Exhibit 10.2

AMENDMENT # 2 TO MASTER PROFESSIONAL SERVICES AGREEMENT

Reference: CITI-CONTRACT-14084-2015
Effective Date: 1st May 2017

Party: SERVICE PROVIDER
Name: Polaris Consulting & Services Limited
Address: # 34, IT Highway, Navallur, Chennai – 600 130, Tamilnadu, India
Incorporation: India

Party: CLIENT
Name: Citigroup Technology, Inc.
Address: 111 Wall Street, 7th Floor New York, NY 10005
Incorporation: Delaware

Name: Virtusa Corporation
Address: 2000 West Park Drive Westborough MA 01581
Incorporation: Delaware

Background:

I. Polaris Consulting & Services Limited (“Service Provider”) and Citigroup Technology, Inc. (“Client”) previously entered into a Master Professional Services Agreement dated 1st July 2015 (including any previous addendum, amendment, supplemental agreement or renewal of the same, collectively “Master Agreement”).

II. Service Provider and Client shall jointly be referred to as “the Parties”.

III. The Parties agree to amend the terms of the Master Agreement as set out herein.

IN CONSIDERATION of the mutual covenants and undertakings contained in the Master Agreement and in this Amendment, and intending to be legally bound, Service Provider and Client agree as follows:

1. COUNTRY ADDENDA

1.1 The country-specific Schedules A to S in Appendix 3.3.1 to the Master Professional Services Agreement dated 1 July 2015 shall be deleted and replaced in their entirety with the revised Asia Pacific Country Schedules (Master Version 6.1 dated 23 March 2017), attached to this Amendment.

2. NO OTHER CHANGES

2.1 Other than the amendments expressly set forth herein, all other provisions of the Master Agreement shall remain unmodified and shall continue to be valid and fully binding and enforceable as they exist as of the date hereof.

IN WITNESS WHEREOF, the Parties hereto, through their duly authorized officers, have executed this Amendment as of the Effective Date designated above.

Service Provider: Polaris Consulting & Services Limited
By: /s/ NM. Vaidyanathan
Name: NM. Vaidyanathan
Title: Chief Financial Officer
Date: 25-04-2017

Client: Citigroup Technology, Inc.
By: Brian Hagen
Name: Director
Title: Enterprise Supply Chain Asia Pacific
Date: 15/5/17

Virtusa Corporation
By: /s/ Paul D. Tutun
Name: Paul D. Tutun
Title: EVP: GENERAL COUNSEL
Date: 5/4/17

Local Country Addenda
Legal and Regulatory Requirements - Asia Pacific
(LCA Master Version 6.1 - Date: 23 March 2017)

INDEX

Schedule  Country       Version  Effective Date
A         AUSTRALIA     3        12 May 2016 Revalidated 9 January 2017
B         BANGLADESH    2        14 February 2017
C         CHINA         6        17 January 2017
D         HONG KONG     3        26 October 2015
E         INDIA         5        23 March 2017
F         INDONESIA     3        17 February 2017
G         JAPAN         3        6 June 2014 Revalidated: 10 January 2017
H         KOREA         3        25 February 2016 Revalidated: 17 January 2017
I         MACAU         2        22 March 2017
J         MALAYSIA      6        11 January 2017
K         NEW ZEALAND   2        18 January 2017
L         PHILIPPINES   2        30 April 2015 Revalidated: 9 January 2017
M         SINGAPORE     6        17 October 2016 Revalidated: 23 January 2017
N         SRI LANKA     3        15 February 2017
O         TAIWAN        7        17 January 2017
P         THAILAND      2        Revalidated: 18 January 2017
Q         VIETNAM       6        23 March 2017

SCHEDULE A — AUSTRALIA LAW REQUIREMENTS (Version 3 — 12 May 2016; revalidated 9 January 2017)

A. CONTINGENCY PLAN/CONTINUITY OF BUSINESS

The Supplier must maintain a Business Continuity Plan. The Business Continuity Plan must enable the Supplier to provide the Services and comply with the terms of the Agreement, notwithstanding an event that disrupts, impairs or prevents the Supplier from otherwise providing the Services or complying with its obligations thereunder. The Business Continuity Plan must include procedures to ensure that the Supplier is able to provide the Services and otherwise comply with its obligations under the Agreement, notwithstanding that an agent, consultant or contractor of the Supplier is incapable of providing the Services to the Supplier. The Business Continuity Plan must be:
(a) based upon a formal assessment of the applicable risks;
(b) reviewed and updated on a regular basis and at least annually;
(c) tested at least annually; and
(d) subject to quality assurance review at least annually.

B. APRA

Where Citi is supervised by the Australian Prudential Regulation Authority (“APRA”), APRA may require information from Citi or the Supplier about the Services, the Supplier or the Agreement. Subject to applicable law or authority in the country in which it is based, the Supplier will give APRA any information relating to the Agreement as soon as possible after Citi or APRA asks the Supplier to do so. Unless prohibited by relevant law or legal authority, the Supplier will promptly inform Citi as soon as practicable after APRA asks the Supplier to provide information under this Section.

The Supplier will permit APRA to conduct any on-site visit of the Supplier’s premises that is necessary to APRA’s role as prudential supervisor of Citi. If APRA notifies Citi of its intention to conduct an on-site visit of the Supplier’s premises, Citi will promptly notify the Supplier. Where APRA conducts an on-site visit of the Supplier’s premises, the Supplier must not disclose or advertise that APRA has conducted such a visit without the prior written consent of Citi.

The Supplier will use its best endeavours to satisfy APRA about any questions or concerns it may raise about the Services. The Supplier agrees that the existence of, and any information relating to, any investigation, question or concern raised by APRA about the services provided by the Supplier to Citi or in relation to Citi, is Confidential Information.

C. DO NOT CALL REGISTER ACT AND TELECOMMUNICATIONS ACT OBLIGATIONS

Where telemarketing call services make up any part of the Services provided by the Supplier to Citi under the Agreement, the Supplier must comply with the:
(i) Do Not Call Register Act 2006 (Cth); and
(ii) Part 6 of the Telecommunications Act 1997 (Cth),
and take all reasonable steps to ensure that its employees, agents and subcontractors comply with these Acts.

Where fax marketing services make up any part of the Services provided by you to Citigroup under the Agreement, you must comply with Part 6 of the Telecommunications Act 1997 (Cth), and take all reasonable steps to ensure that your Personnel comply with that Act.

D. PRIVACY

The parties acknowledge and agree that:
(a) Citi is subject to the Privacy Act 1988 (Cth) including the Australian Privacy Principles (“APPs”);
(b) the APPs require that Citi shall ensure that any recipient of Personal Information (defined below) handles such Personal Information in accordance with the APPs;
(c) the Supplier must:-
  a. only collect, use and disclose Personal Information strictly for the purpose for which that Personal Information was disclosed to it;
  b. unless otherwise instructed by Citi, only store Personal Information for the period necessary to fulfil that purpose and must destroy that information when it is no longer required and upon request from Citi;
  c. comply with any of Citi’s reasonable requests or directions in respect to the Personal Information;
  d. protect Personal Information it holds from misuse, interference and loss, as well as maintain/implement systems and processes to ensure the security of personal information;
  e. reasonably assist Citi to resolve any request for access, correction or a complaint in relation to Personal Information;
  f. provide individuals with the right to access and seek correction of Personal Information;
  g. promptly notify Citi if it is aware of any misuse, interference and loss, unauthorised access, modification or disclosure by itself or its personnel;
  h. only disclose Personal Information to others in compliance with these requirements after obtaining Citi’s consent and in accordance with any conditions Citi reasonably deems fit to impose;
  i. allow Citi or any applicable regulatory body to audit the Supplier’s compliance of these requirements and any records the Supplier holds containing the Personal Information, subject to the Supplier’s obligations of confidentiality to other parties and any other law or authority with jurisdiction over Supplier; and
  j. comply with any additional reasonable requirements notified to it by Citi from time to time in respect of Personal Information.
(d) For the avoidance of doubt, Personal Information is a form of “Confidential Information” as defined in the Agreement;
(e) For the purposes of this section D, “Personal Information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
  (a) whether the information or opinion is true or not; and
  (b) whether the information or opinion is recorded in a material form or not.

E. TAXES

Other than as specified below, the Supplier will be responsible for all taxes of any kind in connection with the provision of Services under the Agreement.

For the purposes of this clause, “Consideration”, “Creditable Acquisition”, “GST”, “Input Tax Credit”, “Recipient”, “Supply”, “Tax Invoice” and “Taxable Supply” have the same meaning as in the GST Act.

1. This clause applies if one party (the supplier) makes a Taxable Supply to another party (the Recipient) and the Consideration for that Supply (apart from any payable under this clause) is not expressed to be inclusive of GST.
2. If this clause applies, the Recipient must pay the supplier an additional amount on account of GST.
3. The additional amount payable on account of GST is, generally, equal to the Consideration for that Supply (apart from any payable under this clause) multiplied by the prevailing GST rate.
4. To the extent that the Consideration for the Supply (other than that payable under this clause) is payable as a reimbursement for an expense incurred by the supplier as a result of a Creditable Acquisition it makes, the additional amount will be calculated by:
  (i) first reducing the Consideration for that Creditable Acquisition by any Input Tax Credit to which the supplier is entitled on making the Creditable Acquisition; and
  (ii) then applying the prevailing GST rate to that reduced amount.
5. The additional amount is to be paid when the Recipient pays or provides any of the Consideration for the Supply, provided always that such amount will only be payable if a Tax Invoice for the Supply is provided to the Recipient.

F. LEGALLY REQUIRED DISCLOSURES

Where the Supplier is required to disclose Citi’s Confidential Information under any applicable law, regulation or an order from a court, regulatory agency or other governmental authority having competent jurisdiction, and is further required to notify Citi of the order, the Supplier must promptly send a copy of the order and accompanying documentation by facsimile transmission to the General Counsel, Citigroup Pty Limited, +612 8225 5238.

G. ADDITIONAL TERMINATION RIGHTS

In addition to any right available to Citi under the Agreement, Citi may terminate the Work Order immediately upon the occurrence of an “Event of Default” by the Supplier. Any right of termination will not limit Citi from exercising any other rights or remedies it may have at law or in equity.

For the purposes of this clause F, “Event of Default” means the occurrence of any one of the following:
(i) a representation or warranty of the Supplier is false or misleading in any material respect when it was made;
(ii) the Supplier:
  a. suspends payment of its debts generally;
  b. becomes insolvent within the meaning of the Corporations Act 2001;
  c. enters into or resolves to enter into any arrangement, composition or compromise with, or assignment for the benefit of, its creditors or any class of them;
  d. has a receiver, receiver and manager, controller, managing controller, administrator, official manager, trustee of provisional or official liquidator appointed over its assets and/or undertakings; or
  e. is the subject of an application that is filed or an order that is made or a resolution that is passed for its winding up or dissolution other than for the purposes of reconstruction or amalgamation.

H. SCOPE OF SERVICES

Unless expressly stated in the Work Order, the Supplier agrees that:
(i) the Agreement and/or Work Order is not an exclusive arrangement between Citi and the Supplier;
(ii) Citi may purchase services similar to the Services from other suppliers; and
(iii) Citi does not commit to purchase any volume or dollar amount of Services.

I. GOVERNING LAW AND JURISDICTION

Notwithstanding any term to the contrary in the Agreement and/or Addendum, the governing law and jurisdiction clause as it applies to Work Orders entered into by Affiliates and branches of Citibank, NA located in Australia, is varied as follows:

“The validity of this Agreement as it applies to the Work Order, the construction and enforcement of its terms, and the interpretation of the rights and duties of the parties to the Work Order shall be governed by the laws of New South Wales, Australia. The Parties to the Work Order submit to the non-exclusive jurisdiction of the courts of New South Wales and of the Commonwealth of Australia.”

SCHEDULE B — BANGLADESH LAW REQUIREMENTS (version 2 - 14 February 2017)

A. GENERAL

The requirements set out hereunder which are imposed by the Bangladesh Bank (the central bank of Bangladesh) and may change from time to time, including by BRPD Circular No-02 dated 19 January 2015 attached hereto as Annexure A as a reference, shall be applicable to the Services and the Deliverables under the Agreement.

B. AUDIT, INSPECTION AND MONITORING

Supplier agrees that the Services it performs and the Deliverables it provides are subject to examination and regulation of the Bangladesh Bank or any competent court of law, or other judicial, quasi-judicial, statutory, regulatory or supervisory authority or any agent appointed by any of them.

Citi shall be entitled to access all books, records and information relevant to the activities of Supplier in relation to Citi, and conduct audits thereof. Citi shall be entitled to monitor continuously, and assess the performance of Supplier so that any necessary corrective measures can be taken immediately. Supplier shall provide all material and information in the form and format Citi may require.

Supplier confirms that it has all relevant approvals from all relevant authorities and that no additional approval from anybody in any jurisdiction will be required for Citi, Bangladesh regulators or anybody engaged/ approved by Citi or the Bangladesh regulator for conducting any on-site/ off-site audit, review or control activity.

C. RESTRICTION ON TYPE OF SERVICES

The Services to be provided by Supplier are subject to the approval from the Bangladesh Bank.

Pursuant to Section 12 of the Bank Companies Act, 1991 and BRPD Circular No-02 dated 19 January 2015, issued by the Banking Regulation and Policy Department of the Bangladesh Bank, Citi shall not remove and/or transfer any records and/or documents (including any information retained by electronic means) relating to Citi’s business to a place outside Bangladesh, without the prior permission in writing of the Bangladesh Bank. Similar approvals may be required from other applicable regulatory authorities of Citi. For example: Section 19 of The Securities and Exchange Ordinance, 1969, Section 35 (e) (f) of The Merchant Banking Rules, Section 11 of The Custody Rules 2003 restrict sharing customers’ information without approval of the Bangladesh Securities and Exchange Commission.

Supplier shall not allow access to Citi’s data by any person other than those authorized by Citi. Supplier shall contact Citi to confirm such authorization by Citi.

Supplier shall obtain consent from Citi for any sub-contracting or sub-outsourcing of the activities to be carried out by Supplier in relation to Citi, or for making any direct contact with a customer of Citi.

D. RESTRICTION ON THE REMOVAL/TRANSFER OF CITI’S RECORDS/DOCUMENTS

The Supplier and its Affiliates shall not transfer and/or allow access to Citi’s records and/or documents (including any memory dump), to any other party, outside the premises of the Supplier and its Affiliates, without ensuring Citigroup standard information security measures being in place. The Supplier shall inform Citi’s Branch Information Security Officer (BISO) of such actions giving details of security measures taken.

E. RESTRICTION ON THE REMITTANCE OF FEES BY CITI

Due to Section 5 of the Foreign Exchange Regulation Act 1947, Citi shall not remit any fees or any other payment to Supplier. Citi shall only make such payment if there is a specific prior approval of the Bangladesh Bank.

F. CONTINGENCY ARRANGEMENTS

Supplier shall establish and maintain appropriate contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.

G. INSOLVENCY AND MATERIAL CORPORATE CHANGE

The Agreement shall be terminated in the event of Supplier filing an application for being declared insolvent or is adjudged insolvent by a competent authority. Any material change in the corporate structure of Supplier must be notified to Citi.

