The purpose of the Unfair, Deceptive or Abusive Acts or Practices requirements and procedures is to describe the approach of NanoKard (the “Company”) for effectively managing and overseeing “unfair, deceptive or abusive acts or practices” (UDAAP), including compliance with applicable laws and regulations. UDAAP practices are prohibited in the United States by Section 1036 of the Dodd-Frank Act.
The Company will use commercially reasonable efforts to be clear in all communication with its Participants, Merchants, and other customers and to treat them fairly in all circumstances. The Company will require each Merchant to refrain from engaging in any unfair, deceptive, or abusive act or practice.
While all Company employees and partners have responsibility to ensure they are following the requirements of this policy, the primary users of this policy include Human Resources, Product Development, Operations, Finance, Underwriting, Legal, and Risk Management. All employees have received training on this policy and these requirements upon hiring. Any changes to the policy are updated in the Employee Handbook.
All employees of the Company are responsible for ensuring the Company’s compliance with all UDAAP policies, procedures and practices. Any suspected UDAAP violation, threatened litigation, or regulatory inquiry must immediately be brought to the attention of the Director of Compliance.
The Underwriting Team is trained to investigate and reasonably attempt to identify any unfair, deceptive, or abusive acts or practices engaged in by any Merchant in connection with their ongoing monitoring of each Merchant. Any identified issues (including without limitation those found in connection with the compliance and risk monitoring portions of this Policy) will be escalated to the Director of Compliance and/or the Company’s legal department.
The Director of Compliance’s responsibility includes investigation of identified issues and subsequent investigation into any unfair, deceptive or abusive acts or practices. Upon investigation, the Director of Compliance notifies Senior Management of any changes needed. Changes may include termination of a merchant account.
The General Counsel will, as part of its internal audit procedures, evaluate the activities, processes, marketing materials, and actions of the Company to identify any unfair, deceptive, or abusive acts or practices. Any identified or potential violations will be promptly escalated to the Director of Compliance and Senior Leadership Team.
The following section describes the Unfair, Deceptive or Abusive Acts or Practices (UDAAP) Policy in detail.
Violations of UDAAP laws and regulations and/or this Policy by the Company or its Merchants may result in one or several of the following for the Company and/or its workforce members personally:
• Substantial fines.
• Orders for Restitution.
• Regulatory Enforcement Actions.
• Loss of the Company’s ability to engage in financial activity.
• Disciplinary action up to and including termination of employment.
An objective and internal risk assessment of the Company that includes UDAAP compliance shall be conducted by the Company’s internal audit team annually or more frequently as otherwise may be required by law, regulation, or policy. The purpose of the Assessment is to assess the Company’s compliance with applicable UDAAP and consumer protection laws and regulations. The internal review should assess the UDAAP related policies, procedures, internal controls, record keeping and reporting functions and training implemented, performed, or used by the Company.
A risk profile will be created for each Merchant in connection with underwriting, due diligence, monitoring, and risk identification procedures as set forth in the Company’s Compliance Policy and Risk Policy. In connection with these processes, the Company’s compliance team will evaluate the likelihood of a Merchant’s non-compliance with UDAAP laws and regulations. This evaluation will be updated upon any material modifications to the Merchant’s account. Each Merchant’s activity will be reasonably monitored on an ongoing basis, as part of the Company’s risk management, to identify a Merchant’s non-compliance with UDAAP laws and regulations.
The Audit team shall document the Risk Assessment process and findings and include a statement regarding the scope of the procedures performed, the specific procedures and controls tested, and the basis for conclusions regarding the adequacy of procedures and controls. The Audit team shall also determine root causes for deficiencies and make recommendations for improving the overall program. The report shall be submitted to the Company’s Board of Directors or management team, which shall be responsible for reviewing the report and developing a response, if necessary. If it is determined that any Merchant is violating UDAAP laws or regulations, or is likely to be violating UDAAP laws and regulations, such Merchant account shall immediately be frozen pending an investigation by the Company’s compliance team, and the finding will be reported to the sponsor bank. If appropriate based on the findings during such investigation, the Merchant account will be terminated.
The Director of Compliance shall provide, or have a qualified employee or third party provide, adequate training to all appropriate workforce members with respect to compliance with UDAAP laws and regulations, the Company’s Risk Policy, and other relevant policies, standards, laws, regulations, and procedures. The Director of Compliance shall ensure that:
1. Initial and ongoing training is provided to all appropriate workforce members to establish and maintain their familiarity with relevant requirements, identification of suspected UDAAP violations, and to inform personnel of any new or changed requirements.
