverwoods, Illinois 60015, Attention: General Counsel.

11.    Confidentiality.

a.    It is understood that, in the performance of Services hereunder, a Servicing Party may have access to private or confidential information of a Receiving Party (for purposes of this Section 11, the “Disclosing Party”) and the Disclosing Party’s employees and customers. Each Servicing Party shall keep, and have its employees, agents and subcontractors keep, any and all private or confidential information of the Disclosing Party strictly confidential and to use such information only for the purpose of providing the Services or as otherwise agreed to by the Disclosing Party. Each Servicing Party acknowledges and agrees that in the event of a breach or threatened breach of the provisions of this Section, the Disclosing Party will have no adequate remedy in money or damages and, accordingly, shall be entitled to an injunction against such breach. However, no specification in this Agreement of a specific legal or equitable remedy shall be construed as a waiver or prohibition against any other legal or equitable remedies in the event of a breach of any provision of this Agreement. The Servicing Party shall not provide any private or confidential information of the Disclosing Party to unaffiliated third parties pursuant to an administrative or judicial subpoena, summons, search warrant or other governmental order without providing prior notice to the Disclosing Party, unless otherwise provided by law or court order.

 

5


b.    Each Servicing Party agrees that confidential information includes all non-public personal information (as that term is defined in Title V of the Gramm-Leach-Bliley Act of 1999 (“GLBA”) or any successor federal statue, and the rules and regulations thereunder, all as may be amended from time to time) and other non-public information regarding the Disclosing Party’s customers (collectively, “Customer Information”). Each Servicing Party agrees as follows with respect to Customer Information: (i) the Servicing Party shall exercise a standard of care in the protection of Customer Information which is consistent with all applicable laws, rules and regulations; (ii) the Servicing Party shall use and maintain Customer Information only as necessary for the purpose of providing the Services for which the Customer Information was disclosed and only in accordance with applicable law, rule or regulation of any jurisdiction relating to disclosure or use of Customer Information; (iii) shall not use any Customer Information in any manner prohibited by Title V of GLBA; and (iv) the Servicing Party will implement and maintain an appropriate written information security program, the terms of which shall meet or exceed all applicable legal and regulatory requirements. In the event that a Servicing Party learns or has reason to believe that Customer Information of a Disclosing Party has been disclosed or accessed by an unauthorized person: (i) it shall immediately give notice of such event to the Disclosing Party and cooperate with the Disclosing Party and the relevant Regulatory Authorities in the event of litigation or a regulatory inquiry concerning the disclosure and (ii) it shall immediately take appropriate steps to ensure that any disclosure of, or unauthorized access to, Customer Information does not continue and shall inform the Disclosing Party of steps taken to address the cause of the disclosure.

c.    Each Servicing Party’s obligations and agreements under this Section 11 shall not apply to any information supplied that: (i) was known to the receiving party prior to the disclosure by the other; (ii) is or becomes generally available to the public other than by breach of this Agreement; or (iii) otherwise becomes lawfully available on a nonconfidential basis from a third party who is not under an obligation of confidence to the other party.

d.    Upon termination of this Agreement, or upon the Disclosing Party’s written request, the Servicing Party shall promptly return to the Disclosing Party confidential information of the Disclosing Party, including Customer Information, which is and shall remain the property of the Disclosing Party.

12.    Effectiveness. This Agreement shall be effective on January 1, 2013 (the “Effective Date”) and shall supersede and replace in its entirety on the Effective Date any and all servicing agreements heretofore entered into between any and all of the parties hereto. Any servicing agreement in effect between any of the parties hereto prior to the date hereof and not replaced by an Addendum to this Agreement shall be deemed terminated unless otherwise agreed by the parties thereto. For the avoidance of doubt, the Second Amended and Restated Network Agreement dated June 1, 2011 between Discover Bank and DFS Services LLC is not amended or replaced by this Agreement and such agreement shall remain in full force and effect.

13.    General Conditions.

a.    The validity, construction and performance of this Agreement are governed by the laws of the State of Delaware, United States of America.

b.    All provisions contained in this Agreement extend to and are binding upon the Parties and their respective successors and assigns. This Agreement may not be assigned by any Party without the prior written consent of the other Parties, which consent will not be unreasonably withheld.