Annexure A: Guidelines on Outsourcing Arrange

SCHEDULE C — CHINA LAW REQUIREMENTS (Version 6 — 17 January 2017)

[NOTE: According to China’s regulatory requirement on outsourcing, besides those provided in this China Law Requirements, the following provisions shall also be covered by the service contract, and please ensure they are so covered: (1) the scope and standards of the outsourcing service; (2) the arrangements for the confidentiality and safety of the outsourcing service; (3) the settlement mechanism for the outsourcing disputes; and (4) the liabilities for breach of contract. If the Master Agreement and/or the Work Order does not cover the above provisions, it should be added to this Schedule of China Law Requirements.]

1. Cooperation for Outsourcing Due Diligence

Prior to the outsourcing of any Services by Citi to Supplier, the Supplier shall reasonably cooperate with Citi to fulfill all legal and regulatory requirements in respect of the Services for the purpose of Citi’s due diligence of the Supplier.

2. Audit and Inspection Right

2.1 Citi, its auditors, or its authorized regulator shall have the right to audit the Supplier to ensure compliance with the Master Agreement and/or the relevant Work Order in relation to the Services. Supplier shall cooperate with Citi’s internal and external auditors and regulators. Supplier shall keep complete and accurate records of all of its work and expenses in providing the Services to Citi for a period not less than two (2) years from the date which the record was created or such other longer period as requested by Citi in writing.

2.2 The Supplier shall require any subcontractor appointed (if applicable) to also maintain complete and accurate records of all of its work and expenses in relation to the Service subcontracted to it. Supplier shall ensure and procure that these requirements are set forth in its arrangements with any subcontractor.

2.3 The Supplier shall allow Citi, its auditors and/or its regulators to (i) obtain records and documents of transactions and information of Citi given to, stored at or processed by Supplier, (ii) access any report and findings made on the Supplier in conjunction with the Services performed for Citi, (iii) access to the business premises of the Supplier in the exercise of its rights herein; and (iv) inspect, examine and audit the Supplier’s operations and records insofar as they are relevant to the Services.

3. Cross-border Outsourcing [1]

3.1 For any cross-border outsourcing, the Supplier shall be, and shall ensure its sub-contractor(s) be in one of the countries or jurisdictions set forth in the attached Appendix A, representing those countries or jurisdictions where the regulator(s) have signed a memorandum of understanding or other agreement (the “MOU”) with PRC banking regulators. No cross-border outsourcing shall take place in any country or jurisdiction not listed in the attached Appendix A without the prior written consent of Citi.

[1] This provision is only applicable when the Supplier is incorporated outside of mainland China.

4. Controls

4.1 The Supplier shall regularly report Service related matters to Citi in accordance with Citi’s reasonable requirements.

4.2 The Supplier shall promptly notify Citi of any issue which may affect the provisions of the Services or of any problems, accidents or disruptions which may have a material impact on the Services.

4.3 Except for the Services provided in the Master Agreement and/or the relevant Work Order, the Supplier shall not conduct any other activity in the name of Citi.

4.4 The Supplier shall ensure that the software and/or hardware (if any) applied to the Service shall not infringe upon any patent, copyright, trademark, trade secret or other proprietary right of Citi and any third party.

4.5 The Supplier shall logically segregate and separate its service resources related to the Services provided to Citi from those of Supplier’s other clients or customers, and ensure that only Citi has the highest access authority to Citi’s business system and data.

5. Continuity of Business

5.1 The Supplier and Citi shall each use reasonable efforts to develop, maintain and adhere to a plan providing measures to be taken by the Supplier in the event of various contingencies, in order to ensure the Supplier’s ability to continue providing the Services. The Supplier’s established service continuity plans and its agreed targets therein shall be consistently managed by Supplier, and shall in all circumstances satisfy the requirements of business continuity of Citi.

6. Termination

6.1 Where the Supplier is found to be unable to protect Citi’s customer information or Citi’s customer rights are jeopardized due to Supplier’s failure to protect Citi’s customer information, Citi shall have the right, in addition to other rights or remedies that are available to Citi under the Master Agreement and/or the Work Order and/or applicable law, to terminate, with immediate effect upon notice, the services provided to or for the benefit of Citi in the People’s Republic of China under any Work Order or relevant agreement.

7. Transition Services

7.1 Upon the termination of the Master Agreement and/or the relevant Work Order for any reason whatsoever (including a default by either party), each party shall provide such information, cooperation and assistance to the other party, as such other party may reasonably request, to assure an orderly return or transfer to the requesting party or its designee of all proprietary data (and related records and files) materials and/or facilities (if any) of the requesting party.

7.2 If the Master Agreement and/or the relevant Work Order is terminated for any reason other than a circumstance which could expose the Supplier to ongoing damages or liability, the Supplier shall provide such assistance to Citi as Citi reasonably requests to transition to another service provider of Citi’s choice, subject to Citi’s agreement to pay the Supplier’s reasonable costs and expense for such transition assistance.

8. Assignment and Subcontracting

8.1 The Supplier is prohibited from (i) completely transferring/assigning or outsourcing all of the Services to a third party and /or, (ii) sub-contracting any key part of the Services to a third party. Additionally, the Supplier shall ensure that its sub-contractor(s) does not further transfer/assign the sub-outsourced business to any third party.

8.2 If the Services are sub-outsourced, the Supplier shall monitor the subcontractor and shall, in accordance with the provisions of the Master Agreement and/or the relevant Work Order, obtain prior approval from or provide notice to Citi regarding the changes of subcontractor (if any).

8.3 All provisions of the Master Agreement and/or the relevant Work Order shall be binding upon and shall inure for the benefit of the Supplier and Citi and their legal successors and permitted assigns.

9. Protection of Personal Information

9.1 Personal information relating to Citi’s customer shall include personal financial information, which means the personal information obtained, processed or stored by Citi through business operation or through access to credit report systems, payment system and other systems, including the following:
(1) Personal identification information, including name, gender, nationality, form of ID, ID number, expiration date of ID, occupation, contact, marriage status, family information, residential address, work address, photo, etc.
(2) Personal property information, including income, real estate ownership, vehicle ownership, tax amount, housing fund payment, etc.
(3) Personal account information, including account number, account opening time, account opening bank, account balance, account transaction information, etc.
(4) Personal credit information, including credit card repayment information, loan repayment information and other information formed in personal economic activities which can reflect such person’s credit condition.
(5) Personal financial transaction information, including personal information obtained, preserved or stored by Citi in its payment and settlement, wealth management, security box businesses and the personal information disclosed when Citi’s customer does business with insurance company, security company, fund company and other third party institution through Citi.
(6) Derivative information, including personal consumption habit, investment willingness, and other information derived from processing and analyzing the original information which can reveal a person’s particular features.
(7) Other personal information obtained or stored through establishment of business relationship with a person.
(hereinafter called “Personal Information”)

9.2 The Supplier agrees to take effective measure to protect the Personal Information obtained through the provision of the Service, ensure information security, confidentiality and avoid unauthorized disclosure or misuse during the collection, transmission, processing, storage and usage of such Personal Information.

9.3 The Supplier agrees not to send Personal Information (which was obtained in China) outside of China, and ensure the storage, processing and analysis of Personal Information is conducted within China.

9.4 Upon the termination of the Master Agreement and/or the relevant Work Order, the Supplier shall destroy or return to Citi, subject to Citi’s instruction, all personal financial information of Citi’s customer obtained through providing the Services to Citi.

10. Governing Law and Jurisdiction

Where both Citi and Supplier are entities incorporated in China, the governing law shall be the PRC law, and all claims or disputes arising out of or in connection with Master Agreement and/or the relevant Work Order shall be submitted to the PRC court where Citi is located.

Appendix A — Memorandum of Understanding List (As of June 2016)

MOU List as of June 30 2016.xlsx

SCHEDULE D — HONG KONG LAW REQUIREMENTS (Version 3 — 26 October 2015)

[Note: it is assumed that Services provided by the Supplier under the Agreement do not involve its provision / marketing of banking services / product to customers, sale / transfer of personal data or deployment of any online tracking (i.e., collection by website operators / owners of information regarding users’ online interaction with the websites). If the Services involve any of the above, please contact Hong Kong legal counsel as additional provisions (such as PDPO and the related Info Leaflet “Online Behavioural Tracking”) would need to be incorporated into the Agreement.]

Where Services and/or Deliverables are provided by Supplier or its Affiliates (collectively, “Supplier”) to or for the benefit of Citi and/or its Affiliates in Hong Kong, this Schedule E shall be added to and deemed to be expressly incorporated into the Agreement (and any work order or purchase order (as applicable, “Work Order”) executed by Citi and/or its Affiliates for work to be performed in Hong Kong):

1. Provision of Services and/or Deliverables.

(a) During the term of the Agreement, each Party shall designate their respective representatives who will be the key contacts for coordinating management meetings/visits and addressing issues relating to the Services and/or Deliverables and such other arrangements or transactions as contemplated under the Agreement.

(b) Supplier agrees to participate in and report to Citi on performance reviews to be conducted on a regular basis as reasonably required by Citi.

(c) Supplier shall render Services and/or furnish Deliverables with due care according to its security and operation control process, which are designed to ensure accuracy and timeliness on all its service delivery.

(d) Supplier shall ensure that any records and reports (including but not limited to the invoices) in whatever form prepared by Supplier in accordance with the Agreement and any of Citi’s Confidential Information shall be subject to Citi’s document retention policy (a copy of which shall be provided by Citi to Supplier). Such records, reports and information shall be made available for Citi’s inspection at any time provided that sufficient prior written notice shall be given to Supplier.

(e) The Agreement shall be reviewed and revised as needed by the parties on an annual basis. However, if the Agreement is not reviewed and/or revised in a year, the then current Agreement shall continue to apply.

2. Fees and Expenses.

The fees charged by the Supplier to Citi in respect of the provision of the Services and/or Deliverables shall be reviewed and agreed by Supplier and Citi on an annual basis. However, if such fees are not revised in a year, then the previously agreed fees shall continue to apply.

3. Confidential Information.

(a) Without prejudice to the confidentiality provisions under the Agreement, the Receiving Party may also disclose the Disclosing Party’s Confidential Information to any relevant Affiliate which is bound to comply with the obligations of confidentiality at least as stringent as those set forth in the Agreement.

(b) If the Receiving Party shall be under a legal, regulatory, administrative or judicial obligation to disclose any Confidential Information, such party shall, where it is practical and legally able to do so, give the Disclosing Party prompt notice thereof.

(c) Supplier shall ensure that Citi’s Confidential Information shall be segregated or compartmentalized from Supplier’s own or its other customers’ Personal Information.

(d) The Receiving Party acknowledges and agrees that the unauthorized disclosure or use of any Confidential Information of the Disclosing Party may cause irreparable damage to such other party which could not be adequately compensated by monetary damages. The Receiving Party, to the extent possible, therefore authorizes the Disclosing Party to seek any temporary or permanent injunctive relief necessary to prevent such disclosure or use, or threat of disclosure or use, without proof of actual damages. The provisions of this subsection shall survive the termination of the Agreement.