2. Refresher training is held on an annual basis, or more frequently as appropriate in light of changes in law, or other developments.
3. Outside experts and consultants are used, as appropriate, to develop, maintain and conduct effective UDAAP training sessions and materials.
The Director of Compliance shall be responsible for overseeing and monitoring the UDAAP training provided to the Company’s personnel.
All consumer facing agreements, terms, conditions and notices (collectively “Disclosures”) used in connection with the Company’s services must be reviewed and approved by the Company’s legal counsel and Director of Compliance prior to being distributed to ensure they are clearly communicated. Following initial approval, consumer facing Disclosures will be reviewed as necessary and whenever there are changes in law or regulation that affect the Disclosures, and in all instances prior to any material change or amendment. Only those Merchant agreements approved by the Company’s legal counsel and sponsor financial institution will be used and no modifications will be made without the consent of the foregoing.
All marketing, advertising and solicitation material distributed to the public through all channels (direct mail, internet, telephone, etc.), used in connection with the Company’s products and services must be reviewed and approved by the Company’s legal department and Director of Compliance prior to being published to ensure:
1. The message is complete and accurate.
2. The material could not mislead the average customer of the target market.
3. There is no explanation missing, given the Company’s system and operational abilities.
4. The overall impression of the material is accurate, including:
a. The general message is big enough to attract attention.
b. Wording and formatting are understandable.
c. All information is in a location where the consumer can be expected to look.
The marketing material used by each Merchant (and minimally the Merchant’s website) will be reviewed by a member of the Compliance Team in connection with the underwriting process and monitored thereafter to identify and evaluate its completeness, accuracy, and likelihood to mislead any consumer.
All fees, penalties and charges assessed in connection with the Company’s products and services must be reviewed and approved by the Company’s legal counsel and Director of Compliance to ensure that they are clearly, conspicuously and accurately disclosed. All related marketing material and disclosures will be evaluated to ensure they clearly, accurately, and conspicuously disclose all relevant details of the program, including applicable fees, penalties, and charges. The Company’s agreement with each Merchant will require that such Merchant clearly discloses all fees, penalties, and charges to each of their customers, and the underwriting process will include a review of the fee structure of each Merchant.
All new products, features and services offered by the Company must be reviewed and approved by the Company’s legal counsel and Director of Compliance in advance of being offered to the public to ensure fairness and transparency to the customer including, but not limited to the Company being able to deliver on its representations and promises and that any fees associated with the product, feature or service. Merchants will be prohibited from changing their business type or making material changes to their products or services without notifying the Company. The Company’s risk monitoring will use reasonable efforts to identify Merchants which fail to notify the Company of such change. In connection with any such change, the Company’s compliance team will review and perform additional due diligence on such Merchant as appropriate.
The Director of Compliance tracks and reviews consumer complaints and the Company’s responses to verify that they are being investigated and responded to in a timely and appropriate manner. This review also serves to identify patterns or trends indicating consumers felt misled. The Director of Compliance presents periodic reports to the Company’s Board of Directors or management team regarding the findings, results, themes and/or trends from the review of consumer complaints and, where appropriate, makes recommendations for improving the UDAAP risk program. The Company’s Compliance Team reviews consumer complaints in connection with each Merchant as part of its initial due diligence and ongoing monitoring efforts to identify any UDAAP risks associated with such Merchant and perform additional investigations into such risk as appropriate.
All vendors, third party service providers and agents that offer services to the Company customers directly, support or facilitate the Company’s services offered to Merchants, or that are material in the delivery of the Company’s products and services to customers are subject to a robust due diligence review that will consider:
1. The legitimacy and reputation of the vendor.
2. The registration of the vendor with the appropriate card brands.
3. The data security measures employed by the vendor.
4. The indemnification obligations and financial condition of the vendor.
5. The use and value of the vendor’s product and/or service.
Vendors are subject to re-approval on a periodic basis that considers their performance over the prior period. The Company has established vendor service level expectations for its key vendors and such expectations are explicitly detailed within the contractual agreements. The Company requires vendors to develop and implement reports to measure performance against those expectations. The Company prohibits Merchants from using vendors or third-party service providers which have not been approved by the Company.
The Company UDAAP Program is risk-based, derived through a risk assessment of the Company’s and each Merchant’s products, services, complexity of products and services, delivery channels, operations, customer types, marketing strategy, new product and service development, advertisements and solicitations, pricing and profitability and third-party service providers. The purpose of the assessment is to ensure that the Company and such Merchants have appropriate risk mitigation, policies, procedures and internal controls in place to minimize UDAAP compliance risk.