 

6


c.    Each paragraph and provision of this Agreement is severable from the entire Agreement, and if one provision hereof is declared invalid, the remaining provisions shall nevertheless remain in effect.

d.    This Agreement and the respective Addenda hereto constitute the entire agreement between Parties with respect to the Services, and no representation or statement not contained in this Agreement or the Addenda shall be binding upon any Party as a warranty or otherwise. This Agreement may not be amended, changed, modified or altered except in writing, signed by each Party. No Addendum may be amended, changed, modified or altered except in writing, signed by each Party thereto.

e.    This Agreement may be executed in one or more counterparts, each of which shall be deemed an original and all of which together shall be deemed to constitute but one and the same instrument.

f.    The relationship between a Servicing Party and a Receiving Party hereunder is that of independent contractor. Nothing herein contained shall be construed as constituting a partnership, joint venture or agency between any of the Parties.

g.     No term or provision hereof will be deemed waived, and no variation of terms or provisions hereof shall be deemed consented to, unless such waiver or consent shall be in writing and signed by the Party against whom such waiver or consent is sought to be enforced. Any delay, waiver or omission by a Party to exercise any right or power arising from any breach or default of the other party in any of the terms, provisions or covenants of this Agreement shall not be construed to be a waiver by such Party of any subsequent breach or default of the same or other terms, provisions or covenants on the part of another Party.

h.     Headings used in this Agreement are for reference purposes only and shall not be deemed a part of this Agreement.

i.    Any exhibit to this Agreement shall be construed as an integral part of this Agreement to the same extent as if the same had been set forth herein. Any agreement, schedule, or exhibit referred to herein shall mean such agreement, schedule, or exhibit as amended, restated, supplemented or modified from time to time to the extent permitted by the applicable provisions thereof and this Agreement.

j.    Each defined term shall have the meaning set forth herein and shall be equally applicable to both the singular and plural forms. The words “including,” “include” and “includes” shall each be deemed to be followed by the term “without limitation.” Reference to any statute, rule or regulation means such statute, rule or regulation as amended and supplemented at the time and from time to time and includes any successor statute, rule or regulation. Unless otherwise stated, references to recitals, articles, sections, paragraphs, and schedules shall be references to recitals, articles, sections, paragraphs and schedules of this Agreement.

k.     The agreements contained in Sections 9, 11 and 13 of this Agreement shall survive the termination of this Agreement.

[Signature page follows]

 

7


IN WITNESS WHEREOF, each of the parties hereto has caused this Second Amended and Restated Master Services Agreement to be executed by a duly authorized officer as of the date first above written.

 

DISCOVER FINANCIAL SERVICES     DISCOVER BANK
By:  

/s/ Roger C. Hochschild

    By:  

/s/ James J. Roszkowski

Name:   Roger C. Hochschild     Name:   James J. Roszkowski
Title:   President and COO     Title:   President
DFS SERVICES LLC     DFS CORPORATE SERVICES LLC
By:  

/s/ Roger C. Hochschild

    By:  

/s/ Roger C. Hochschild

Name:   Roger C. Hochschild     Name:   Roger C. Hochschild
Title:   President and COO     Title:   President
DISCOVER PRODUCTS INC.     BANK OF NEW CASTLE
By:  

/s/ Roger C. Hochschild

    By:  

/s/ James J. Roszkowski

Name:   Roger C. Hochschild     Name:   James J. Roszkowski
Title:   President     Title:   President
DFS INTERNATIONAL INC.     DISCOVER FINANCIAL SERVICES (CANADA), INC.
By:  

/s/ Roger C. Hochschild

    By:  

/s/ Peter Illian

Name:   Roger C. Hochschild     Name:   Peter Illian
Title:   President     Title:   President
DISCOVER HOME LOANS, INC.     DINERS CLUB INTERNATIONAL LTD.
By:  

/s/ Carlos Minetti

    By:  

/s/ Diane E. Offereins

Name:   Carlos Minetti     Name:   Diane E. Offereins
Title:   Chief Executive Officer     Title:   CEO and President
THE STUDENT LOAN CORPORATION     DISCOVER FUNDING LLC
By:  

/s/ Carlos Minetti

    By:  

/s/ Timothy J. Schmidt

Name:   Carlos Minetti     Name:   Timothy J. Schmidt
Title:   Chief Executive Officer     Title:   President and CEO
DFS GSD CORP.     DISCOVER FINANCIAL SERVICES (HONG KONG) LIMITED
By:  