(e) To the extent that Supplier receives, obtains or generates Citi’s Confidential Information as a result of the performance of its obligations under this Agreement, and notwithstanding anything to the contrary contained in this Agreement, Supplier agrees that it will, and will ensure that each of its Personnel will, comply with the following requirements:
(i) not disclose, transfer or use any of Citi’s Confidential Information except to the extent necessary to carry out its obligations under or permitted by this Agreement and for no other purpose;
(ii) not disclose or transfer any of Citi’s Confidential Information to any third party, including, without limitation, its third party service providers without the prior written consent of Citi and subject to the further requirements of this section and (to the extent Citi’s Confidential Information constitutes Personal Data (as defined below)) Section 4;
(iii) host and use Citi’s Confidential Information only in Hong Kong and not export or transmit Citi’s Confidential Information to any other jurisdiction without the prior written consent of Citi;
(iv) employ appropriate administrative, technical and physical safeguards to prevent unauthorized or accidental access, disclosure, transfer, processing, erasure, loss or use of Citi’s Confidential Information received by it;
(v) comply with all the obligations of confidentiality at least as stringent as those applicable to Supplier and all applicable rules and regulations concerning confidentiality to ensure that Citi’s Confidential Information is protected against unauthorized or accidental access, disclosure, transfer, processing, erasure, loss or use;
(vi) promptly provide such information regarding its privacy and information security systems, policies and procedures as Citi may request from time to time; and
(vii) not keep any of Citi’s Confidential Information for longer than is necessary for processing of such data. Upon the request by Citi or the cessation of the provision of certain Services and/or Deliverables to Citi, or at any time after any of such information has been processed by Supplier, Supplier will, at Citi’s option, as soon as reasonably practicable return or securely destroy any such Information in its possession or under its control. Supplier will certify in
writing that it has fully complied with its obligations under this subsection
(and that no copies of such information have been retained) within seven (7)
calendar days following the date it receives a request from Citi for such a
certification.
The Supplier warrants that its Personnel have been properly trained in respect
of the handling of Citi’s Confidential Information such that they will comply
with the relevant requirements under the Agreement. If Supplier engages any
third party, whether within or outside Hong Kong, to process personal data on
behalf of Supplier, Supplier shall adopt contractual or other means (i) to
prevent any personal data transferred to such third party from being kept longer
than is necessary for processing of the data; and (ii) to prevent unauthorized
or accidental access, processing, erasure, loss or use of the data transferred
to such third party for processing. (f) At all times during the duration of this
Agreement, Supplier will have in place, and will regularly and thoroughly test,
security arrangements which are sufficient to: (i) protect the integrity and
security of any of Citi’s Confidential Information which has been disclosed to,
processed by, generated by or otherwise handled by Supplier or any of its
Personnel in the course of the performance of Supplier’s obligations under this
Agreement and any other agreement; and (ii) ensure that any of Citi’s
Confidential Information is not lost, destroyed, accessed, transferred,
processed, used or disclosed without appropriate authorization or by accident
while it is in the possession or under the control of Supplier or any of its
Personnel. On request from Citi, Supplier will use all commercially reasonable
efforts to demonstrate to Citi its compliance with this subsection, and will
ensure that each of its relevant Personnel does so. (g) Supplier will, as part
of the Services and/or Deliverables provided, conduct an audit reviewable by
Citi of the security arrangements in place in the format and frequency set forth
in the applicable Work Order, to ensure that the security arrangements comply
with the relevant policies in place to safeguard Citi’s Confidential
Information. (h) If Supplier becomes aware that the security of any of Citi’s
Confidential Information has been (or may be) compromised, then it will
immediately: (i) inform Citi; (ii) take whatever action is necessary to minimize
the impact of the security breach, correct the causes of the breach to the
fullest extent possible and advise Citi of the status of its remedial actions;
and (iii) promptly investigate the underlying causes of the breach and prepare
and deliver to Citi a written report which details the causes, and sets out the
measures Supplier proposes to implement to prevent reoccurrence of the breach.
(i) If Supplier is required under any relevant laws or regulations to supply any
of Citi’s Confidential Information to any government authority outside Hong Kong
for examination, Supplier shall inform Citi of such examination and shall seek
written consent from Citi before releasing / disclosing such data and
information to such governmental authority, as the case may be. Citi shall not
unreasonably withhold or delay to provide to Supplier such written consent if it
is required, subject to obtaining the necessary consent from the Hong Kong
Monetary Authority (“HKMA”) or other relevant government authorities, if
applicable. (j) Notwithstanding anything herein to the contrary, this Section 3
shall survive termination of this Agreement.
4. Personal Data (a) In this Section 4: (i) “Personal Data” means any data (1)
relating directly or indirectly to a living individual, (2) from which it is
practicable for the identity of the individual to be directly or indirectly
ascertained, and (3) in a form in which access to or processing of the data is
practicable; for present purposes Personal Data includes names, addresses,
emails, dates of birth, telephone numbers. (ii) “Data Subject” means an
individual who is the subject of any part of the Transfer Data, and for present
purposes Data Subjects include Citi’s past and present customers whose personal
data is transferred to Supplier (for the avoidance of doubt, “past customers”
refer to customers who cease their banking relationship with Citi after personal
data is transferred to Supplier); (iii) “Transfer Purposes” means purposes for
which Personal Data is transferred by Citi and/or its Affiliates in Hong Kong to
Supplier, and includes enabling Supplier to provide the Services and perform the
Work Order; and (iv) “Transfer Data” means any Personal Data relating to Citi’s
customers transferred or to be transferred by Citi and/or its Affiliate(s) in
Hong Kong to Supplier in connection with the Agreement or any Work Order. (b)
Supplier acknowledges that Citi is subject to the Personal Data (Privacy)
Ordinance (Cap. 486 of the Laws of Hong Kong) (“PDPO”) including without
limitation the Data Protection Principles (“DPP”) therein. Supplier agrees that
it shall, and shall ensure that each of its Personnel shall, comply with the
PDPO and other requirements imposed by the Privacy Commissioner of Personal Data
from time to time. (c) For the avoidance of doubt, Personal Data may be
Confidential Information and vice versa, depending on the nature of the
information in question. In the event that certain information constitutes both
Personal Data and Confidential Information, both Sections 3 and 4 shall apply.
(d) Supplier shall not collect any Personal Data for and on behalf of Citi
unless Citi has approved in writing the collection and specified a Personal Data
collection form and Personal Data collection statement to be used for such
collection. If Citi has given its aforesaid approval, Personal Data collected by
the Supplier on behalf of Citi shall be regarded as part of the Transfer Data
for the purposes of this Schedule, and the collection and use of such Personal
Data shall be conducted by Supplier strictly in accordance with the Personal
Data collection statement and other directions given by Citi from time to time.
(e) Supplier shall not transfer or provide any Transfer Data to any party
without Citi’s prior written consent. (f) If Supplier engages any third party,
whether within or outside Hong Kong, to process the Transfer Data on behalf of
Supplier (and Citi’s prior written consent has been obtained), Supplier shall
adopt contractual or other means (i) to prevent any Transfer Data transferred to
such third party from being kept longer than is necessary for processing of the
data; and (ii) to prevent unauthorized or accidental access, processing,
erasure, loss or use of the Transfer Data transferred to such third party for
processing. (g) Supplier represents, warrants and undertakes the following:- (i)
Supplier shall process or use the Transfer Data for the Transfer Purposes to the
exclusion of any other purpose. Where the Transfer Data is to be used for a new
purpose, Supplier shall, with Citi’s permission, obtain the prescribed consent
of the Data Subject under the PDPO; (ii) Supplier shall hold the Transfer Data
securely in accordance with the requirements of DPP4 of the PDPO. Supplier shall
have in place appropriate technical and organizational measures and standards to
protect the Transfer Data against unauthorized or accidental access, processing,
erasure, loss or use, including without limitation:- (A) having robust policies
and procedures in place and providing adequate training for its staff; and (B)
adopting physical and computer security measures; (iii) Supplier shall not
retain the Transfer Data longer than is necessary for the fulfillment of the
Transfer Purposes (including any directly related purpose(s)). (iv) Supplier
shall use the Transfer Data exclusively for the Transfer Purposes and shall not
transfer or disclose, either free of charge or in return for any benefits, the
Transfer Data to any third party, except when it is compelled to do so under the
applicable laws. (v) Supplier shall immediately rectify, erase or return the
Transfer Data on receiving instructions to this effect from Citi. Supplier
undertakes in particular to rectify, erase or return all or part of the Transfer
Data or other Personal Data if it appears that such measures are required by the
requirements of the PDPO. (vi) Supplier has and shall at all times have in place
accessible documents which clearly specify its policies and practices in
relation to Personal Data. (vii) Supplier shall ensure that Data Subjects have
rights of access to and correction of their Personal Data in the same way as
they would have had under the PDPO. (viii) Supplier shall not disclose, transfer
or allow access to the Transfer Data to a third party data user or data
processor (“Sub-transferee”) located outside Hong Kong unless it has obtained
the prior written consent from Citi and: (A) the sub-transfer is made to a place
that has in force any law which is substantially similar to, or serves the same
purposes as the PDPO; (B) such Sub-transferee becomes a signatory to this
agreement or another written data transfer agreement which imposes the same
obligations on it as are imposed on Supplier under this Section 4; or (C)
adopted all reasonable non-contractual measures and auditing mechanisms to the
reasonable satisfaction of Citi to monitor the Sub-transferee’s compliance with
the obligations under this Section 4 as if they are applicable to that
Sub-transferee. (h) Upon Citi’s request, Supplier shall submit its data
processing facilities, policies and procedures, data files, documentation and
any other relevant information for reviewing, auditing and/or certifying by Citi
or an inspection body composed of independent members and in possession of the
required professional qualifications bound by a duty of confidentiality,
selected by Citi, to ascertain compliance with its warranties and undertakings
in this Schedule. (i) Without prejudice to the confidentiality provisions of the
Agreement and Section 3 hereunder, Supplier acknowledges and agrees that
Citigroup may maintain computer systems in data centers and in various countries
throughout the world and that Citigroup and its Personnel
may collect, store, process, disseminate or use the Personal Information in
a manner that causes it to be transferred or accessed from computer systems owned
or operated by or on behalf of Citigroup or its Personnel throughout its global
computer network provided that the PDPO (if applicable) is complied with. (j)
Supplier has no reason to believe that there are currently in force any local
laws that would have adverse effect on its warranties or undertakings above, and
Supplier shall notify Citi if it becomes aware of any such laws. (k) Supplier
has the legal capacity and the authority to give the warranties and undertakings
in this Section 4. (l) Supplier shall promptly inform Citi of its inability to
fulfill any of its obligations in this Section 4. (m) Supplier shall promptly
notify Citi about any abnormalities or any loss, accidental or unauthorized
access or processing, erasure or other use of the Transfer Data. (n) Supplier
shall deal with promptly and properly all reasonable enquiries from Citi
relating to the fulfillment of its obligations hereunder and Supplier shall
abide by the reasonable instructions and advice (if any) of Citi or any
supervisory authority in this regard. (o) Supplier shall ensure its staff who
handles the Transfer Data will carry out the security measures and obligations
specified in this Section 4. (p) Supplier shall notify Citi about Supplier’s
contact person in relation to the handling of the Transfer Data, and shall
cooperate with Citi, Data Subjects and relevant authorities concerning all
enquiries within reasonable time. 5. Compliance with Applicable Laws. (a)
Supplier agrees to cooperate with Citi’s internal and external auditors and the
relevant regulatory authorities including, but without limitation, the HKMA, the
Hong Kong Securities and Futures Commission, and the Hong Kong Privacy
Commissioner for Personal Data for their (or any person appointed by them)
review, supervision, audit, or inspection of materials or the status of
operation by Supplier in connection with the Services and/or Deliverables
provided by Supplier pursuant to the Agreement. Supplier shall notify Citi of
any overseas regulatory authorities which seek access to any of Citi’s
Confidential Information. (b) Supplier shall report to Citi if there is any
material change in the Services and/or Deliverables or any material problems,
incidents, accidents or disruption which has/have a material impact on the
Services and/or Deliverables. 6. Inspection and Right to Audit. (a) Supplier
agrees that the Services it performs and/or the Deliverables it furnishes for a
branch of U.S. bank in The Hong Kong Special Administrative Region of the
People’s Republic of China (“Hong Kong”) are subject to examination of the HKMA
and the Office of the Comptroller of the Currency (“OCC”). Supplier shall, upon
reasonable notice, allow Citi, its management, its auditors and/or its
regulators, the opportunity of obtaining, inspecting, examining and auditing
Supplier’s operations, contingency plans and the business records (including but
not limited to copies of the independent audit and financial review report)
which are relevant to the Services and/or Deliverables provided hereunder by
Supplier including but not limited to Supplier’s critical processes to confirm
that Supplier’s processes meet or exceed industry standards in such area of
contingency
planning, continuity of business plans, software engineering and test processes,
change control procedures, critical staff succession planning and compliance
with applicable laws and regulations. Supplier shall cooperate fully with Citi’s
internal or external auditors to ensure a prompt and accurate audit. If Citi
provides recommendations for enhancing Supplier’s critical processes, Supplier
shall use its best effort to implement the recommended and/or corrective
measures and/or correct any practices which are found to be deficient as a
result of any such audit within a reasonable time after receipt of Citi’s audit.
Supplier shall notify Citi, within reasonable time, of any changes to any of the
aforesaid plans. (b) If an audit leads Citi to conclude that Supplier has
breached the provisions of this Agreement or that any of Supplier’s business or
professional practices related to its performance of Services and/or its
furnishing of Deliverables presents a risk of unauthorized disclosure of Citi’s
Confidential Information, Supplier and Citi shall use their best efforts to
reach a mutually satisfactory resolution. Supplier shall also use its best
efforts to correct any practices which are found to be deficient as a result of
any such audit within a reasonable time after receipt of Citi’s audit report.
(c) Citi shall be entitled to enter all or any of Supplier’s premises from time
to time to inspect and examine Supplier’s operations and to check that Supplier
is complying with its obligations under this Agreement. Citi shall endeavour to
give reasonable notice of its exercise of its rights hereunder but in
circumstances where Citi is of the view that it would prejudice Citi’s interests
to give such notice, no prior notice shall be required to be given by Citi.
Citi’s rights under this Section may be exercisable by Citi from time to time
without Supplier’s consent and Citi is empowered to take all necessary or
reasonable steps in order to exercise its rights under this Section fully. (d)
Supplier will submit a yearly financial report audited by a certified accountant
to Citi for the assessment of Supplier’s financial health in supporting the
Services and/or Deliverables. (e) Under no circumstances shall Supplier have any
lien over any or all of the properties that are proprietary to Citi herein
stipulated; Supplier shall at all times hold the documents available for Citi to
use, take, or move at Citi’s sole discretion. 7. Continuity of Business. (a) If
any of the disaster or disruption events occurs, shall have occurred, happened
or come into effect; namely the circumstances are beyond the reasonable control
of the Supplier, which affects the provision or receipt of the whole or any of
the Services and/or Deliverables, the Supplier must: (i) immediately notify and
consult Citi; and (ii) provide recovery services and otherwise do everything
reasonably necessary to reestablish the provision of the Services and/or the
Deliverables. (b) If a party receives advance warning or notice of the
possibility of the occurrence of any disaster or disruption, that party shall
notify the other party and the parties shall use their best endeavours to make
such alternative or emergency arrangements as may be necessary or desirable in
order to ensure that the Services and/or the Deliverables are continuously
provided in accordance with this Agreement.
8. Subcontracting (a) Supplier may not subcontract the performance of any of its
obligations in the Agreement without the prior written consent of Citi. To the
extent that Supplier subcontracts to third parties any of its obligations set
forth in the Agreement with the consent of Citi, Supplier shall remain fully
responsible for such obligations and for all acts or omissions of its
subcontractors or agents. Nothing in the Agreement shall be construed to create
any contractual relationship between Citi and the subcontractors or agents
aforementioned, except as may be otherwise required by law. (b) For purposes of
this Section 9, the use by Supplier of individual independent contractors who
are designated or assigned to perform the Services and/or to furnish the
Deliverables under the direct management and supervision of Supplier and subject
to Citi’s policies and standards of confidentiality undertaking shall not
constitute an assignment, transfer or subcontracting, and shall not require
Citi’s prior approval. 9. Amendment. Notwithstanding any terms under the
Agreement to the contrary, to the extent that any term in the Agreement is in
conflict with any applicable Hong Kong laws and regulations, the HKMA’s
Outsourcing Guidelines or Citi’s Outsourcing Policy, Citi shall notify Supplier
with a suggested amendment to the Agreement to the extent necessary to comply
with such laws and regulations, Guidelines and Policy, and Supplier shall have
the option either to accept such amendments (which shall become effective upon
notification) or to terminate the Agreement by giving 30 days’ notice in writing
to Citi. 10. Termination. Citi shall have the right to terminate any Work Order
(which has been or shall be entered into with any relevant Citi entity in Hong
Kong) or the services provided to or for the benefit of any relevant Citi entity
in Hong Kong (or the provision of any part of the relevant Services and/or
Deliverables to Hong Kong) under any Work Order or relevant agreement with
immediate effect and without penalty by giving three (3) days prior written
notice to the other party in the event that the HKMA or any other competent
authority requires Citi to do so, or to make alternative arrangements in
relation thereto (it being agreed that a certificate from the relevant party
that this has occurred shall be conclusive of that fact). The right of
termination in this paragraph is in addition and independent to those in the
Agreement. 11. Governing law. This Schedule shall be governed by, and construed
in accordance with, the laws of Hong Kong, and the parties hereby agree to
submit to the non-exclusive jurisdiction of the Hong Kong courts. 12. Privacy
disputes Without prejudice to Section 12, in the event of a dispute or claims
brought by a Data Subject or the privacy enforcement authority concerning the
processing of the Transfer Data against any or all parties hereto, the parties
shall inform each other about any such disputes or claims, and shall cooperate
with a view to settling them amicably in a timely fashion. 13. Third party
rights
Nothing in this Schedule, whether expressed or implied, is intended to, or will,
confer on any person any benefit or any right to enforce any term which such
person would not have but for the Contracts (Rights of Third Parties) Ordinance
(Cap. 623 of the Laws of Hong Kong).