The Director of Compliance or their designee conducts the UDAAP risk assessment on an annual basis or more frequently as may be necessary to consider the impact to the Company’s risk profile as a result of changes to the Company’s business environment including but not limited to new Merchants, products, services, changes to existing products or services, and expanded geographies. New Merchants, products, or services shall be evaluated in advance of any product or service offering. New delivery channels shall be evaluated in advance of any plans to make such delivery channels operative. The foregoing shall not preclude ongoing monitoring of the Company and each of its Merchants for UDAAP compliance.
The Company’s Board of Directors and Senior Management reviews and approves the results of the annual risk assessment. The Company’s Board of Directors is responsible for ensuring that any deficiencies identified in the risk assessment are addressed in a timely manner. The Company’s Board of Directors shall track all deficiencies identified in the risk assessment and the corrective actions taken. The VP Corporate Affairs (with outside counsel as needed) documents all corrective actions taken by the Company. Merchants deemed to be engaging in any unfair, abusive, or deceptive acts or practices will be promptly terminated, reported, and if applicable placed on the MATCH list.
The Director of Compliance is responsible for maintaining documentation demonstrating review and approval of all Disclosures, marketing material and new products, features and services, and training. Such documentation shall be retained for seven (7) years. Additionally, material related to a Merchant will be documented and retained for the term during which such Merchant is using or contracted with the Company (whichever is longer) and seven (7) years thereafter.
Deceptive Acts & Practices
An act or practice is deceptive when there is a representation, omission or practice that is likely to mislead consumers who are acting reasonably in the circumstances presented and the representation, omission, or practice is material. Deceptive acts include false statements, misleading claims, bait and switch situations or omitting material information that impacts product or service choice.
Unfair Acts or Practices
An act or practice is unfair when it causes or is likely to cause substantial injury to consumers which cannot be reasonably avoided and is not outweighed by countervailing benefits to consumers or to competition. Unfair acts are triggered when material information is withheld regarding a product or service such that the consumer cannot make an informed choice or when the consumer is coerced into an unwanted product or service.
Abusive Acts or Practices
An act or practice is abusive if it materially interferes with the ability of a consumer to understand a term or condition of a product or service or takes unreasonable advantage of:
1. A lack of understanding on the part of the consumer of the material risks, costs or conditions of the product or service.
2. The inability of the consumer to protect their interests in selecting or using the financial product or service.
3. The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.
• U.S. Code § 5531. Prohibiting unfair, deceptive, or abusive acts or practices
• U.S. Commodity Futures Trading Commission: Dodd Frank Act
The Chairman approves this Policy. The Board of Directors can provide input and revisions to the Policy.
Relevant employee notifications and training can be found in the Employee Handbook.
Information systems are a growing and important resource for NanoKard ISO-Agents, one that can provide critical competitive advantage to NanoKard in the form of information gathering, improved external communications, and increased customer/merchant responsiveness. As more and more of our ISO-Agents use Information Systems to connect with merchants/customers, suppliers and other key organizations, it is important that NanoKard ISO-Agents understand and agree on the appropriate procedures to protect NanoKard assets.
In accordance with the company’s due diligence processes, this NanoKard ISO-Agent Data Security Policy provides useful tips and techniques to promote effective use of NanoKard assets and usage. It applies to all NanoKard systems located on or accessed from NanoKard property and systems provided by NanoKard for use in NanoKard business, and should be applied to systems used independently by ISO-Agents.
This policy applies to all NanoKard ISO-Agents that have access to NanoKard Information Resources and, as stated above, should be applied to systems used independently by ISO-Agents.
NanoKard utilizes sophisticated computer and communications systems to assist ISO-Agents in performing their job functions. These technologies support our business activities by enabling closer, more effective and timely communications among ISO-Agents within NanoKard and with our merchants, customers, partners and vendors worldwide. These guidelines advise all users regarding the access to and the disclosure of Information Systems. These guidelines establish expectations for all ISO-Agents concerning the disclosure of information via NanoKard assets and usage.
NanoKard maintains and uses many facilities, equipment, and communication systems including, among others, telephones, regular mail, special delivery services, E-mail, voice mail, fax machines, computers, laptops, iPads, cell phones, etc., which are all designed to make NanoKard operations effective and efficient. NanoKard assets and usage are provided to ISO-Agents at NanoKard expense to assist in carrying out NanoKard business. Some of these systems may permit ISO-Agents to communicate with each other internally and with other parties externally. As with all NanoKard assets, NanoKard assets and usage are for official NanoKard business only. Access to NanoKard assets and usage is provided in conjunction with the official NanoKard business and individual job responsibilities. Use of NanoKard assets and usage is subject to these policies and guidelines and other relevant NanoKard policies and procedures.