/s/ Peter Illian

    By:  

/s/ Annie Zhang

Name:   Peter Illian     Name:   Annie Zhang
Title:   President     Title:   President

 

Signature page to Second Amended and Restated Master Services Agreement


PULSE NETWORK LLC     DINERS CLUB SERVICES PRIVATE LIMITED
By:  

/s/ David R. Schneider

    By:  

/s/ Subhrajit Basu

Name:   David R. Schneider     Name:   Subhrajit Basu
Title:   President     Title:   Vice President
DISCOVER FINANCIAL SERVICES (UK) LIMITED     GTC INSURANCE AGENCY, INC.
By:  

/s/ Diane E. Offereins

    By:  

/s/ Julie Loeger

Name:   Diane E. Offereins     Name:   Julie Loeger
Title:   President     Title:   President
DISCOVER GLOBAL EMPLOYMENT COMPANY PRIVATE LIMITED     DISCOVER SERVICES CORPORATION
By:  

/s/ Roger C. Hochschild

    By:  

/s/ Kelly Tufts

Name:   Roger C. Hochschild     Name:   Kelly Tufts
Title:   President     Title:   President
DISCOVER INFORMATION TECHNOLOGY (SHANGHAI) LIMITED     DISCOVER COMMUNITY DEVELOPMENT CORPORATION
By:  

/s/ Neil Ni

    By:  

/s/ James J. Roszkowski

Name:   Neil Ni     Name:   James J. Roszkowski
Title:   General Manager     Title:   President
DISCOVER PROPERTIES LLC      
By:  

/s/ James J. Roszkowski

     
Name:   James J. Roszkowski      
Title:   President      

 

Signature page to Second Amended and Restated Master Services Agreement


EXHIBIT A to AMENDED AND RESTATED MASTER SERVICES AGREEMENT

SHARED EMPLOYEE ADDENDUM

Each of the following Shared Employees shall have the responsibilities set forth next to their name, and such other powers and authorities as may be prescribed by Discover Bank’s Board of Directors from time to time by resolution or other means, such as set forth in policies approved by the Board of Directors. This Exhibit A may be amended from time to time by Discover Bank, such amendment to be effective on the date of the resolutions approving the Bank Responsibilities of the applicable Shared Employee.

 

  Chief Executive Officer: Responsible for supervising, coordinating and managing the Bank’s business and activities and supervising, coordinating and managing its operating expenses and capital allocation. This includes (i) setting corporate strategy, direction, vision, values; (ii) reviewing/approving business unit strategies and plans; (iii) managing corporate functions such as Finance Department and Law Department; and (iv) ensuring appropriate controls, risk management, and governance. Lead the Board and facilitate productive reviews of the Company’s strategic plans and results.

 

  Chief Operating Officer: Shall report to the chief executive officer and is responsible for day-to-day operating activities of the Bank, including business strategies and revenue and sales and expense management. This includes (i) establishing organizational structure and operating systems within the business units to ensure strategies are achieved; (ii) ensuring implementation of corporate policies, directives, and processes; (iii) translating corporate vision, strategies, and performance targets into business unit plans, targets, and budgets; and (iv) ensuring that business units implement proper regulatory and operational controls and risk management.

 

  Executive Vice President, Head of Finance: Responsible for (i) managing the responsibilities of the Finance Department related to the Bank, including accounting, regulatory reporting, treasury, line of business finance, capital markets and capital functions; (ii) maintaining effective financial, accounting and regulatory reporting controls; and (iii) effective balance sheet management. Ensure implementation and maintenance of effective controls and risk management and ensuring that the Bank manages applicable risks within approved limits and guidelines.

 

  Executive Vice President, General Counsel and Secretary: Responsible for the legal affairs of the Bank, including litigation, corporate transactions, regulatory relations and legal support of the Bank products.

 

  Executive Vice President, Consumer Banking: Responsible for overseeing and managing the student loan, personal loan, home equity loan and deposits businesses. Ensure implementation and maintenance of effective controls and risk management and ensuring that the Bank manages applicable risks within approved limits and guidelines.