SCHEDULE E — INDIA LAW REQUIREMENTS (Version 5 — 23 March 2017) 1. SUPPLIER
REPRESENTATIONS Supplier represents, warrants and covenants to Citi that: the
Services shall be executed, and provided to Citi, taking due and proper note of
Citi’s requirements; Supplier shall employ same standards of care for the
Services as that is expected of Citi; Supplier complies with all applicable law
(including but not limited to all information technology and data privacy laws
in India), has, and shall at all relevant times, have the requisite and valid
licenses and permissions from all regulatory and statutory authorities, for
provision of the Services; there is no litigation or proceeding or dispute
pending or threatened against it or any of its Affiliate which may affect its
ability to provide the Services in accordance with the terms of the Agreement
and/or have an adverse impact on the Services or the quality and integrity
thereof, in any manner; it shall promptly inform Citi of any event or situation
which may affect its ability to provide Services effectively, including but not
limited to situations of financial distress faced by the Supplier or events
resulting in material change in strategic goals or significant changes in
Supplier Personnel. 2. STANDARD OF SERVICES Supplier represents, warrants and
covenants that: (i) apart from Citi, the Supplier renders similar services to
various Corporates and as part of normal course of business activity of the
Supplier, the Supplier deploys/rotates its employees/personnel/representatives
amongst various Corporates. Accordingly, at all points of times, it will be the
obligation of Supplier to ensure that the presence of its
employees/personnel/representatives in Citi and/or its
affiliates/subsidiaries/Citi group entity shall not exceed 238 days in a
calendar year (unless otherwise agreed to in writing by Citi, and which could
enhance the period to a maximum of three calendar years); (ii) the Services, the
Deliverables, and any information or materials provided to Citi in connection
with this Agreement will be provided, in a timely and professional manner, by
qualified and skilled individuals with appropriate expertise, and in conformity
with standards generally accepted in Supplier’s industry and the financial
services industry, and (iii) the Services will conform to the Services
description set forth in this Agreement, including any applicable Work Orders.
If Supplier fails to provide the Services as warranted and Citi so notifies
Supplier within thirty (30) Business Days following the date Supplier declares
the Services to have been completed, then Supplier will re-perform the Services
at no additional charge. In the event, the Services are received by a customer
of Citi, the Supplier agrees to forward to Citi any service complaint it
receives from the customers of Citi in a prompt and timely manner. The Supplier
also warrants to remedy the complaints it receives from the customers as a part
of its Services rendered to Citi hereunder. If Supplier is unable or unwilling
to re-perform the Services as warranted, then Citi shall be entitled to address
such customer complaints (directly or through other supplier) and recover the
fees paid to Supplier for the deficient Services or the amount paid to other
supplier whichever is higher.
3. INDEPENDENT SERVICE PROVIDER Supplier shall provide the Services as an
independent service provider on a non-exclusive basis. Service Provider shall
not use subcontractors for all or part of the Service without prior consent of
Citi, such consent shall be provided by Citi only after review of such
subcontracting agreements. Nothing contained in the Agreement or otherwise shall
be deemed to create any partnership, joint venture, employment, or relationship
of principal and agent, or master and servant between the Parties hereto or any
of their respective employees, affiliates, subsidiaries, related business
entities, agents, contractors or subcontractors or to provide either Party with
any right, power or authority, whether express or implied, to create any duty or
obligation on behalf of the other Party. Supplier acknowledges that the Services
provided are solely within its control, and confirms that neither Supplier nor
any Supplier Personnel, including contractors or subcontractors of Supplier (if
any), will hold out as anything but that (i) Supplier is an independent and
nonexclusive service provider to Citi, and (ii) that the employees of Supplier
are employees solely of Supplier and that other representatives, agents,
contractors or subcontractors of Supplier are those of Supplier. Supplier shall
cooperate with, and extend support to, the foregoing position, in the event of
any finding related to an employment, partnership or joint venture relationship
between Supplier or any of its employees, representatives, agents, contractors
or subcontractors on the one hand and Citi on the other hand. Supplier asserts
that upon employing/engaging with any persons, Supplier shall, at that time,
clearly communicate to such persons that Supplier is the sole employer of such
persons. Supplier declares and agrees (i) that it has the inalienable and
exclusive right, and at all times retains that right, to exercise full control
of and supervision over the performance of Supplier’s obligations hereunder and
full control over the employment, direction, compensation and discharge of all
its employees and other Supplier Personnel; (ii) that it will be solely
responsible for all matters relating to payment of salaries and wages of all its
employees and other Supplier Personnel, and for due and proper compliance with
compensation and benefits requirements for all its employees and other Supplier
Personnel under applicable laws, insurance, fidelity insurance and such other
insurance, social security withholding, and all other laws, rules and
regulations governing such matters and for the redressal of grievances of its
employees and other Supplier Personnel; (iii) that it shall be responsible for
its own acts and those of its employees and other Supplier Persons including
contractors (if any) and subcontractors (if any) during the performance of
Supplier’s obligations to Citi under this Agreement. Supplier and Supplier
Personnel are not entitled to unemployment insurance benefits from Citi as a
result of the Services or this Agreement. Supplier and Citi agree that the
Agreement shall not be construed as an agreement for establishing a joint
venture or partnership between Citi and Supplier. Supplier further warrants that
it will not do or purport to do any act, deed, thing or matter which will
prejudice the interests of Citi, in any manner whatsoever. 4. CONTINUITY OF
BUSINESS The Supplier agrees and confirms that it has in place a robust
contingency and business
resumption plan, including adequate resources, systems and all other
infrastructure requirements, in place, to ensure that Services would not be
adversely affected in any manner on account of any factors including but not
limited to systems break-downs and/or natural and/or man-made disasters, which
may cause disruption in the normal functioning of the Supplier. Additionally,
the Supplier shall conduct periodic testing to check the effectiveness,
satisfactory state and readiness of the aforesaid continuity of business plan.
The Supplier shall, if so requested by Citi, permit Citi to conduct joint
testing of the aforesaid continuity of business plan along with the Supplier. 5.
POST-TERMINATION OBLIGATIONS Commencing upon notice by either Party of
expiration or termination of this Agreement and continuing through the effective
date of expiration or termination, the Supplier confirms that the Supplier shall
not deny Citi reasonable termination assistance as requested by Citi to allow
the use of Services without interruption or adverse effect and to facilitate the
orderly transfer of the subject matter of the Agreement as desired by Citi. If
requested by Citi in this regard, the Supplier undertakes that the Supplier will
also reasonably co-operate with a third party service provider in connection
with the preparation and implementation of a transition plan by such third party
and/or Citi upon the termination or expiration of this Agreement. It is hereby
clarified that such termination assistance shall be provided to Citi by the
Supplier at no additional costs except to the extent of fee for Services as may
be calculated on any pro-rata basis that is applicable. 6. INSPECTION AND RIGHT
TO AUDIT 6.1 The Supplier shall keep complete and accurate records of all
operations and expenses in connection with the Services. All the said records
shall be kept on file by the Supplier for a period of 8 (Eight) years from the
date the record is made or as otherwise set forth by applicable law, and in any
event, shall not be excised without first having duly and adequately and timely
informed Citi in writing and also providing Citi with the option of having such
records transferred into the custody of Citi. 6.2 The Supplier shall, at
reasonable hours, allow Citi, its management, its auditors and/or regulators
(including Indian and United States regulators and Citigroup auditors), the
opportunity of inspecting, examining and auditing the Supplier’s operations,
including its security practices and control processes, including practices and
procedures in relation to data security, and business records directly relevant
to the Services, and financial agreements, its balance-sheet and profit and loss
account and audit reports, and all other documents which the Supplier may be
called upon to produce for the purposes of ascertaining the financial viability
of the Supplier as a service provider. The Supplier shall, as and when requested
by Citi, provide access to and make available to any of Citi’s officers /
employees/ management or internal / external auditors, regulators and their
representatives, the necessary records for inspection / examination / audit, and
cooperate to the fullest extent so as to clarify on any activities and to assure
a prompt and accurate audit related to the Services. 6.3 The Supplier shall
co-operate with Citi’s internal or external auditors, and regulators to assure a
prompt and accurate audit/inspection. The Supplier shall also co-operate in good
faith with Citi to correct any practices, which are found to be deficient as a
result of any such audit, within a reasonable time after receipt of reports.
Such audits or reviews will be at the expense of Citi. However, if the audit
discovers discrepancies or overcharges, then upon completion of such audit or
review, the Supplier shall be bound and liable to promptly reimburse to Citi for
such discrepancies or overcharges, and for the cost of the audit. 6.4 In
addition to what is provided hereinabove, the Supplier shall on a year-on-year
basis provide to its independent auditors (“Auditors”) access at reasonable
hours to Supplier Personnel and to Supplier’s records and other pertinent
information, all to the extent relevant to the performance of Supplier’s
financial, regulatory and Service obligations under the Agreement. Such access
shall be provided for the purpose of performing audits and inspections by the
Auditors. The Supplier shall without delay submit the audit report to Citi. Citi
and the Supplier shall develop and agree upon an action plan to promptly address
and resolve any deficiencies, concerns and/or recommendations in such audit
report in relation to the Services, and the Supplier, at its own expense, shall
undertake remedial action in accordance with such action plan. The audit fees
incurred under this clause shall be to the Supplier’s sole account. 7.
MONITORING RESPONSIBILITY Except as otherwise directed by Citi, the Supplier
agrees to meet with Citi, on a monthly basis, for the purpose of reviewing the
Services provided by Supplier pursuant to the requirements of the Agreement. The
Supplier shall submit a monthly report to Citi which shall include, but not be
limited to, the following information, (i) a status report on Services provided
during the month, identifying, in particular, any performance standards not met;
and (ii) any other information requested by Citi. The Supplier agrees to meet
with Citi on a quarterly basis to review all aspects of the Services provided
and/or any other matters of mutual interest to the Supplier and Citi. Further,
the Supplier agrees to meet with Citi at any time at the request of Citi to
review the Services provided by Supplier. The Supplier agrees to provide Citi
with any and all information requested by Citi for the purpose of documenting
and/or analyzing the Services provided. Citi will select, at its sole
discretion, the information reports necessary for its management information
needs. 8. CONSENT FOR DISCLOSURE Unless consent is prohibited by law, Supplier
hereby consents to the transfer and disclosure by Citi of any information
relating to the Supplier or any Service (i) to and between the branches,
representative offices, affiliates and agents of Citi and third parties selected
by any of them, wherever situated, for confidential use (including in connection
with the provisions of any service and for data processing, statistical and risk
analysis purposes); and (ii) to any person to (or through) whom Citi transfers
or assigns (or may potentially transfer or assign) all or any of its rights,
benefits and obligations hereunder, or with (or through) whom Citi enters into
(or may potentially enter into) any sub-participation or the like in relation
to, or any other transaction under which Services are to be made or received by
reference to, the Agreement and this Addendum. Citi and any branch,
representative office, affiliate, agent or third party may transfer and disclose
any such information as required by law, court, regulator or legal process.
Further, this provision shall be in addition to, and not in substitution for,
any other provision agreed to between the parties (whether before or after the
date hereof) which gives broader rights of disclosure to either party than
contained herein.
9. GOVERNING LAW AND JURISDICTION Where both Citi (or Affiliate) and/or Supplier
are located in or entities incorporated in India, the governing law shall be
the laws of India, and all claims or disputes arising out of or in connection
with Agreement and/or the relevant Work Order shall be submitted to the court in
India where Citi (or Affiliate) is located.
SCHEDULE F — INDONESIA LAW REQUIREMENTS (Version 3 — 17 February 2017) 1.
PROVISIONS REQUIRED BY LOCAL LAWS OR REGULATIONS For the purposes of the
Agreement and each Work Order made between the Supplier and Citi (or Affiliate)
in Indonesia, the following wording shall be added to the Agreement in its
entirety: 2. GENERAL REQUIREMENTS FOR ALL SERVICES(2) The following provisions
shall apply to all Services provided by the Supplier to Citi: 2.1 Examinations
or Audits by Regulators of the Supplier(3) Supplier shall notify Citi of any
examination or audit by regulators of the Supplier which impacts the Services of
Citi or the confidential information (including Indonesia data) of Citi. The
notice must be addressed to Citi’s Country Compliance and must be received by
Citi 3 (three) weeks before the examination or the audit commences. The Supplier
should not release any Indonesia data without the approval of Citi. 2.2 Audits
by Financial Services Authority / Otoritas Jasa Keuangan (“OJK”) (or any
successor authority) on Citi(4) In the event of an audit conducted by OJK (or
any successor authority) on Citi, any data requested to the Supplier must be
provided by the Supplier to Citi within 5 (five) Indonesia business days from
the date of request by Citi. 2.3 Critical Event(5) The Supplier agrees to also,
as soon as possible, notify Citi of the occurrence of any critical event in
regard to Citi, i.e. an event which may result in a financial loss to Citi
and/or impede the smooth running of Citi’s operations. 2.4 Assignment and
Subcontracting(6) The Supplier shall provide prior notification to Citi in the
form of Appendix I hereof, for any assignment or subcontracting by the Supplier
of any of its rights, obligations or responsibilities under the Agreement and
the Work Order. If agreed by Citi, the notification can be made through e-mail
to the designated person of Citi. 2.5 Classification of Services where Citi is
Citibank, N.A., Indonesia In the case where Citi is Citibank, N.A., Indonesia,
depending on whether or not a specific Service is classified by Citibank, N.A.,
Indonesia as an Information Technology Service (2) Regulations: a. OJK
Regulations No 9/ POJK.03/2016 on Outsourcing (“OJK Reg. No 9/ 2016”). b. OJK
Regulations No 38/ POJK.03/2016 on Risk Management Implementation on Information
Technology (“OJK Reg. No 38/2016”) c. SEBI No 9/30/2007 on Risk Management
Implementation on Information Technology (SEBI no 9/2007) d. SEBI No
14/20/DPNP/2012 on Prudential Principal on Outsourcing. (3) Section 10.3.3.1 of
SEBI no 9/2007 (4) Section 10.3.3.1 of SEBI no 9/2007 (5) Section 10.3.3.1 of
SEBI no 9/2007 (6) Section 10.3.3.1 of SEBI no 9/2007
pursuant to the regulation of OJK(7) (or any successor authority), different
requirements may apply to the Service. The Supplier shall obtain confirmation
from Citibank, N.A., Indonesia on the classification of Services provided under
the Agreement. Reference should also be made in any Work Order. 3. SPECIFIC
REQUIREMENTS FOR INFORMATION TECHNOLOGY SERVICES(8) In addition to the
requirements as set forth in Section 2 above, the provisions under Section 3 of
this Schedule shall apply to the Services where it is identified as Information
Technology Services in the Agreement or in any Work Order. 3.1 Definitions(9) a.
Information Technology is a technology to gather, organize, keep, process,
announce, analyze, and/or publish information; which are related to computer,
telecommunication and other electronics means used to operate financial data
and/or provide banking services; b. Data Centre is a main facility for data
processing for Citi by Supplier, consisting of hardware and software to support
the operational activities of Citi continuously; c. Disaster Recovery Centre is
a substitute facility, in the event the Data Centre experiences a disturbance or
dysfunction, among others due to: no electricity to the computer room, fire,
explosion or computer damage, temporarily used during the recovery of the
Supplier’s Data Centre, to ensure business continuity; d.
Technology-based-Transaction Processing is an activity in the form of addition,
amendment, deletion of data and/or data authorization to be performed on the
application system(s) used to process Citi transactions. 3.2 Information
Technology Services For all Services that are identified as Information
Technology Services, the following requirements shall apply:(10) a. The Supplier
must apply reasonable information technology control principles (the application
of both physical and logical security measures) which shall be evidenced by an
independent audit report commissioned by Supplier. b. The Supplier shall provide
technical document(s) to Citi in relation to the Information Technology Services
being provided, which include among others the Information Technology processes
and data base structure. c. The Supplier shall provide qualified and competent
personnel in accordance with the Information Technology Services being provided.
The Supplier must do transfer of knowledge to Citi, so that there will be a
personnel in Citi that understands the Information Technology processes and
applications provided by the Supplier, which may be done among others by way of
providing trainings to Citi. d. The Supplier must report to Citi of any request
for access or disclosure of the confidential information, to the extent that
such confidential information must be disclosed under applicable laws. (7) OJK
Reg No 38/2016 (8) OJK Reg No 38/2016 (9) In accordance to Section 1 of OJK Reg.
No. 38/2016 (10) Section 10.3.3.1 of SEBI no 9/2007
e. The Supplier must report to Citi in the event of any change of situation
which may limit or hinder the rights of Citi or OJK (or any successor authority)
to access information in regard to the Information Technology Services. f. Upon
request by Citi, the Supplier shall provide Citi with report of the monitoring
result on its performance related to a Work Order. g. In addition and without
prejudice to the business continuity or disaster recovery provisions of the
Master Agreement, the Supplier shall ensure that the Disaster Recovery Plan is
tested from time to time. For Information Technology Services that are
specifically identified as maintenance of a Data Centre, Disaster Recovery
Services and/or Technology-based Transaction Processing Services, additional
requirements as set forth in Subsection 3.3 of this Schedule shall apply. 3.3
Data Centre, Disaster Recovery Services and Technology-based Transaction
Processing Services For Information Technology Services that are specifically
identified as maintenance of Data Centre or Disaster Recovery Services and/or
Technology-based Transaction Processing Services, in addition to the requirement
of Subsection 3.2 of this Schedule, the following requirements shall apply:(11)
a. Submission of Documents Prior to Initiation of Services As part of the
requirement for Citi to apply to OJK (or any successor authority) for approval
of the outsourcing of Data Centre, Disaster Recovery Services and/or
Technology-based Transaction Processing Services to Supplier, the Supplier shall
submit to OJK (or any successor authority) via Citi a written confirmation from
the regulatory or statutory authority having local jurisdiction over the
Supplier that: (i) Supplier is within its supervisory jurisdiction; (ii) the
authority shall allow OJK (or any successor authority), at a reasonable time, to
examine Supplier’s provision of services to Citi. In the event there is no
authority having jurisdiction over the Supplier, the Supplier shall advise Citi
of the circumstance. Citi shall seek advice from OJK (or any successor
authority) of a confirmation acceptable to OJK (or any successor authority) in
lieu of the above written confirmation. b. Risk Management Controls: Supplier
shall provide Citi, on an annual basis, an appraisal on the risk management
controls in effect at the Supplier. The foregoing report must be submitted no
later than a month after the completion of such review. For the purpose of this
clause Appendix II hereto is a summary of the least coverage to be observed in a
technology risk management pursuant to the prevailing regulation. c. Submission
of Independent Audit Report The Supplier shall submit an independent audit
report on Data Centre, Disaster Recovery Services and/or Technology-based
Transaction Processing Services to OJK (or any successor authority) via Citi on
an annual basis. The report must be submitted to OJK (or any successor
authority) within 2 (two) months after the completion of the audit. d. Data
Transmission (11) Section 10.3.3.1 of SEBI no 9/2007
The Supplier shall ensure the availability of online means of communication,
security on data access and transmission from and to the Data Centre, Disaster
Recovery Centre and Technology-based Transaction Processing Centre and shall
have clear stipulations regarding security in the submission of necessary source
document to and from Data Centre, Disaster Recovery Centre, and Technology-based
Transaction Processing Centre. 4. WITHHOLDING TAXES AND TAX RECEIPTS The
Supplier shall upon Citi’s request furnish Citi with a Certificate of Residence
issued by the competent tax authority of the Supplier on an annual basis. 5.
LANGUAGE(12) The Supplier agrees that to the extent that Law No. 24 of 2009 of
the Republic of Indonesia (“Law No.24/2009”) on Flag, Language, State Emblem and
National Anthem applies to this Agreement (as an agreement to which an
Indonesian entity is a party), the Supplier shall, within 30 (thirty) days after
being requested by Citi (or Affiliate) from time to time, or if required by any
implementing regulations under Law No. 24/2009, translate this Agreement into
Indonesian language and ratify the Indonesian language translation. An
Indonesian language version of this Agreement is only intended for compliance
with the above mentioned Law No.24/2009 as a reference between the parties to
this Agreement. The parties agree that in the event of any inconsistency between
the English language and the Indonesian language version, the English language
version shall prevail. The Supplier acknowledges that it fully understands the
language and the content of this Agreement and the Supplier agrees that it will
not use the provisions under Law No.24/2009 to invalidate this Agreement. 6.
GOVERNING LAW AND JURISDICTION Where both Citi (or Affiliate) and Supplier are
located in or entities incorporated in the Republic of Indonesia, the governing
law shall be the laws of the Republic of Indonesia, and all claims or disputes
arising out of or in connection with Master Agreement and/or the relevant Work
Order shall be submitted to the court in Indonesia where Citi (or Affiliate) is
located. Appendix I Appendix II (12) Law No. 24 of 2009 of the Republic of
Indonesia on Flag, Language, State Emblem and National Anthem.
SCHEDULE G — JAPAN LAW REQUIREMENTS (Version 3 — 6 June 2014; re-validated 10
January 2017) I. General 1.1 Unless otherwise a separate Work Order, Statements
of Work or any additional ancillary agreement (collectively “Work Order”) is
directly made and entered into by and between the Supplier or its local
Affiliate (collectively, the “Supplier”) and any Affiliate of Citi in Japan
(“Citi”), the Supplier shall be subject to Section II of this Schedule in
connection with providing the Services to Citi or for the benefit (whether
direct or indirect) of Citi. 1.2 Where necessary or appropriate, in Citi’s
determination, for Citi to receive the Services in Japan, the Supplier and Citi
will enter into a separate Work Order setting forth such additional terms and
conditions applicable in Japan. The Japanese local agreements may address as
necessary any specific legal, regulatory, human resource or procedural
requirements necessary for compliance with applicable Japanese laws, due to
variations in practices or as otherwise agreed to by the Parties. If a separate
Japanese local agreement is made and entered into by and between the Supplier
and Citi, such Japanese local agreement shall supersede this Addendum including
this Schedule. II. Provisions required by JAPANESE laws or regulations If Citi
receives the Services from the Supplier, or if the Services are for the benefit
(whether direct or indirect) of Citi, the following additional terms and
conditions shall be applied to provision of the Services in addition to the
master agreement to which this Schedule applies (“Master Agreement”). 1.
Protected Information If Citi or its affiliates is required to furnish, supply,
disclose, or make available the Protected Information (defined below) to
Supplier in connection with provision of the Services, the following additional
terms and conditions shall be applied to the Parties in addition to the Master
Agreement: 1.1 The “Protected Information” means and includes personal
information of a natural person (the “Personal Information”) within the meaning
of the Act on the Protection of Personal Information of Japan (Law No. 57 of
2003, as amended from time to time. Hereinafter referred to as the “PIP”) and
non-public information of an artificial person held by Citi. 1.2 If Citi or its
affiliates furnishes, supplies or discloses to Supplier Citi’s Protected
Information in connection with the Services or otherwise, and the Supplier
obtains or
accesses such Protected Information, the Supplier shall take the following
necessary and appropriate measures to prevent divulgence, loss, or destruction
of the Protected Information in accordance with the PIP and other laws and
regulations of Japan (collectively, the “Japanese Laws”). (1) The organizational
security measures to ensure that the Supplier will disclose the Protected
Information only to those of the Supplier’s personnel who have a need to know
such Protected Information (only to the extent necessary) in order to fulfill
the purposes contemplated by the Work Order, and set forth internal rules for
use of and access to the Protected Information, which is subject to the
Supplier’s periodical review; (2) The individual security measures to ensure
that the Supplier will instruct and supervise its personnel who use or have
access to the Protected Information to prohibit the personnel from committing
unauthorized disclosure, access, use and misappropriation of the Protected
Information; and (3) The technological security measures to ensure that the
Supplier will implement systems to limit access to the Protected Information and
monitor such access. 1.3 Pursuant to the Japanese Laws, the Supplier
acknowledges and agrees that: (1) Citi reserves the rights to supervise and
audit the Supplier in connection with the provision of the Services and the
Protected Information disclosed to the Supplier; (2) Citi reserves the rights
not to furnish, supply, disclose, or make available the Protected Information to
the Supplier in connection with provision of the Services IF the Supplier fails
to comply with the terms and conditions set forth in this Schedule; (3) The
Supplier shall use the Citi’s Protected Information only for the purpose of
providing the Services and shall not destroy, alter, misappropriate, reproduce,
or store the Protected Information nor divulge or disclose the Protected
Information, in any form or manner, to a third party without the prior written
consent of Citi; and (4) The Supplier shall be responsible for damages arising
out of, or relating to divulgence, loss, alteration, misappropriation, and/or
unauthorized disclosure of the Protected Information caused by the Supplier. 1.4
Notwithstanding Section 2 hereof, the Supplier shall not outsource handling of
Citi’s Protected Information to the Supplier’s subcontractor UNLESS the Supplier
satisfies all of the following requirements in addition to Sections 2 and 3 of
this Schedule:
(1) The Supplier shall obtain the prior written consent of Citi; and (2) The
Supplier shall cause its subcontractor to adopt the adequate security measures
as set forth in Section 1.2 of this Schedule. 1.5 Except as otherwise expressly
provided for by the Master Agreement and the Work Order, upon the request of
Citi at any time during the term of the applicable Work Order or after the
termination thereof, the Supplier shall promptly return or destroy the Protected
Information or its duplicates supplied to, or otherwise obtained by, the
Supplier in connection with the Services, in the form or manner specifically
instructed by Citi. If the Protected Information was stored or saved in the
Supplier’s computers, servers, or any other electromagnetic medium, the Supplier
also shall delete or purge such stored or saved Protected Information in the
form or manner specifically instructed by Citi. 1.6 Where the Supplier is
required to disclose Citi’s Protected Information under any applicable law,
regulation or an order from a court, regulatory agency or other governmental
authority having competent jurisdiction, and is further required to notify Citi,
the Supplier must promptly send a copy of the order and accompanying
documentation by facsimile transmission to Citi. 2. Subcontracting 2.1 The
Supplier shall not subcontract any part of the Services to a third party,
including its Affiliates, without the prior written consent of Citi. 2.2 If the
Supplier subcontracts any part of the Services to a third party, the Supplier
shall select a subcontractor which meets satisfactory criteria, including but
not limited to, all of the following three (3) criteria: (1) A subcontractor
who, in light of Citi’s coherent business operations, is able to provide Citi
and Supplier with the Services at the reasonably sufficient level in the
industry; (2) A subcontractor whose financial and management conditions are
sufficient enough to provide Citi and Supplier with the Services in accordance
with the Master Agreement, applicable Work Order, this Schedule and
subcontracting agreement, and to indemnify Citi for damages arising out of, or
relating to the Services; and (3) A subcontractor will not risk the reputation
of Citi. 2.3 A subcontracting agreement to be entered into by and between the
Supplier and a subcontractor shall contain satisfactory stipulations, including
but not limited to, all of the following four (4) terms and conditions:
(1) Description of the services to be subcontracted, the service level standards
for providing the services, and procedures for terminating the subcontracting
agreement; (2) The subcontractor’s liability for damages arising out of
subcontractor’s failure to perform the services in accordance with the
subcontracting agreement or subcontractor’s breach of the subcontracting
agreement (placing a security deposit, collateral, or lien if necessary); (3)
Items to be reported by the subcontractor to the Supplier in connection with the
provision of the services and subcontractor’s management conditions; and (4)
Cooperation with internal and external auditors and regulators of Citi and/or
the Supplier. 2.4 A subcontracting agreement to be entered into by and between
the Supplier and a subcontractor shall not violate the applicable Japanese Laws.
2.5 The Supplier shall adopt sufficient internal control measures, including but
not limited to, designating a project manager who is responsible for the
subcontracted services, monitoring a subcontractor and its performance, and
establishing audit functions. 2.6 A subcontractor shall provide the Supplier
with a periodical report on the status of subcontracted services and the
subcontractor, upon request of Citi and/or the Supplier, must provide Citi
and/or the Supplier with necessary information in a prompt manner. 2.7 The
Supplier shall audit a subcontractor periodically to ensure that such
subcontractor complies with applicable Japanese Laws and all terms and
conditions set forth in the Master Agreement, applicable Work Order and this
Schedule. 2.8 The Supplier shall prepare a continuity of business plan in order
to provide Citi with continuous Services in case of emergency or subcontractor’s
failure to perform the Services in accordance with the subcontracting agreement.
2.9 The Supplier, upon the request of Citi, shall provide Citi with information
of its subcontractor, including but not limited to, name of the subcontractor
and its project manager, contact information of the subcontractor, description
of the services subcontracted, and the subcontracting agreement. 3. Continuity
of Business Plan 3.1 The Supplier must maintain a continuity of business plan
(“COB Plan”). The COB Plan must enable the Supplier to provide the Services and
comply with the terms of the Master Agreement, notwithstanding an event that
disrupts, impairs or prevents the Supplier from otherwise providing the Services
or complying with its obligations thereunder.
3.2 The COB Plan must include procedures to ensure that the Supplier is able to
provide the Services and otherwise comply with its obligations under the Master
Agreement, notwithstanding that an agent, consultant or contractor of the
Supplier is incapable of providing the Services to the Supplier. 3.3 The COB
Plan must be: (1) based upon a formal assessment of the applicable risks; (2)
reviewed and updated on a regular basis and at least annually; (3) tested at
least annually; and (4) subject to quality assurance review at least annually.
4. Representation and Warranties for Anti-Social Forces 4.1 For the purpose of
this Schedule, “Anti-Social Force” means and includes a crime organization
(boryokudan), a listed member (boryokudan-in) or an affiliated member
(jun-boryokudan-in) of such crime organization, a corporate entity affiliated
with such crime organization, a corporate racketeer (sokaiya), an individual or
an organization which demands and/or acquires financial interests of others in
unlawful manners and/or causes or threatens to cause physical harm to others,
and all other equivalent or similar individuals or organizations. 4.2 The
Supplier, to the best of its knowledge, represents and warrants on or after
execution of an applicable Work Order that Supplier, its subcontractor and its
subcontractors’ personnel have never belonged to or will never belong to the
Anti-Social Force. 4.3 The Supplier, to the best of its knowledge, represents
and warrants to a Japanese Entity on or after execution of an applicable Work
Order that the Supplier and its subcontractors by themselves or through any
third party have not engaged in or will not engage in the following acts: (1)
Extortion, racketeering and/or similar unlawful demand; (2) Unreasonable demand
and/or claim beyond its legal rights and obligations; (3) Employment of
threatening language or physical force in connection with a transaction; (4)
Defamation of others and/or disruption of others’ business activities by
disseminating false or misleading statements, employing fraudulent means, or
resorting to fearful forces; or (5) Any other acts similar to the foregoing,
including but not limited to money laundering. 4.4 Citi reserves the right to
terminate an applicable Work Order if the Supplier and/or its subcontractors
breaches or misrepresents any one of the representations and warranties set
forth in this Section 4 and it becomes unreasonable to maintain a contractual
relationship with Citi (or the relevant Citi affiliate). 5. Inspection and
Rights to Audit
5.1 Citi, its auditors, or its authorized regulator shall have the right to
audit the Supplier to ensure compliance with the Master Agreement and/or an
applicable Work Order in relation to the Services. The Supplier shall cooperate
with Citi’s internal and external auditors and regulators. The Supplier shall
keep complete and accurate records of all of its work and expenses in providing
the Services to Citi for a period not less than seven (7) years from the date
which the record was created or such other longer period as requested by Citi in
writing. 5.2 The Supplier shall require any subcontractor appointed (if
applicable) to also maintain complete and accurate records of all of its work
and expenses in relation to the Service subcontracted to it. The Supplier shall
ensure and procure that these requirements are set forth in its arrangements
with any subcontractor. 5.3 The Supplier shall allow Citi, its auditors and/or
its regulators: (1) to obtain records and documents of transactions and
information of Citi given to, stored at or processed by the Supplier; (2) to
access any report and findings made on the Supplier in conjunction with the
Services performed for Citi; (3) to access the business premises of the
Supplier in the exercise of its rights herein; and (4) to inspect, examine and
audit the Supplier’s operations and records insofar as they are relevant to the
Services. 6. Notice 6.1 If the Supplier receives Citi’s Protected Information,
the Supplier, upon a request of Citi, shall fill out all necessary information
in the Protected Information Sharing Attestation (Form 1) attached hereto and
submit Form 1 to Citi. If Supplier subcontracts all or any part of handling of
the Protected Information to a third party, Supplier shall also fill out the
“Outsourcing” part of the Form 1 and submit the Form 1 to Citi prior to the
subcontracting. 6.2 If the Supplier returns or destroys the Protected
Information in accordance with Section 1.5, the Supplier, upon a request of
Citi, shall fill out all necessary information in the Protected Information
Return/Deletion Attestation (Form 2) attached hereto and submit Form 2 to Citi
without unnecessary delay. 6.3 If the Supplier outsources all or a part of the
Services to a subcontractor, the Supplier, upon a request of Citi, shall fill
out all necessary information in the Subcontract Attestation (Form 3) attached
hereto and submit Form 3 to Citi prior to such outsourcing arrangement. 6.4 If
the Supplier makes material changes in provision of the Services which give rise
to a direct or indirect impact on Citi, including but not limited to system
upgrade and/or alteration, changes in business processes, and changes in the
Subcontractor and/or its
supervisory management, the Supplier, upon a request of Citi, shall fill out
all necessary information in the Service Report (Form 4) attached hereto and
submit Form 4 to Citi without unnecessary delay. 6.5 Citi reserves the right to
request the Supplier for a periodic report on provision of the Services by
filling out all necessary information in the Service Report (Form 4) attached
hereto and submitting Form 4 to Citi without unnecessary delay. 7. Governing Law
and Jurisdiction This Schedule shall be governed by, and construed in accordance
with, the laws of Japan, and the parties hereby agree to submit to the
non-exclusive jurisdiction of the Tokyo District Courts. III. Governing Law and
Jurisdiction for direct Work Orders In the event a separate Work Order is
directly made and entered into by and between the Supplier and Citi,
notwithstanding any term to the contrary in the Master Agreement and/or
Schedule, the governing law and jurisdiction clause as it applies to the
applicable Work Orders entered into by and between Citi and the Supplier is
varied as follows: “The validity of this Agreement as it applies to the Work
Order, the construction and enforcement of its terms, and the interpretation of
the rights and duties of the parties to the Work Order shall be governed by the
laws of Japan. The Parties to the Work Order submit to the non-exclusive
jurisdiction of the courts of the Tokyo District Court with respect to any
dispute arising out of or in connection with the relevant Work Order and the
Services provided in Japan.” FORM 1 — PROTECTED INFORMATION SHARING ATTESTATION
Form 1.doc FORM 2 — PROTECTED INFORMATION RETURN/DELETION ATTESTATION Form 2.doc
FORM 3 — SUBCONTRACT ATTESTATION Form 3.doc
FORM 4 — SERVICE REPORT Form 4.doc