At no time may NanoKard ISO-Agents use removable media, such as USB flash drives among others, to store or transport files or any other intellectual property from a digital and data standpoint.
A. Information Access, Content, and Use
NanoKard makes every effort to provide its ISO-Agents with high quality technology to conduct NanoKard's official business. NanoKard has installed, at substantial expense, Information Resources to conduct its official business.
This document addresses general Information Systems policies and guidelines, specific issues related to appropriate content, and ISO-Agent use of NanoKard assets and usage. All employees, departments and ISO-Agents are required to follow these general policies and guidelines. All NanoKard employees and ISO-Agents with access to NanoKard assets and usage are required to read, understand and comply with NanoKard's policies.
NanoKard assets and usage are owned by NanoKard and are to be used for business purposes only in serving the interests of NanoKard customers/merchants and in the course of normal business operations.
The use of NanoKard facilities, property, equipment, or communication systems is limited to Data Security and acceptable use as defined in these policies and guidelines. No NanoKard equipment or communications systems, including without limitation all hardware and software, may be removed from NanoKard property without prior express consent of NanoKard.
Personal equipment, including without limitation all computer hardware and software, may not be brought onto NanoKard premises or be used for NanoKard official business without the prior express consent of the CEO of NanoKard. ISO-Agents are not to use their personal accounts or use NanoKard equipment to reach personal sites unless it is for legitimate business purposes.
NanoKard encourages the use of NanoKard assets and usage for business when such business can be accomplished consistent with the following policies and guidelines identified in this document. When using Information Systems, ISO-Agents shall conduct official NanoKard business consistent with NanoKard's mission statement. Official NanoKard business shall comply with all applicable federal and state statutory requirements as well as standards for integrity, accountability, and legal sufficiency. Thus, official NanoKard business conducted via the Internet should meet or exceed the standards of performance for traditional methods (e.g. meetings, use of telephone).
ISO-Agents shall base decisions to use NanoKard assets and usage on sound business practices. The conduct of business using NanoKard assets and usage is particularly compelling where costs are reduced and/or the services provided by NanoKard are improved in measurable ways. When using NanoKard assets and usage, NanoKard ISO-Agents shall promote and maintain a professional image.
NanoKard ISO-Agents shall disseminate information that is current, accurate, complete, and consistent with NanoKard policy. Information released via NanoKard assets and usage is subject to the same official NanoKard policies for the release of information via other media (such as printed documents), so that the information disclosed avoids potential problems with copyrights, trademarks, and trade secrets. Information accuracy is particularly important.
NanoKard ISO-Agents shall protect confidential and proprietary information entrusted to NanoKard. Questions regarding confidential or proprietary information should be directed to NanoKard management, the Legal department or his/her designee.
B. Protecting Confidential Information
Maintaining the confidentiality of sensitive information is crucial to NanoKard's success. Confidential information stored on or carried over NanoKard assets and usage could become the subject of accidental or intentional interception, mis-delivery, hacking or even unauthorized internal review unless ISO-Agents take the necessary precautions outlined in these guidelines.
NanoKard has developed specific procedures to ensure the protection of confidential information. ISO-Agents should exercise care when communicating any potentially confidential information outside of NanoKard, as no electronic communications facility is completely secure.
Data shall be classified per the Data Retention Policy. All confidential data should be marked with "Confidential," "Do not reproduce," "Not to be reproduced without approval," or "Do not forward." All E-mail messages containing confidential information should contain "Confidential" in the subject header.
Some directories in NanoKard assets and usage contain sensitive or confidential data. Access to these directories shall be restricted. Unauthorized attempts to circumvent such access restrictions are violations of these Guidelines and may result in action, up to and including, without limitation, termination of contract agreements, and legal action.
ISO-Agents must refrain from entering into discussions with third parties regarding NanoKard's business prospects or financial condition. ISO-Agents should not discuss future products, services, features or functionality unless NanoKard has previously disclosed such information in a press release or through some other public disclosure. Such information is proprietary to NanoKard and constitutes valuable information that should be protected as a trade secret. The release of such information could become the subject of criminal prosecution.
ISO-Agents are asked to respect the privacy of individuals who send them messages. ISO-Agents should protect voice mail and E-mail accounts from unauthorized access. Appropriate protection procedures include ensuring proper password protection to these accounts, closing E-mail messages after reading them and deleting all messages when they are no longer needed.