 

  Senior Vice President, Credit and Decision Management: Responsible for overseeing and managing the Credit and Decision Management Department, which is responsible for setting credit standards for the credit card, student loan and personal loan businesses. This includes implementing risk underwriting strategies and models across all products and continuing to develop best-in-class analytic competencies in risk, marketing and banking analytics for account acquisition and portfolio management. Ensure implementation and maintenance of effective controls and risk management and ensuring that the Bank manages applicable risks within approved limits and guidelines.


  Executive Vice President, Chief Marketing Officer: Responsible for overseeing and managing the Cashback Bonus and other rewards programs, and fee product management. Responsible for product development and marketing activities of the credit card business and protection products business, including pricing, marketing analytics, marketing operations, e-business marketing, and rewards strategy and marketing. Also responsible for brand and advertising management, utilizing consumer insights to define mass communication strategy, creating multi-channel advertising messages and developing marketing partnerships with sponsorship properties. Ensure implementation and maintenance of effective controls and risk management and ensuring that the Bank manages applicable risks within approved limits and guidelines.

 

  Treasurer: The Treasurer shall have care and custody of all of the funds, securities and other valuables of the Bank. The Treasurer’s responsibilities include recommending strategies for achieving specific asset/liability objectives, administering the day-to-day asset/liability management processes and executing asset/liability management actions, maintaining the securities contained within the investment portfolio and utilizing the purchase and sale of securities to facilitate asset liability management strategies. Treasurer shall also be responsible for capital planning program management. Ensure implementation and maintenance of effective controls and risk management and ensuring that the Bank manages applicable risks within approved limits and guidelines.

 

  Chief Risk Officer: Responsible for managing the Corporate Risk Management Department, a service provider to the Bank, which provides for oversight of risk management and analytics, and independent oversight of consumer and counterparty credit risk, market and liquidity risk, operational risk, model risk and risk arising from third party vendors. Responsible for oversight of the new initiatives program, as well as the incentive compensation program and resolution and capital planning. Also responsible for overseeing the Chief Compliance Officer and the Compliance Department, including the Compliance Department’s activities related to preventative compliance, testing, monitoring and reporting.

 

  Vice President – Home Equity: Responsible for managing the home equity loan business, including product development, pricing, analytics, marketing activities, and operations strategy. Also, ensure implementation and maintenance of effective controls and risk management and ensuring that the Bank manages applicable risks within approved limits and guidelines.

 

  Deputy General Counsel and Assistant Secretary: Responsible for attending all meetings and keeping minutes of the proceedings of the Board and any other committee unless they have chosen another secretary.

 

  Chief Compliance Officer: Responsible for overseeing and managing the activities of the Compliance Department and reporting on the activities of the Compliance Department to the Board and/or the Audit Committee.

 

  Vice President – Corporate Tax: Responsible for managing federal and state tax filings, tax accounting matters and strategic tax planning.


EXHIBIT B to AMENDED AND RESTATED MASTER SERVICES AGREEMENT

FORM OF SERVICES ADDENDUM

This Services Addendum is dated as of         , 20      and is entered into pursuant to and incorporated by reference into the Amended and Restated Master Services Agreement dated as of March 15, 2018 by and among the parties thereto, including each of the undersigned (as amended, the “Master Services Agreement”).                      (the “Servicing Party”) hereby agrees to provide to                      (the “Receiving Party”) the Services described below. The provision of Services hereunder shall be governed by the terms of the Master Services Agreement. All capitalized terms used and not defined herein shall have the meanings ascribed thereto in the Master Services Agreement.

Services to be Provided

In addition to services as agreed from time to time by the Parties, Servicing Party will perform the following Services for, or on behalf of, Receiving Party:

 

        

 

        

 

        

 

        

Shared Employees

Will Receiving Party utilize Shared Employees of the Servicing Party?

Yes/No

For all Services Addenda under which the Bank or a Bank subsidiary is providing services that include Shared Employees, the Bank shall be reimbursed pursuant to a calculation based on an estimate of the percentage of time spent by the Shared Employee on non-bank matters.