SCHEDULE H — KOREA LAW REQUIREMENTS (Version 3 — 25 February 2016; revalidated
17 January 2017) In addition to the provisions under the Agreement, the Supplier
shall comply with the requirements set forth below in accordance with applicable
laws of Korea. To the extent that the terms and conditions of the Agreement are
inconsistent with the terms and conditions herein, the terms and conditions
herein will prevail. 1. Requirements under the (i) Personal Information
Protection Act and (ii) Use and Protection of Credit Information Act: The
following provisions shall apply to the Supplier to the extent that the Supplier
receives Personal Information. Personal information refers to information
pertaining to a living individual which contains information identifying a
specific person with a name, a resident registration number, or similar in a
form of an image, etc. (including information that does not, by itself, make it
possible to identify a specific person but that when combined with other
information readily identifies such a person). For the avoidance of doubt,
Personal Information includes any credit information that relates to
determination of credit rating or credit transactions capacities of a person as
such term is defined under the Use and Protection of Credit Information Act. 1.1
The Supplier shall take measures, including establishment and operation of
facilities and systems, to achieve the following in connection with processing
any Personal Information: - prevent any distortion of access records to the
Personal Information; - encrypt the Personal Information for transmission
purposes; and - examine the Personal Information access records on a regular
basis. In addition, the Supplier shall take such other measures necessary to
protect the Personal Information as reasonably required by Citi. 1.2 Personal
Information Protection Officer (a) For each service provided, the Supplier shall
designate an individual to act as a Personal Information Protection Officer who
will be responsible for processing all Personal Information pertaining to a
natural person and ensure that the following duties are performed by such
person: - adopt internal policies and procedures to protect the Personal
Information (the “Personal Information Protection Procedures”); - oversee and
manage the Personal Information processing practice and make any improvement on
such practice if necessary; - address any complaint the Supplier receives in
connection with the Personal Information processing; - establish an internal
control system to prevent any theft, misuse or abuse of the Personal
Information; - establish a program and educate the Supplier Personnel regarding
protection of the Personal Information; - manage and supervise maintenance and
protection of documents that include the Personal Information; and - perform any
other duties that may be necessary to process and protect the Personal
Information.
(b) The Supplier shall ensure that the Personal Information Protection Officer
(i) has the authority to make inquiries or require any person who deals with the
Personal Information to report to him/her regarding processing status or
processing system of the Personal Information and (ii) does not suffer from any
disadvantage in performing his/her duties set forth in Section 1.2(a) above. 1.3
Upon occurrence of any breach of the Personal Information Protection Procedures
or theft of the Personal Information (the “Occurrence”), the Supplier shall,
without delay, take necessary measures to minimize the damage or loss and
immediately notify Citi and Citi’s Project manager of the Occurrence and the
following information as applicable: - the items of the Personal Information
that are disclosed or stolen; - the time and details of the Occurrence; -
measures that victims of the Occurrence may take to minimize their damage or
loss; - measures adopted by and reliefs to be provided by the Supplier to remedy
the Occurrence; and - contact information to which the victims may report their
damage or loss. 1.4 The Personal Information pertaining to an individual must be
made available for review, correction, or deletion, or must be subject to
suspension of being processed upon such individual’s request. In the event that
such individual to which the Personal Information pertains raises any objection
to the manners in which his/her request concerning the foregoing matters are
addressed by Citi, the Supplier shall endeavor to assist Citi in dealing with
such objection. 2. Delegation Matters under the Regulations on Business
Delegation by Financial Institutions The Supplier shall maintain a continuity of
business (“COB”) plan designed to deal with a major destruction or incapacity of
its facilities and/or systems. Pursuant to the COB plan, the Supplier shall
maintain resources, guidelines, general action steps and backup sites,
facilities and systems to resume business in case of disruption due to natural
disaster, accidents or system failure. The COB plan shall include procedures
including, but not limited to, for business site relocation, restoration of
business functions and telecommunications resumption. Redundant servers shall be
in place for several key systems and daily tape backups shall capture all key
data and be stored offsite. The Supplier’s COB plan shall be updated and tested
on an ongoing basis. 3. Requirements under Regulation on Outsourcing of Data
Processing of Financial Companies 3.1 Pursuant to the Regulation on Outsourcing
of Data Processing of Financial Companies, the outsourcing agreement between
Citi and Supplier shall include but not be limited to the following: access and
control to data transferred, joint responsibility between Citi and Supplier with
regard to damage or loss suffered by Citi’s customer arising from an IT
incident, inspection right on the Supplier by the regulator of Citi,
jurisdiction in the event of legal dispute between Citi and Supplier. 3.2. When
Citi outsources for data processing under this regulation, the Supplier may
re-outsource the outsourced business to its affiliates, in which case, the
outsourcing agreement between the Supplier and its affiliates is also subject to
the requirements as set out in this Schedule. 3.3 The outsourcing agreement
shall be governed by and construed in accordance with the laws of the Republic
of Korea. Any dispute concerning the Service Provider over the outsourcing
agreement is subject to the jurisdiction of the courts of the Republic of Korea.
4. Requirements under the Financial Investment Services and Capital Markets Act
(FISCMA) The Supplier understands and acknowledges that, according to the
FISCMA, Citi may entrust the Supplier with part of the affairs that it carries
on as other financial businesses and incidental operations, while the Supplier
or its Subcontractors shall not be entrusted with the affairs, prescribed under
the Enforcement Decree of the FISCMA as those that are likely to undermine the
protection of investors or sound order in trading, including (i) business of a
compliance officer, (ii) business of performing internal auditing, (iii)
business of managing risk, and (iv) business of analyzing and assessing credit
risk, etc. The Supplier further understands that Citi shall report an agreement
related to the above entrustment or delegation to the Financial Services
Commission and the Supplier shall use its best efforts to facilitate the report
process.