ISO-Agents shall not place NanoKard material (e.g. copyrighted software, internal correspondence) on any publicly accessible Internet computer without prior permission.
The Internet does not guarantee the privacy and confidentiality of information. Sensitive material transferred over the Internet may be at risk of detection by a third-party. ISO-Agents must exercise caution and care when transferring such material in any form.
C. Copyrighted Information
NanoKard respects the intellectual property rights of other companies and individuals. Use of all copyrighted material, including literature, software, and graphics shall comply with relevant, valid license terms. NanoKard assets and usage may provide access to materials protected by copyright, trademark, patent, and trade secret and even export laws. ISO-Agents should not assume that merely because information is available on an electronic information system, such as the Internet, that it may be downloaded or further disseminated. No copyrighted material should be copied, transmitted, posted, or otherwise distributed without such compliance. If a question arises as to the propriety of downloading information, NanoKard management should be consulted.
All material trademarked or copyrighted by NanoKard should be marked with the appropriate trademark or copyright designation. No NanoKard ISO-Agents should remove trademark and copyright notices from third party material.
NanoKard's license to use software is carefully set forth in legal agreements that NanoKard has with the developers and distributors of the software. ISO-Agent use of software must be in compliance with those agreements. If NanoKard gives an ISO-Agent the opportunity to use certain software, copying of that software is strictly prohibited. Loading of software of a personal interest is prohibited unless ISO-Agents are given prior express consent by NanoKard management. When an ISO-Agent no longer has a contract agreement with NanoKard, all NanoKard owned software, licenses, and media will remain with NanoKard.
Unless otherwise noted, all software on the Internet should be considered copyrighted work. Therefore, ISO-Agents are prohibited from downloading software and/or modifying any such files without permission from the copyright holder.
D. Privacy Statement
This policy is intended to guide ISO-Agents in the performance of their duties. It is also intended to place ISO-Agents on notice that ISO-Agents should expect NanoKard assets and usage, and their contents, to be confidential or private. All data, including any that is stored or printed as a document, is subject to audit and review by NanoKard in its sole discretion.
No ISO-Agent has a reasonable expectation of personal privacy with respect to the use of any of NanoKard facilities, property, equipment, or communications systems. This includes anything created or received on NanoKard assets and usage even if used for business purposes and in the normal course of NanoKard operations.
NanoKard reserves the right, but not the obligation, to monitor use of NanoKard assets and usage including without limitation the Internet, E-mail, computer transmissions, and electronically stored information created or received by NanoKard ISO-Agents with NanoKard's Information Systems. All computer applications, programs, and work-related information created or stored by ISO-Agents on NanoKard's Information Systems are NanoKard property. The same expectation applies to ISO-Agent usage of Internet, E-mail, personal computer transmissions, and electronically stored information created that could contain data related to merchants, clients, and customers.
E. Monitoring and Inspecting Information Systems
NanoKard assets and usage are provided for official NanoKard business. NanoKard assets and usage are owned and controlled by NanoKard and are accessible at all times by NanoKard for maintenance, upgrades and other business or legal purposes.
All Information Systems, including the messages and data stored on the systems, are and remain at all times the property of NanoKard, subject to applicable third-party intellectual property rights such as copyrights. By virtue of continued contract agreement and use of NanoKard systems, all ISO-Agents are considered to have consented to monitoring and other access by authorized NanoKard personnel. NanoKard reserves the right to conduct inspections for violations of NanoKard policies.
NanoKard reserves the right to access and conduct an inspection or search of all in-house directories, indices, files, databases, faxes, NanoKard computer hardware and software, voice mail, E-mail and communication systems or deliveries sent to any NanoKard location, and other Information Resources, no matter to whom they are addressed, with no prior notice. NanoKard may also cancel or restrict any ISO-Agent's privilege to use any or all of its facilities, equipment, property, or communication systems.
It is expected that ISO-Agents take the same steps to conduct inspections or searches of all personal directories, indices, files, databases, faxes, hardware and software, voice mail, E-mail and communications systems or deliveries sent to merchants, clients and customers for any breaches or violations of data protection/security.
If an ISO-Agent refuses to cooperate with a search or inspection for legitimate business purposes that is based on reasonable suspicion that the ISO-Agent is in possession of prohibited materials, NanoKard may take that refusal into consideration in determining appropriate action. An ISO-Agent's refusal to provide requested information to NanoKard management will be considered additional grounds for action. Action, including contract termination and/or legal action, will be based on all available information, including the information giving rise to the inspection or search.