Fees, Expenses and Payment for Services to be Provided

Fees for Services to be provided under this Addendum shall be determined for each support function providing services to the Receiving Party largely consistent with an internal management reporting process for allocating costs. The method for determining cost allocation will be made in consultation with the cost center manager for the respective support function and will utilize a combination of one or more of the following cost allocation methods:

 

    Usage: meaning costs will be based on actual or planned costs;

 

    Business specific: meaning that no allocation methods are necessary as the related cost center captures costs of one business exclusively;

 

    Time spent: meaning a direct reflection of the support provided to each business;

 

    Headcount FTE: meaning costs will be allocated to each business based on the percentage of each business’s FTE to sum of total FTE; and

 

    Percentage of operating expenses: meaning certain costs are allocated to businesses based on the overall percentage of costs being absorbed by each business


[All Services Addenda to which the Bank or a Bank subsidiary is a Party shall include the following provision:

The Parties intend for the cost allocation, in all cases, to be on terms and under circumstances, including credit standards (if applicable), that are substantially the same or at least as favorable to the Bank or Bank subsidiary as those prevailing at the time for comparable transactions with or involving unaffiliated third parties. The Parties shall not impose any allocation on the Bank or Bank subsidiary that is inconsistent with that intent and, if it is determined by the Bank or Bank subsidiary in good faith or any regulatory body with supervisory authority over the Bank that an allocation hereunder is inconsistent with that intent, the Parties shall promptly modify the terms accordingly and shall adjust any prior allocations that violate that intent.]

The parties agree that the fees payable to the Servicing Party hereunder shall not exceed the fees the Servicing Party would have received for similar services provided to an unaffiliated third party.]

 

[SERVICING PARTY]     [RECEIVING PARTY]
By:                                                                           By:                                                                      
Name:     Name:
Title:     Title:


Appendix 1

Data Privacy and Information Security

This Appendix 1 (“Appendix”) governs the Second Amended and Restated Master Services Agreement dated as of March 15, 2018 and applies to any and all Services Addenda outstanding under the Master Agreement from time to time (collectively, the “Master Agreement”). Unless otherwise defined in this Appendix, all capitalized terms used in this Appendix have the meanings ascribed to them in the Master Agreement.

1. Scope

1.1. This Appendix sets forth confidentiality, security, and data privacy requirements with respect to Personal Data originating from the European Economic Area (“EEA”) that are processed by a Party in connection with the provision of the services under the Master Agreement (the “Services”).

1.2. In the event of any conflict between the provisions of this Appendix and the provisions set forth in the Master Agreement, the provisions of this Appendix will apply.

2. Definitions

2.1. “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.2. “Processing” or “Process” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

2.3. “The Regulation” means Regulation (EU) 2016/679 (as amended, including by any rules, regulations, implementing acts, delegating acts, national implementing legislation and regulations, and guidance) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and any applicable successor data protection regulation(s).

2.4. “Security Incident” means any breach of security that may lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed in connection with the Services.

2.5. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates. An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity.

2.6. “Sub-Processor” means any data processor engaged by a Servicing Party in connection with the provision of the Services.


2.7. “Supervisory Authority” means a data protection authority or similar regulatory or supervisory body as defined under applicable law or the Regulation.

3. Processing Obligations

To the extent a Servicing Party Processes any Personal Data on behalf of a Receiving Party in connection with the Services, such Servicing Party agrees as follows:

3.1. The Servicing Party will Process Personal Data solely for the purposes of performing the Services under the Master Agreement.

3.2. The Servicing Party will Process Personal Data solely on the basis of and in compliance with documented instructions issued by Receiving Party from time to time. If applicable law requires the Servicing Party (or, for the avoidance of doubt, any Sub-Processor) to conduct Processing inconsistent with any of the Receiving Party’s instructions, or if the Servicing Party believes that any instruction from the Receiving Party is in violation of, or would result in a violation of applicable law, the Servicing Party will promptly notify the Receiving Party thereof prior to commencing the Processing.

3.3. The Servicing Party will keep all Personal Data confidential and impose legally binding confidentiality and information security obligations on any personnel, contractor, Sub-Processor, or other third party that Process or otherwise have access to Personal Data; such obligations will meet or exceed the requirements set forth in applicable law and will survive the termination of the employment relationship.

3.4. The Servicing Party will not obtain any rights or title to any Personal Data by virtue of providing the Services, and may not determine the purposes for which Personal Data it receives under the Master Agreement may be Processed or otherwise used.

3.5. Where the Servicing Party, in accordance with the Agreement, engages a Sub-Processor for carrying out specific Processing activities, the Servicing Party must enter into a written agreement with the Sub-Processor that imposes the same data protection obligations and restrictions as set forth in this Appendix on the Sub-Processor. Such agreement must provide sufficient guarantees to implement appropriate technical and organizational measures such that the Processing will meet the requirements of applicable law including the Regulation.