SCHEDULE I — MACAU LAW REQUIREMENTS (Version 2 — 22 March 2017) 1. Compliance
with the law of Macau Special Administrative Region of the People’s Republic of
China Prior to the provision of any Services by Supplier to Citi, both Parties
shall comply with all legal and regulatory requirements in respect of the
Services. 2. Audit and Inspection Right 2.1 The Supplier agrees that the
services it performs for Citi are subject to examination of relevant authorities
in Macau. Citi shall keep complete and accurate records of all of its work and
expenses in receiving the Services from the Supplier for a period of at least
ten (10) years from the date which the record was created. The Supplier shall,
upon reasonable notice, allow Citi, its management, its auditors and/or its
regulators, the opportunity of inspecting, examining and auditing the Supplier’s
operations and the business records which are relevant to the Services provided
hereunder by the Supplier including but not limited to the Supplier’s critical
processes to confirm that the Supplier’s processes meet or exceed industry
standards in such area of contingency planning, continuity of business plans,
software engineering and test processes, change control procedures, critical
staff succession planning and compliance with applicable laws and regulations.
The Supplier shall cooperate fully with Citi’s internal or external auditors to
ensure a prompt and accurate audit. If Citi provides recommendations for
enhancing the Supplier’s critical processes, then the Supplier shall give due
consideration to implementing such recommendations. 2.2 If an audit leads Citi
to conclude that the Supplier breached the provisions of this Agreement or that
any of the Supplier’s business or professional practices related to its
performance of Services presents a risk of unauthorized disclosure of
Information, the Supplier and Citi shall use their best efforts to reach a
mutually satisfactory resolution. The Supplier shall also use its best efforts
to correct any practices which are found to be deficient as a result of any such
audit within a reasonable time after receipt of Citi’s audit report. 2.3 Citi
shall be entitled to enter all or any of the Supplier’s premises from time to
time to inspect and examine the Supplier’s operations and to check that the
Supplier is complying with its obligations under this Agreement. Citi shall
endeavor to give reasonable notice of its exercise of its rights hereunder but
in circumstances where Citi is of the view that it would prejudice Citi’s
interests to give such notice, no prior notice shall be required to be given by
Citi. Citi’s rights under this clause may be exercisable by Citi from time to
time without the Supplier’s consent and Citi is empowered to take all necessary
or reasonable steps in order to exercise its rights under this clause fully. 3.
Data processing To the extent the Macau Data Protection Act (the “Act”) applies
to the Supplier in its provision of services, Supplier shall comply with the
requirements of the Act when the Supplier is acting as data processor, and is
collecting, holding, processing, using or transferring personal data of
individuals under this Schedule J (Macau Law Requirements). To the extent
required by the Act the Supplier (i) will use appropriate technology and
organizational measures to protect the personal data collected and / or stored
with it and (ii) will ensure its employees and other persons who work for the
Supplier (on a permanent or temporary basis) are bound by obligations of
confidentiality.