NanoKard employee access to on-line services, the Internet, blogs, social media sites, or other communications networks is prohibited unless NanoKard has provided prior express consent. As such, no NanoKard equipment, telephone lines, or on-line services may be used to view or download offensive, discriminatory or pornographic material.
NanoKard management may examine ISO-Agents’ communications or files, and such examination should be expected to occur in various circumstances when necessary, including, but not limited to:
● Ensuring that NanoKard systems are not being used to transmit discriminatory, harassing or offensive messages of any kind.
● Determining the presence of illegal material or unlicensed software.
● Ensuring that communication tools are not being used for unauthorized, disruptive, or improper uses.
● Investigating allegations or indications of impropriety.
● Locating, accessing and/or retrieving information in an ISO-Agent's absence.
● Responding to legal proceedings and court orders in the preservation or production of evidence.
NanoKard reserves the right to review ISO-Agent use of and to inspect all material created by or stored on NanoKard assets and usage. NanoKard reserves the right to monitor all use of Information Systems to access, review, copy, delete, or disclose messages and data derived from any use. All messages or data become property of NanoKard, subject to access, review, duplication, deletion, or disclosure by NanoKard management or by other personnel authorized by NanoKard. ISO-Agents should be aware that billing practices, firewall protections, and traffic flow monitoring programs often maintain detailed audit logs setting forth addresses, times, durations, etc. of communications both within and external to NanoKard. ISO-Agents should treat NanoKard assets and usage with the expectation that communications will be available for review by authorized personnel of NanoKard for legitimate business purposes at any time.
NanoKard reserves the right to access, review, duplicate, delete or disclose for legitimate business purposes any communications, messages or data derived from use of NanoKard's Information Systems.
F. Storing and Archiving Information
NanoKard has developed specific archival procedures to ensure the safe retention of electronic data. The expectation is that ISO-Agents have the same or similar archival procedures in place on their systems. As a matter of procedure and the following guidance, ISO-Agent files are/should be subject to routine back-up procedures. Copies of documents and electronic messages may be retained for long periods of time. By virtue of various archival practices employed at NanoKard, any messages or data stored, even temporarily, on NanoKard assets and usage may be copied to magnetic or other storage media without the specific knowledge of the individual creating the messages or data. Such archives are and remain NanoKard property and may be used by NanoKard for any business purpose. Simply deleting messages or data from these Information Systems does not provide privacy with regard to such messages or data. The length of time that such archives may be maintained can be almost indefinite. ISO-Agents may be required to preserve their electronic data based on pending litigation and/or investigations by NanoKard.
G. ISO-Agent Usage
Each ISO-Agent has the responsibility of complying with NanoKard policies and guidelines provided in this document. Failure to do so may result in adverse action, including without limitation termination of contractual agreements and legal action.
The use of Information Systems is restricted to official NanoKard business. Personal use of or time spent for personal gain is strictly prohibited unless NanoKard gives prior express consent. Inappropriate personal use includes the creation, downloading, viewing, storage, copying, or transmission of sexually explicit or sexually oriented materials, materials related to illegal gambling, illegal weapons, terrorist activities, and any other illegal activities or activities otherwise prohibited. In addition, any Internet use that could cause congestion, disruption of normal service, or general additional NanoKard expense is prohibited.
Hacking or unauthorized attempts or entry into any other computer is forbidden. Such an action is a violation of the Federal Electronic Communications Privacy Act (ECPA) 18 U.S.C. § 2510.
Sending threatening, slanderous, racially and/or sexually harassing messages is strictly prohibited. The representation of yourself as someone else, real or fictional, or a message sent anonymously is prohibited.
ISO-Agent should be aware that NanoKard assets and usage and the World Wide Web are not censored and contain information some users may find offensive. NanoKard cannot accept responsibility for what the ISO-Agent accesses. However, if offensive material is accessed, ISO-Agent shall disengage from the material immediately.
ISO-Agent shall not copy or transfer electronic files without prior permission from the CEO of NanoKard. Almost all software is subject to Federal copyright laws. Care should be exercised whenever accessing or copying any information that does not belong to the ISO-Agent. When in doubt, consult NanoKard management. Unauthorized or illegal use of third-party intellectual property is prohibited. Such use includes, but is not limited to, downloading or using copyrighted or patented software, video and audio clips or documents on NanoKard assets and usage in a manner inconsistent with relevant license terms or other intellectual property rights.