3.6. At any time upon the Receiving Party’s request, the Servicing Party will make available a list of all Sub-Processors that Process or may Process Personal Data in connection with the Services. This list shall also specify all geographic locations where Processing by such enumerated Sub-Processors may take place. The Servicing Party will inform Discover of any intended changes concerning the addition or replacement of Sub-Processors. The Receiving Party may object to such change(s) if the Receiving Party believes the new Sub-Processor represents an unacceptable risk to the protection of Personal Data. Irrespective of the Receiving Party’s objection to (or lack of objection to) Sub-Processors engaged by the Servicing Party, the Servicing Party agrees it is liable to the Receiving Party for the acts and omissions of its Sub-Processors to the same extent that the Servicing Party would be liable if performing the services and/or Processing of each Sub-Processor directly.

4. International Transfers

The Servicing Party represents and warrants that it has a legitimate business purpose and valid legal basis under applicable law for any transfers of Personal Data outside the EEA. At the Receiving Party’s request, the Servicing Party will provide the Receiving Party with copies of any instruments upon which it bases transfers outside the EEA of any Personal Data related to the Services.


5. Information Security and Security Incidents

5.1. The Servicing Party represents and warrants that it has implemented and will maintain technical and organizational measures designed to secure Personal Data and to prevent accidental, unauthorized or unlawful access, destruction, disclosure, alteration or loss of the Personal Data, and further represents and warrants that such measures are and will remain appropriate in light of the risks presented by the Processing and the nature of the Personal Data to be protected. The Servicing Party will also comply with any specific measures required by applicable laws, the Regulation, and guidance from competent administrative, regulatory, or supervisory bodies. These measures will include, but are not limited to, (i) the pseudonymization and encryption of Personal Data, as appropriate; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational security measures. The Servicing Party represents and warrants it will adapt its security measures on an ongoing basis in accordance with the development of regulations and the state of available technology, such that they continually satisfy the standards and requirements of this Section.

5.2. The Servicing Party represents and warrants that it has in place appropriate technical and organizational security measures to ensure compliance with applicable laws, including the Regulation. Additionally, at the request of the Receiving Party, the Servicing Party will provide the Receiving Party with a comprehensive and up-to-date risk assessment that identifies all risks to Personal Data within Servicing Party’s organization, classifies the risks according to anticipated severity, and identifies the technical and organisational security measures the Servicing Party has implemented to protect against each identified risk. As an alternative, the Servicing Party may provide a current information security certification that is generally recognized within the Servicing Party’s industry as providing reasonable assurance of a high standard of security for Personal Data, and is issued only after a third-party organisation has conducted a risk assessment similar to that required by this Section.

5.3. The Servicing Party will promptly, and in no event later than twenty-four (24) hours, notify the Receiving Party of any Security Incident. The notification will expressly set forth (i) the nature of the Security Incident; (ii) the categories and approximate number of Personal Data records concerned; (iii) the identity and contact details of a contact person (including, where applicable, the identity and contact details of a Data Protection Officer); (iv) the likely consequences of the Security Incident; and (v) the measures taken or proposed to minimize possible harm. Company shall fully cooperate with and provide any additional information requested by the Receiving Party to investigate the Security Incident. Furthermore, the parties are aware that applicable laws (including the Regulation) may impose a duty to inform the Supervisory Authority or affected Data Subjects in the event of a Personal Data Breach. The Servicing Party agrees it will fully cooperate with and assist the Receiving Party in providing notice to the Supervisory Authority and/or affected Data Subjects, as the case may be.

6. Cooperation and Enquiries

6.1. The Servicing Party shall make available to the Receiving Party all information that is necessary for the Receiving Party to fulfill its obligations under applicable law, the Regulation, and the terms of this Appendix, including demonstrating compliance therewith.


6.2. The Parties agree to cooperate with each other to promptly and effectively handle enquiries, complaints, audits, or claims from any court, governmental official, Supervisory Authority, third parties or individuals (including but not limited to the Data Subjects). The Servicing Party will inform the Receiving Party of any such enquiry, complaint, audit or claim without undue delay and at the latest within three (3) days of receipt, except and solely to the extent prohibited by applicable law.