SCHEDULE J — MALAYSIA LAW REQUIREMENTS (Version .6 — 11 January 2017) 1
Definitions For the purposes of this Schedule and its Appendices, the following
terms shall have the meanings:- 1.1 “Citi Malaysia” means any Customer Affiliate
in Malaysia. 1.2 “Citi Malaysia Information” includes all tangible or intangible
information or materials, in any form or medium (and without regard to whether
the information or materials are owned by Citi Malaysia or by a third party),
that is provided or disclosed to Supplier by Citi Malaysia (including Personal
Data and Citi Malaysia’s customers’ documents and information) or where the
information or materials is provided or disclosed by Citi Malaysia to a third
party (including an Affiliate), it is accessed, observed or otherwise obtained
by Supplier. 2. Confidentiality and Security 2.1 Supplier hereby acknowledges
receipt of section 133 of the Financial Services Act, 2013 of Malaysia (“FSA”),
section 178 of the Labuan Financial Services and Securities Act, 2010 of
Malaysia (“LFSSA”) and section 43 of the Securities Industry (Central
Depositories) Act, 1991 of Malaysia (“SICDA”) (see Appendix A attached hereto).
Supplier hereby acknowledges that it has been made aware of the effect of, and
agrees and undertakes to, and to procure all Supplier Personnel and Supplier
Affiliates that it uses to provide the Services, to observe all precautionary
measures to prevent disclosure of information that will cause a violation of
section 133 of the FSA or section 178 of the LFSSA or section 43 of the SICDA.
Supplier further agrees and undertakes that it will not, and will covenant all
Supplier Personnel and Supplier Affiliates not to do anything which will violate
section 133 of the FSA or section 178 of the LFSSA or section 43 of the SICDA or
otherwise be guilty of an offence there under. 2.2 Notwithstanding anything to
the contrary and subject to the provisions of this Schedule, Supplier shall not,
without Citi Malaysia’s written consent, disclose Citi Malaysia Information to
any person (save for disclosure to Supplier’s employees (and only to the extent
necessary in order to fulfill the purposes contemplated by the relevant Work
Order)). Where the Citi Malaysia Information includes an Affiliate’s
Confidential Information, Supplier shall comply with such additional obligations
as may be required by that Affiliate as provided in the Agreement or notified in
writing to Supplier. For the avoidance of doubt, the term “person” includes
Supplier Affiliates, agents, consultants, contract non-employee workers,
contractors, sub-contractors, third party hires and third party vendors. 2.3
Supplier shall at all times take technical, personnel, organizational and other
measures to ensure:- 2.3.1 the confidentiality of Citi Malaysia Information
between its various customers; and 2.3.2 that all Citi Malaysia Information and
assets can be clearly identified and segregated so that Citi Malaysia
Information and assets can either be
removed from the possession of Supplier or deleted, destroyed or rendered
unusable. 2.4 Supplier shall retain all documents in connection with the
provision of the Services in accordance with Citi Malaysia’s record retention
policies or for such longer periods as may be reasonably instructed in writing
by Citi Malaysia from time to time. Except as otherwise specified in the
relevant Work Order or as required under any Applicable Law, upon the request of
Citi Malaysia, Supplier will return (or purge its systems and files of, and
suitably account for) all Citi Malaysia Information supplied to, or otherwise
obtained by, Supplier in connection with the relevant Work Order. Supplier will
certify in writing that it has fully complied with its obligations under this
Clause 2.4 within seven (7) days following the date it receives a request from
Citi Malaysia for such a certification. 2.5 Supplier shall not, without Citi
Malaysia’s express prior written approval, send any Citi Malaysia Information
to, store Citi Malaysia Information at, or provide access to Citi Malaysia
Information from, any facility or data center outside of the country from which
such Citi Malaysia Information was collected. 2.6 Supplier acknowledges that
Citi Malaysia and its Affiliates are global companies and may, from time to
time, collect, store, process, disseminate or use Personal Data relating to or
provided by Supplier, or any person (natural person or legal entity) that
Supplier assigns or engages (whether directly or indirectly) to exercise its
rights or fulfill its obligations under the Agreement and relevant Work Order
(collectively “Supplier Personal Data”). Supplier consents to, and warrants that
it has obtained the consents of each person whose Personal Data is provided by
Supplier or who is assigned or engaged to interact with Citi Malaysia or an
Affiliate in connection with the subject matter of the Agreement and relevant
Work Order for the collection, storage, processing, dissemination or use of such
Supplier Personal Data by Citi Malaysia and the Affiliates for all purposes
relating to the business contemplated under the Agreement and the relevant Work
Order, including without limitation Citi Malaysia’s or an Affiliate’s
administration of applicable policies or the administration of Citi Malaysia’s
or an Affiliate’s vendor management program. 2.7 This Clause 2 (Confidentiality
and Security) of this Malaysia Law Requirements Schedule shall survive
termination or expiration of the relevant Work Order. 3 Business Continuity
Management 3.1 Supplier represents, warrants and covenants that it has in place
a satisfactory and a fully documented and adequately resourced Business
Continuity Management (“BCM”) plan comprising (i) a Business Continuity Plan
(“BCP”) evidencing how Supplier shall, under exceptional circumstances, be in a
position to perform its obligations under the relevant Work Order, including but
not limited to continuity of service and (ii) a Disaster Recovery Plan (“DRP”)
evidencing how Supplier shall, in the event of a disaster, be in a position to
perform its obligations under the relevant Work Order, including but not limited
to disaster (whether natural or man-made) recovery plans that minimize the
probability and impact of interruption to Citi Malaysia’s business, back up
processing, protecting program and data files and equipment for the orderly and
expeditious provision of the Services. 3.2 Supplier further represents and
warrants that in respect of each Work Order, the BCP and the DRP shall be in
place for the entire term of the relevant Work Order and for such period where
transition services are provided by Supplier to Citi Malaysia. Supplier is
required to declare its state of business continuity readiness to Citi
Malaysia on an annual basis. Supplier shall provide Citi Malaysia and comply
with Recovery Time Objectives (“RTO”) stipulating the timeframe required for any
of Supplier’s information technology systems and applications to be recovered
and to be operationally ready to support the Services after an outage in
accordance with such specifications as may be acceptable to Citi Malaysia. 3.3
Supplier shall test the BCP in relation to the Services and all facilities used
by it in connection with the BCP on a regular basis and at least annually and
notify Citi Malaysia of any test finding that may affect the Supplier’s
performance, the test results and action to be undertaken to address any gap in
the BCP. 3.4 Supplier shall test the DRP in relation to the Services and all
facilities used by it in connection with the DRP on a regular basis and at least
twice a year and notify Citi Malaysia of any test finding that may affect the
Supplier’s performance, the test results and action to be undertaken to address
any gap in the DRP. 3.5 If Supplier makes any significant change(s) to the BCM
or there are any adverse developments that may significantly impact the
Services, it shall notify Citi Malaysia in writing and provide a full
description of such significant change(s) and/or adverse developments
immediately. 3.6 In the event that such test(s) on the BCM in relation to the
Services are reasonably required by Citi Malaysia in connection with the testing
of its own business continuity plan, Supplier shall co-operate fully with Citi
Malaysia to ensure that such test(s) are carried out as soon as reasonably
practicable and accurately in accordance with Citi Malaysia’s reasonable
requirements. 3.7 Supplier shall allow Citi Malaysia’s internal auditors or
other independent party appointed by Citi Malaysia to review the BCM of
Supplier. 3.8 The BCP and DRP should include, at least:- 3.8.1 Procedures to be
followed in response to a major disruption to business operations. The
procedures should enable the institution to respond swiftly to a crisis
situation, recover and resume the critical business functions, resources and
infrastructure outlined in the BCP within the stipulated timeframe. 3.8.2
Escalation, declaration and notification procedures including a call tree and
contact list. 3.8.3 The conditions for BCP activation and the individual who has
the authority to declare a disaster and grant permission to execute the recovery
processes. 3.8.4 A list of all resources required to recover the critical
business functions in the face of a major disruption including but not limited
to key recovery personnel, computer hardware and software, office equipment and
relevant documentation. 3.8.5 Relevant information about the alternate and
recovery sites. 3.8.6 Procedures for restoring normal business operations, which
should include the orderly entry of all business transactions and records into
the relevant information technology systems and the completion of all
verification and reconciliation procedures. 3.9 “Business Continuity Management”
or “BCM” means a whole-of-business approach that includes policies, standards
and procedures for ensuring that specified operations can be maintained or
recovered in a timely fashion in the event of a disruption. Its purpose is to
minimize the operational, financial, legal, reputational and
other material consequences arising from a disruption. BCP and DRP are the key
components of BCM. 3.10 “Business Continuity Plan” or “BCP” means a
comprehensive documented action plan that outlines procedures, processes and
systems necessary to resume or restore the business operation of an institution
in the event of a disruption. 3.11 “Disaster Recovery Plan” or “DRP” means a
comprehensive written plan of action that sets out the procedures and
establishes the processes for information technology systems and requirements
that are necessary to support and restore the business operation of an
institution in the event of a disruption. 4 Monitoring and Control Supplier
agrees to (i) meet with Citi Malaysia at any time and from time to time upon
prior written notice being given to Supplier at the reasonable request of Citi
Malaysia to review all aspects of the Services provided by Supplier pursuant to
the relevant Work Order and/or other matters of mutual interest to Supplier and
Citi Malaysia, and (ii) adopt any recommendations and/or measures reasonably
proposed by Citi Malaysia to ensure, inter alia, compliance with legal and
regulatory obligations. 5 Assignment and Sub-Contracting 5.1 Supplier shall not
assign, outsource or subcontract any or all of its obligations or
responsibilities set forth in the relevant Work Order to any third parties
without the prior written consent of Citi Malaysia, and for the avoidance of
doubt, the term “third parties” includes Supplier Affiliates, agents,
consultants, contract non-employee workers, contractors, sub-contractors, third
party hires and third party vendors. 5.2 To the extent that Supplier is so
permitted to assign, outsource or subcontract any of its obligations set forth
in the relevant Work Order, Supplier shall procure the compliance by all
assignees/outsourcees/sub-contractors with the provisions of the Work Order and
this Malaysia Law Requirements Schedule relating to the performance of such
obligations (including, without limitation, provisions relating to security and
confidentiality, assignment and sub-contracting, transition services, audit and
inspection and business continuity management). 5.3 Where Citi Malaysia has
consented to Supplier assigning, outsourcing or subcontracting any or all of its
obligations set forth in the relevant Work Order to a third party, Citi Malaysia
may require Supplier to, and Supplier shall (if so required by Citi Malaysia),
provide to Citi Malaysia written notification of any variation or termination of
the agreement between Supplier and that third party. If so requested by Citi
Malaysia, the written notification shall be provided to Citi Malaysia within
three (3) days of the variation or termination, or within any longer period of
time as Citi Malaysia may allow. 6 Right of Audit 6.1 Subject to Clause 7
(Examinations, Review and Audits) of this Malaysia Law Requirements Schedule,
Supplier will allow Citi Malaysia’s and an Affiliate’s internal or external
auditors (i) to inspect, examine and audit Supplier’s operations and records
insofar as they are relevant to the Services provided by Supplier, and (ii) to
obtain copies of any report and finding made on Supplier in conjunction with the
Services performed, directly or indirectly, for Citi Malaysia. Supplier shall
cooperate with Citi Malaysia’s and an Affiliate’s internal and external auditors
to ensure a prompt and accurate audit.
6.2 Subject to Clause 7 (Examinations, Review and Audits) of this Malaysia Law
Requirements Schedule, Supplier will allow (with reasonable prior notice from
Citi Malaysia) the Office of the Comptroller of the Currency (“OCC”), the
Federal Reserve Board (“FED”), the Labuan Financial Services Authority (“LFSA”),
Bank Negara Malaysia (“BNM”), the Securities Commission of Malaysia (“SC”) and
any other authority having jurisdiction over Citi Malaysia or an Affiliate (the
OCC, FED, LFSA, BNM, SC and any other authority having jurisdiction over Citi
Malaysia or an Affiliate shall hereinafter be referred to as “Regulator”) or any
agent appointed by any Regulator, to inspect, examine and audit Supplier’s
operations and records insofar as they are relevant to the Services including
but not limited to (i) records and documents relating to transactions, (ii)
reports and findings made on Supplier in conjunction with the Services, and
(iii) the internal controls adopted by Supplier with respect to preservation of
the confidentiality of data generally and Citi Malaysia’s or an Affiliate’s
Confidential Information specifically (where applicable). Supplier will ensure
that these requirements are made part of its arrangements with any party
Supplier may engage in the outsourcing (if applicable), including any disaster
recovery and backup service providers. 6.3 Supplier confirms that, other than as
provided in Clause 7 of this Malaysia Law Requirements Schedule, no
governmental, regulatory, statutory or other approvals are required by it in
respect of the inspection, examination and audit referred to in paragraphs 6.1
and 6.2 above. 6.4 Supplier will give due consideration to the findings and
recommendations of any Regulator and those of the internal or external auditors
of Citi Malaysia or an Affiliate. The parties shall discuss, in good faith, the
feasibility of implementing said findings and recommendations, as well as the
assignment of costs in connection therewith. If Supplier elects not to comply
with the findings and recommendations, Citi Malaysia or an Affiliate shall be
entitled to terminate the relevant Work Order or any part thereof without
penalty by giving Supplier sixty (60) days (or such other period as may be
decided by Citi Malaysia) prior written notice. During the notice period,
Supplier shall not be compelled to comply with the findings and recommendations.
6.5 Supplier shall notify Citi Malaysia if any Regulator or other person seeks
access to Citi Malaysia Information or if a situation arises where the rights of
access of Citi Malaysia, an Affiliate, Citi Malaysia’s or an Affiliate’s
internal or external auditors or any Regulator is restricted or denied. 7
Examinations, Review and Audits As an examination, review or audit of the books,
accounts or transactions of Citi Malaysia may require the approval of Citi
Malaysia’s or an Affiliate’s Regulator, any such examination, review or audit
must be first approved by Citi Malaysia. 8 Malaysia’s Export Control laws
Supplier shall execute the Letter of Assurance attached hereto as Appendix B if
requested by Citi Malaysia or an Affiliate(s). 9 Transition Services Commencing
upon notice to Supplier of expiration or termination of the relevant Work Order
for any reason whatsoever (including a breach by either party) and continuing
for up to twelve (12) months (or such longer period as may be required by Citi
Malaysia) from the effective date
of expiration or termination, Supplier will provide to Citi Malaysia or an
Affiliate such information, cooperation and reasonable termination assistance
(“Transition Services”) requested by Citi Malaysia or an Affiliate to allow for
the provision of services without interruption or adverse effect and to
facilitate the orderly transfer of the subject matter of the relevant Work Order
as desired by Citi Malaysia or an Affiliate. If requested by Citi Malaysia or an
Affiliate, Supplier will reasonably cooperate with a third party in connection
with the preparation and implementation of a transition plan by such third party
or Citi Malaysia or an Affiliate upon the termination or expiration of the
relevant Work Order and Supplier shall promptly furnish Citi Malaysia, an
Affiliate or Citi Malaysia’s or an Affiliate’s designee with any documents,
records, information, proprietary data (and related records and files) and
materials of Citi Malaysia in the possession, power or control of Supplier or
Supplier Affiliate or Supplier Personnel and all Work Product (in its current
condition), which are required to facilitate the orderly transfer of the subject
matter of the relevant Work Order as desired by Citi Malaysia or an Affiliate.
Citi Malaysia or an Affiliate shall pay Supplier promptly the applicable fees
(as agreed between the parties prior to the commencement of the Transition
Services pursuant to this Clause 9 of this Malaysia Law Requirements Schedule)
or the reasonable value for the said services properly performed by Supplier.
Appendix A • Section 133 of the Financial Services Act 2013 of Malaysia •
Section 178 of the Labuan Financial Services and Securities Act 2010 of Malaysia
• Section 43 of the Securities Industry (Central Depositories) Act 1991 of
Malaysia Appendix A (MY_201307).doc Appendix B Customer/Vendor Letter of
Assurance / End User Certification for the purposes of the Strategic Trade Act
2010 STA Certification (revised_23102015).doc