Downloading a file from the Internet can infect NanoKard systems with a virus. ISO-Agent shall not circumvent or disable NanoKard standard virus prevention software and/or Information Resource security mechanisms.
ISO-Agent shall not send, post, or provide access to any confidential NanoKard materials or information to anyone outside of NanoKard.
ISO-Agents are obligated to cooperate with any investigation that NanoKard management has authorized regarding the use of ISO-Agent computer equipment.
Alternate Internet Service Provider connections to the NanoKard internal network are not permitted unless prior express consent has been given by NanoKard management and the connection is properly protected by a firewall or other appropriate security device(s).
If ISO-Agent are using information from an Internet site for strategic official NanoKard business decisions, ISO-Agent should verify the integrity of that information. ISO-Agent should verify whether the site is updated on a regular basis (the lack of revision date might indicate out-of-date information) and that it is a valid provider of the information.
NanoKard has no control or responsibility for content on an external server not under the control of NanoKard. Information may be offensive and/or unsuitable for dissemination.
Do not upload or download large files during prime hours due to the network impact on other users. Information Systems may have limits regarding disk space usage. Documents take up space; therefore, ISO-Agent should regularly delete and/or archive any files ISO-Agent wish to save.
ISO-Agent using NanoKard accounts are acting as representatives of NanoKard. As such, ISO-Agent should act accordingly so as not to damage the reputation of NanoKard.
H. Information Systems Awareness
ISO-Agent use of Information Systems containing merchant, client, or customer data is the responsibility of each ISO-Agent. The practices listed below are not all-inclusive, but rather designed to remind each ISO-Agent of the need to raise their Information Systems awareness.
● Protect equipment. Keep all equipment in a secure environment and keep food and drink away from electronic systems. Know where the fire suppression equipment is located and how to use it in an emergency.
● Protect areas. Keep unauthorized people away from equipment and data. Challenge strangers in company or restricted areas.
● Protect passwords. Never write a password down or give it to anyone. Don't use names, numbers or dates that are personally identified with the ISO-Agent. Change the password often and change it immediately if it has been compromised.
● Protect files. Don't allow unauthorized access to employees’ files and data. Never leave equipment unattended with the password activated – log off.
● Backing up data. Keep duplicates of critical data in a safe place.
● Report security violations. ISO-Agent should inform NanoKard management if ISO-Agent see any unauthorized changes to data. Immediately report any loss of data or programs, whether automated or hard copy.
K. Protecting Information Systems From Viruses
NanoKard provides virus protection software to help safeguard Information Systems. These systems are not totally foolproof. As such, ISO-Agents should be particularly cautious when opening any E-mail with an attachment.
ISO-Agent should ensure personal computers have anti-virus software. Viruses can infect executable files, disk boot sectors, documents, etc. If a virus is received from a sender, that sender should be notified that the file was infected and, if possible, the type of virus should be identified.
L. Encrypting Data
Only authorized encryption tools (both software and hardware) should be used in connection with Information Systems.
M. Securing Mobile Computing Devices
ISO-Agent who use mobile computing resources (laptops, handheld devices, etc.) must take adequate precautions to ensure that proprietary information contained in such devices is secure and not available to third parties, particularly during travel. ISO-Agent are responsible for taking adequate precautions against theft of their mobile computing devices.
N. Acceptable Use
ISO-Agents should adopt the following Acceptable/Incidental Personal Use policies for their own systems:
1. The authorized use of NanoKard systems is limited to NanoKard official business. NanoKard provides Information Systems and communication tools to facilitate business communication and enhance personal productivity. NanoKard reserves the right to prohibit or restrict use of NanoKard systems for any other purpose and at any time.
2. Incidental Personal Use. Personal use of NanoKard systems is permitted so long as it is not excessive as determined by NanoKard, does not interfere with job performance, consume significant resources, or interfere with the activities of other ISO-Agent.
Any ISO-Agent found to have violated this policy, guidance and recommendations for data security, may be subject to action, up to and including contract agreement termination.
This policy is to be distributed to all NanoKard ISO-Agents who use Information Resources.
The NanoKard (the “Company”) Code of Conduct is to comply with all laws, domestic and foreign, that apply to its agents, merchants, and business, and to conduct its activities in accordance with high standards of business ethics in all respects.
Purpose & Overview
The purpose of this code is to establish the Code of Conduct (the “Code”) for members of senior management and all employees of agents, merchants, and businesses affiliated with NanoKard, and to reaffirm the Company's policies regarding adherence to applicable laws and standards of business ethics in conducting the business throughout the world. This Code of Conduct must be included as an addendum to Agent, Merchant, and Business agreements. The objectives of the Code of Conduct include:
● Clearly communicate policies, procedures, and requirements to all of their Agents, Merchants and Businesses, to make sure that they do not violate any expected performance standards.