6.3. With regards to the protection of the Data Subject’s rights pursuant to applicable law and the Regulation, the Servicing Party will fully cooperate with and assist the Receiving Party in responding to such Data Subjects requests. If a Data Subject contacts the Servicing Party to exercise his individual rights, the Servicing Party will (unless instructed otherwise) direct such Data Subject to the Receiving Party, will inform the Data Subjects that they may exercise these rights solely vis-à-vis the Receiving Party, and will further communicate with the Data Subject solely in accordance with the Receiving Party’s instructions. The Servicing Party agrees to implement technical and organizational measures that will permit it to promptly facilitate the execution of such requests at the Receiving Party’s request, such as requests for access, rectification, erasure, restriction or portability of Personal Data.

6.4. Where the Receiving Party determines it is obligated under applicable law, the Regulation, or policy to conduct privacy and/or security assessments, such as a data protection impact assessment (“DPIA”) under the Regulation, the Servicing Party will fully cooperate with and assist the Receiving Party in fulfilling its obligations. Additionally, if the Receiving Party determines that applicable law, the Regulation, or policy requires the Receiving Party to consult with or seek guidance from a Supervisory Agency or other regulatory body prior to commencing or in connection with any particular Processing, the Servicing Party will fully cooperate with and assist the Receiving Party in fulfilling its obligations.

6.5. At the request of the Receiving Party, the Servicing Party agrees to provide the Receiving Party with a record of Processing activities performed on the Receiving Party’s behalf in the form and containing such information as requested by the Receiving Party.

7. Audit

7.1. Upon the Receiving Party’s written request, the Servicing Party will make available to the Receiving Party documentation sufficient to demonstrate that the Servicing Party’s Processing of Personal Data complies with applicable law, including the Regulation; the Receiving Party agrees to reasonably cooperate with the Servicing Party to identify any particular documentation that may be required. Such documentation will include a copy of all third-party certifications and/or audits, in their then-most-current form, that relate to the Servicing Party’s compliance with data protection, privacy, or information security standards or requirements.

7.2. If, in the Receiving Party’s reasonable discretion, the documentation provided by the Servicing Party under Section 7.1 fails to demonstrate the Servicing Party’s compliance with any provision or aspect applicable law, the Receiving Party may perform an audit of the Servicing Party that includes on-site inspection, for which the Receiving Party agrees to provide thirty (30) days’ notice. The Servicing Party agrees to permit and reasonably contribute to such audit, and to ensure that its Sub-Processors permit and contribute to the audit as the Receiving Party reasonably deems necessary.

8. Term and Survival

8.1. Term. This Appendix shall remain in force until the date on which the Master Agreement expires or is terminated in accordance with its terms.


8.2. Survival. The provisions of this Appendix with respect to confidentiality (Section 3.3), cooperation and enquiries (Section 6), survival (Section 8.2), and return and deletion of Personal Data (Section 9) will survive the termination of the Appendix.

9. Return/Deletion of Personal Data

Upon termination of the Master Agreement, the Servicing Party, at the option of the Receiving Party, will (i) return all Personal Data Processed in connection with the Services to the Receiving Party in a structured, commonly used, and machine-readable format, and will irretrievably delete existing copies and backups, or (ii) destroy and irretrievably delete all Personal Data Processed in connection with the Services, including materials or media containing such Personal Data, and including all copies and backups. Servicing Party agrees to certify deletion meeting the requirements of this Section upon the Receiving Party’s request.

10. Governing Law

This Appendix will be governed by and construed in accordance with the laws of the jurisdiction identified in the Master Agreement as providing the law applicable to the Master Agreement, if any, except and solely to the extent that a court or administrative body of competent jurisdiction determines that mandatory provisions of applicable data protection law require otherwise.

11. Modification of the Appendix

This Appendix may only be modified by means of a written amendment to the Master Agreement signed by all Parties.

12. Invalidity and Severability

If any provision of this Appendix is found by any court or administrative body of competent jurisdiction to be void, invalid, illegal or otherwise unenforceable, all other terms and provisions of this Appendix shall nevertheless remain in full force and effect, and the invalidity or unenforceability of such provision will not adversely affect the enforceability of any other provision of this Appendix. The parties agree that in the place of the invalid provision, a legally binding provision shall apply which provides for the greatest protection of personal data and most closely approximates what the parties would have agreed to if they had contemplated the partial invalidity.