● Obtain the agent, merchant and business commitment to comply with member policies and procedures, as well as relevant Card Brand Rules.
Scope & Audience
The Code of Conduct is mandatory and applies to any designated Third-Party Agent, Merchant or Business of NanoKard. Any such designated person or entity shall be provided with a copy of this Code and shall certify their compliance with it pursuant to procedures established by the Senior Compliance Officer.
The Agent, Merchant or Business principal owner or corporate officer responsible for compliance must accept and sign this document. A copy of the signature is kept on file in the NanoKard CRM system and held for the duration of the Agent, Merchant, or Business relationship plus no less than 7 years.
The Code of Conduct is used in the following circumstances:
● Used as an addendum to the acquirer’s Agent, Merchant, or Business agreement (these may be phased in as new contracts are signed or existing contracts are renewed).
● Accepted and signed by the principal owner or corporate officer responsible for compliance.
● Used by the acquirer when training Agents, Merchants or Businesses.
● Utilized by agents when training their employees.
Summary of Major Roles
Third Party Agents involved in the Company’s business activities are responsible for reading, understanding and complying with this Code of Conduct, as well as future updates to this Code and other similar materials issued from time to time. Any such designated persons shall be provided with a copy of this Code and shall certify their compliance with it pursuant to procedures established by the Senior Compliance Officer.
The Senior Compliance Officer is ultimately responsible for ensuring the Code remains up-to-date and accurate, and for disseminating communications related to Code changes. The Senior Compliance Officer is responsible for providing training related to this Code. They are also required to review this Code on an annual basis to ensure it is effective and in accordance with current best practices, and will revise and update this Code, as necessary.
Senior Management is responsible for ensuring all Agents, Merchants and Businesses are aware of and comply with this Code.
The General Counsel is responsible for determining if a provision of this Code can be waived, upon full disclosure of all relevant facts by the Agent, Merchant or Business who seeks such a waiver. Any such waiver will be promptly disclosed as, and to the extent, required by applicable law or regulations or by the Company’s listing agreement with a national securities exchange.
Code of Conduct
The following section describes the Code of Conduct. Agents, Merchants, and Businesses of NanoKard are required to uphold the following Code of Conduct principles:
Code of Conduct Principles
● Operate in a responsible manner that protects the Card Brand payment system, sponsoring financial institutions, and other participants from undue harm or reputational damage.
● Comply with Card Brand Rules and applicable laws and avoid circumvention of risk controls meant to safeguard the payment system and its participants.
● Reasonably perform the roles and responsibilities designated by their sponsoring financial institutions and provide an adequate level of service to the Merchants they support.
● Ensure any Merchant marketing materials (including rates, fees, and terms) are approved by the sponsoring financial institution, compliant with applicable laws, and transparently disclosed to prospective Merchants.
● Comply with the Payment Card Industry Data Security Standard (PCI-DSS) and other data security requirements for the protection of cardholder information and transaction data.
Training
The Senior Compliance Officer is responsible for establishing and conducting a suitable training program (either online or off-line, at the discretion of the Senior Compliance Officer) to help effectuate the compliance goals of this Code and will maintain records documenting the date and content of the training and names of attendees. The Senior Compliance Officer reviews this Code at least annually to ensure it is effective and in accordance with current best practices, and will revise and update this Code, as necessary.
Reports and Periodic Reviews
Any Agent, Merchant or Business requested to engage in any activity that is or may be contrary to this Code will promptly report such information to the Manager to whom the individual reports, or, if the Agent, Merchant or Business was so directed by the Manager, then to assigned NanoKard legal counsel.
Any Agent, Merchant or Business that acquires information that gives the Agent, Merchant or Business reason to believe that any other Agent, Merchant or Business is engaged in conduct forbidden by the Code will promptly report such information to the Manager to whom the Agent, Merchant or Business reports or, if the Manager is engaged in such conduct, then to the assigned Company Legal Counsel.
References
Visa Global Acquirer Risk Standards: Visa Supplemental Requirements
Payment Card Industry Security Standards Council
Code Approval & Revision Process
Senior Leadership will provide approval and define who will need to review the Code of Conduct and have final approval authority. Revisions can be made via discussion and email, but approvals must be given in writing.
Exhibits
Please refer to the NanoKard Welcome Packet for Agent, Merchant, and Business training materials.