SCHEDULE K — NEW ZEALAND LAW REQUIREMENTS (Version 2 — 18 January 2017) A.
REGULATOR REQUESTS FOR INFORMATION Where Citi is supervised by a banking
regulator such as the Reserve Bank of New Zealand or the Financial Markets
Authority (both a “Regulator”) the Regulator may require information from Citi
or the Supplier about the Services, the Supplier or the Agreement. Subject to
applicable law or authority in the country in which it is based, the Supplier
will give the Regulator any information relating to the Agreement as soon as
possible after Citi or the Regulator asks the Supplier to do so. Unless
prohibited by relevant law or legal authority, the Supplier will promptly inform
Citi as soon as practicable after a Regulator asks the Supplier to provide
information under this Section. The Supplier will permit the Regulator to
conduct any on-site visit of the Supplier’s premises that is necessary to the
Regulator’s role as supervisor of Citi. If a Regulator notifies Citi of its
intention to conduct an on-site visit of the Supplier’s premises, Citi will
promptly notify the Supplier. Where a Regulator conducts an on-site visit of the
Supplier’s premises, the Supplier must not disclose or advertise that the
Regulator has conducted such a visit without the prior written consent of Citi.
The Supplier will use its best endeavours to satisfy the Regulator about any
questions or concerns it may raise about the Services. The Supplier agrees that
the existence of, and any information relating to, any investigation, question
or concern raised by a Regulator about the services provided by the Supplier to
Citi or in relation to Citi, is Confidential Information. B. PRIVACY The Privacy
Act (1993) of New Zealand as amended from time to time (“Privacy Act”) applies
to the handling of all personal information collected or held by government
agencies and most businesses. Coverage of the private sector includes sole
traders, major New Zealand-owned businesses and the local arms of overseas-owned
businesses. The legislation identifies ‘personal information’ as information
about an identifiable living person, irrespective of whether it is on a computer
or a paper file. All references to ‘personal information’ in this Schedule shall
be read as references to ‘personal information’ as defined in the Privacy Act.
The parties acknowledge and agree that: (a) each party to this Agreement
that is resident in New Zealand (each, a “New Zealand Entity”) must: (i) comply
with all applicable privacy laws, including the Privacy Act and any privacy
principles prescribed thereunder (“Privacy Laws”); and (ii) ensure that personal
information held, transferred or otherwise disclosed in connection with this
Agreement does not breach any Privacy Laws; (b) each New Zealand Entity shall be
responsible to obtain express or implied consent that the personal information
can be used for (i) the transaction to which it relates; or (ii) those other
purposes disclosed by the New Zealand Entity (“Purpose”); (c) where any party to
this Agreement that is not resident in New Zealand (each, a “Non-New Zealand
Entity”) holds personal information (i) solely as agent for the New Zealand
Entity, or (ii) for the sole purpose of safe custody, or (iii) for the sole
purpose of processing information on behalf of the New Zealand Entity, that
Non-New Zealand Entity must comply with the following conditions with respect to
personal information disclosed to it by the New Zealand Entity:
A. the Non-New Zealand Entity must ensure that the personal information is
protected against (i) loss, (ii) unauthorised access, use, modification or
disclosure, or (iii) other misuse, by implementing such security safeguards in
respect of the personal information as is reasonable in the circumstances; B.
the Non-New Zealand Entity must hold the personal information in such a way
that it can readily be retrieved in the event that the New Zealand Entity (or
the individual concerned) wishes to access or correct the personal information;
C. the Non-New Zealand Entity must not keep the personal information for longer
than is required for the Purpose; D. the personal information must only be used
for the Purpose; and E. the personal information must not be disclosed to any
other person or body by the Non-New Zealand Entity unless the Non-New Zealand
Entity believes on reasonable grounds that: I. the disclosure of the personal
information is one of the Purpose for which the information was obtained or is
directly related to the Purpose; or II. the source of the personal information
is a publicly available publication; or III. the disclosure is to the individual
concerned or authorised by the individual concerned; or IV. the disclosure is
necessary: (i) to avoid prejudice to the maintenance of the law by any public
sector agency, including the prevention, detection, investigation, prosecution,
and punishment of offences, or (ii) for the enforcement of a law imposing a
pecuniary penalty, or (iii) for the protection of the public revenue, or (iv)
for the conduct of proceedings before any court or tribunal (being proceedings
that have been commenced or are reasonably in contemplation); or V. the
disclosure is necessary to prevent or lessen a serious threat to public health
or public safety or the life or health of the individual concerned or another
individual; or VI. the disclosure is necessary to facilitate the sale or other
disposition of a business as a going concern; or VII. the information is to be
used in a form in which the individual is not identified or is to be used for
statistical or research purposes and will not be published in a form that could
reasonably be expected to identify the individual concerned; or VIII. the
disclosure has been authorized by the New Zealand Privacy Commissioner under
section 54 of the Privacy Act; in all other circumstances, each Non-New Zealand
Entity must hold personal information disclosed to it by the New Zealand Entity
in the manner prescribed by the laws of the country in which it holds the
personal information; and (d) if a Non-New Zealand Entity becomes aware of a
breach of paragraph (c) above, that Non-New Zealand Entity shall promptly advise
the New Zealand Entity of such breach. C. UNSOLICITED ELECTRONIC MESSAGES ACT
(2007) The Unsolicited Electronic Messages Act (2007) applies to prohibit
unsolicited commercial electronic messages with a New Zealand link from being
sent. It requires the recipient to have consented (actual or implied) to
receiving the electronic message and the electronic messages to include accurate
information about the person who authorised the sending of the message and a
functional unsubscribe facility in order to enable the recipient to instruct the
sender that no further messages are
to be sent to the recipient. The Supplier must take all reasonable steps to
ensure that its employees, agents and subcontractors comply with that Act.

SCHEDULE L — PHILIPPINES LAW REQUIREMENTS (Version 2 — 30 April 2015) [NOTE:
With the recent changes to data privacy regulations in the Philippines, a
further update to this schedule is expected within the first half of 2017. In
the interim and pending changes to this schedule, this version represents the
current laws and regulations for the Philippines.] Philippine Legal Vehicles
(the “Phil LVs”) shall include:- (1) CITIBANK, N.A., PHILIPPINE BRANCH (2)
CITICORP FINANCIAL SERVICES AND INSURANCE BROKERAGE PHILIPPINES, INC. (3)
CITICORP CAPITAL PHILIPPINES, INC. (4) CITIGROUP BUSINESS PROCESS SOLUTIONS PTE
LTD. FORMERLY KNOWN AS CRESCENT SERVICES (PHILIPPINES) PTE. LTD. (5) CITIBANK
N.A., REGIONAL OPERATING HEADQUARTERS 1.1.1 Supplier hereby acknowledges that it
is aware of and understands the effect of, and agrees and undertakes to, observe
the Philippine bank secrecy laws as well as such other applicable legal or
regulatory restrictions, as described in Appendix I hereto (collectively
referred to herein as the “Philippine Laws and Regulations”) in connection with
the provision of the Services pursuant to the Agreement, and further agrees and
undertakes that it will not do anything which will cause the Phil LVs or any of
its customers or affiliates to violate any provision of the Philippine Laws and
Regulations or otherwise be guilty of an offense thereunder. Supplier further
undertakes to procure that its Personnel shall observe the Philippine Laws and
Regulations. Supplier undertakes that it, together with its Personnel, shall be
liable with the Phil LVs should the disclosure of information by Supplier and
its Personnel result in a violation by the Phil LVs of the Philippine Laws and
Regulations. 1.1.2 Subject to clauses 1.1.8 and 1.1.9 below, if Supplier hires
another person to assist it in the performance of the Services, or assigns or
sub-contracts any portion of its rights or responsibilities or obligations to
another person, Supplier shall cause the vendor, assignee, sub-contractor or
delegate to be bound to retain the confidentiality of the information and comply
with all other provisions of the Agreement. Supplier shall ensure that each and
every vendor, assignee, subcontractor or delegate will execute the
Confidentiality Undertaking set out in Appendix II hereto, and submit a copy of
the same to the Phil LVs upon request. 1.1.3 The parties agree that any
unauthorized use or disclosure of information by Supplier may cause immediate
and irreparable harm to the Phil LVs for which money damages may not constitute
an adequate remedy. In such event, the parties agree that the Phil LVs may seek
injunctive relief as appropriate. 1.1.4 Supplier agrees and undertakes, and
shall procure all its Personnel, to segregate each of the Phil LV’s data from its
own data and data of any other entity. 1.1.5 Supplier shall permit the auditors
and regulators of the Phil LVs, during normal business hours upon reasonable
advance notice, to conduct an examination of Supplier’s business and operations
in relation to the Services under the Agreement, and shall provide access to
information as may be requested by the Phil LVs. Supplier shall give due
consideration to the implementation of the recommendations of Citi or its
auditors or regulations for enhancing
Supplier’s critical processes. Supplier shall further procure its Personnel to
comply with and satisfy the findings and recommendations of the regulators and
those of the internal and/or external auditors of Citi and/or Supplier. The
parties shall discuss, in good faith, the manner in which the said findings and
recommendations of the regulators and internal and/or external auditors shall be
implemented, as well as the assignment of costs in connection therewith. If it
is not possible or commercially expedient for Supplier to comply with the
findings and recommendations or the parties fail to agree on the implementation
of such recommendations, either party shall be entitled to terminate the
Agreement by giving the other party sixty (60) days prior written notice. During
the notice period, Supplier shall not be compelled to comply with the findings
and recommendations. 1.1.6 The Phil LVs shall at all times retain the ownership
of all master and transaction data files containing Confidential Information of
the Phil LVs. 1.1.7 Supplier shall maintain, at its sole expense, throughout the
performance of its obligations, the following insurance coverage satisfactory to
the Phil LVs: (a) fidelity insurance coverage for losses incurred as a result of
dishonesty, fraud or misconduct on the part of its Personnel; (b) fire insurance
providing coverage against loss or damage of the Phil LV’s data and equipment
due to fire; and (c) such other insurance policies as is customary for similar
service providers. None of the requirements contained herein as to types and
approval of insurance coverage to be maintained by Supplier are intended to and
shall not in any manner limit the liabilities and obligations assumed by
Supplier under the Agreement. 1.1.8 Supplier acknowledges that subcontractors,
third party hires, secondees or vendors shall not be given access to
Confidential Information until the use of such subcontractors, secondees and
third party hires and vendors has been approved by the Phil LVs. 1.1.9 The
parties acknowledge that assignment and outsourcing arrangements that require
the consent of the Phil LVs include the use of secondees, temporary staff and
any other third party hire. Upon receipt of a request from Supplier, the Phil
LVs shall review the proposed assignment and outsourcing arrangement and advise
Supplier whether the approval of, or notification to, the outsourcing governance
committee, the BSP or any relevant regulator is required for such arrangement.
Until such approval is obtained or notification is given, Supplier shall not
enter into or implement such assignment or outsourcing arrangement for Services
to the Phil LVs. 1.2.0 Supplier acknowledges that any variation to the Agreement
may require the approval of, or notification to, the outsourcing governance
committee, the BSP or any relevant regulator. Supplier shall promptly advise the
Phil LVs of any proposed amendment so that the Phil LVs may take the appropriate
action. 1.2.1 Supplier confirms that it has business continuity contingency
plans and procedures (“COB Plan”) in place which have been properly tested, and
shall provide said COB Plan to the Phil LVs upon request.

Appendix I — PHILIPPINE LAWS AND REGULATIONS — PHILIPPINE BANK SECRECY LAWS
Philippine Law and Regs (for LCA)_Marcl Appendix II — CONFIDENTIALITY AND
SECRECY UNDERTAKING Schedule B_Confi Undertaking for Supp

SCHEDULE M — SINGAPORE LAW REQUIREMENTS (Version 6.0 — revalidated 23 January
2017) 1. DEFINITIONS For the purposes of this Schedule / Local Country Addendum
and its Appendices, the following terms shall have the following meanings:- (1)
“Citi S’pore” shall refer to Citi and any Citi Affiliate in Singapore (each
“Citi S’pore”); (2) “Citi S’pore Information” shall include all tangible or
intangible information and materials, in any form or medium (and without regard
to whether the information is owned by Citi S’pore or by a third party), that is
furnished or disclosed to the Supplier by Citi S’pore or which is collected by
the Supplier for or on behalf of Citi S’pore as part of providing the Services
or any Deliverable (including Customer Information, Protected Information and
Personal Information); (3) “Customer Information” shall be as defined in
Appendix I; (4) “Permitted Purpose” means any Use relating to or in connection
with the particular project described on a Work Order, as permitted by Citi
S’pore in writing; (5) “Protected Information” shall be as defined in Appendix
IV; (6) “Regulator” shall include the Personal Data Protection Commission of
Singapore; (7) “third parties” includes affiliates, agents, consultants,
contract non-employee workers, contractors, sub-contractors, third party hires
of the Supplier; (8) “Use” means collection, processing, disclosure or other
use; (9) “Personal Information” shall have the same meaning as “Personal Data”,
and (if neither term is defined in the Agreement) shall mean any information
that relates to a person and that could be used, either directly or indirectly,
to identify such person, whether a natural person or a legal entity; and (10)
“Work Order” shall include “Purchase Order” or “Statement of Work”. 2.
CONFIDENTIAL INFORMATION (INCLUDING PERSONAL INFORMATION) 2.1 Notwithstanding
anything to the contrary and subject to the provisions in this Schedule / Local
Country Addendum, the Supplier (i) shall not, without Citi S’pore’s prior
written consent, disclose Citi S’pore Information (including Customer
Information, Protected Information and Personal Information) provided pursuant
to any Work Order in any manner except as expressly authorized by the Agreement
and Work Order, and (ii) shall treat information with at least the same degree
of care that it treats its own confidential information, but in no event with
less than a reasonable degree of care. The Supplier undertakes to Use Citi
S’pore Information solely for the Permitted Purpose and in accordance with all
of Citi S’pore’s further instructions relating to such Use which Citi S’pore may
issue from time to time (including instructions to completely cease Use of any
specific Citi S’pore Information), and shall not retain any Personal Information
comprised in the Citi S’pore Information longer than is necessary to Use the
Citi S’pore information for the Permitted Purposes (unless mandatorily required
by Applicable Law).
2.2 Notwithstanding anything stated to the contrary, all Citi S’pore Information
disclosed to the Supplier shall remain the property of Citi S’pore. 2.3 The
Supplier shall at all times be capable of logically or physically segregating,
clearly identifying and protecting all Citi S’pore Information, documents,
records and assets that are processed by and/or stored with the Supplier
pursuant to the Agreement and Work Order. The Supplier shall take all necessary
technical, personnel and organizational measures in order to: 2.3.1 maintain the
confidentiality of Citi S’pore Information between its various customers; and
2.3.2 prevent unauthorised access, collection, use, disclosure, copying,
modification, disposal or similar issues. 2.4 If the Supplier is directed by
court order, subpoena or other legal or administrative proceeding, regulatory or
supervisory agency’s request or similar process to disclose any Citi S’pore
Information, the Supplier shall notify Citi S’pore in writing (unless it has a
legal obligation to the contrary), with a copy of such document attached, in
sufficient detail immediately upon receipt of such court order, subpoena, legal
or administrative, regulatory or supervisory agency’s request or similar
process, in order to permit application by Citi S’pore for an appropriate
protective order. 2.5 The Supplier shall: 2.5.1 notify Citi S’pore if any
overseas regulator or authority were to seek access to Citi S’pore Information
or if a situation were to arise where the rights of access of Citi S’pore or
Monetary Authority of Singapore (“MAS”) as set out in this Schedule have been
restricted or denied; 2.5.2 attend to whatever queries MAS may have and
cooperate with MAS in supervising the outsourcing risks to Citi S’pore,
including complying, as soon as possible, with any request from MAS or Citi
S’pore for the Supplier or its sub-contractors to submit any reports on the
security or control environment of the Supplier or its sub-contractors in
relation to the Services; and 2.5.3 as soon as it becomes aware of any breach or
potential breach of security relating to Citi S’pore Information, any
unauthorised Use or loss of Citi S’pore Information, or any breach of its
obligations relating to Citi S’pore Information, in addition to its obligations
in this regard under the Agreement: (i) in the case of unauthorised Use of Citi
S’pore Information, take reasonable measures, including legal proceedings, to
restrain or prevent such unauthorised Use; and (ii) use all reasonable endeavours
to prevent a recurrence of the same. 2.6 Where required by Citi S’pore in
respect of Citi S’pore Information which is Personal Information, Supplier shall
provide Citi S’pore with full details of its internal procedures and processes
with regards to its Use of Personal Information (“Data Protection Processes”)
and will work with Citi S’pore within the agreed timescales to prepare and agree
in writing (amending its current procedures as required), a method for ensuring
its procedures comply with Citi S’pore’s requirements as notified to Supplier.
If at any time the Supplier changes any of its Data Protection Processes
affecting the Agreement and/or Work Order as agreed with Citi S’pore pursuant to
this sub-clause, it will promptly notify Citi S’pore in writing of such changes
and refrain from implementing and using any such changes unless and until agreed
by Citi S’pore. 2.7 The Supplier shall not transfer, whether within or out of
its country, any Personal Information comprised in the Citi S’pore Information
without the prior written consent of Citi S’pore. If given, the Supplier shall
provide an adequate level of protection to any such Personal
Information transferred in accordance with relevant Citi S’pore policies and
all reasonable instructions of Citi S’pore. 2.8 Where the Supplier provides
Services to or deals with a Citi S’pore entity that is subject to the Banking
Act, including without limitation, Citibank N.A. Singapore Branch, Citibank
Singapore Limited and Citicorp Investment Bank (Singapore) Limited, the
following provisions shall apply:- 2.8.1 The Supplier hereby acknowledges
receipt of a written notice from Citi S’pore highlighting Citi S’pore’s
obligations of confidentiality under the Singapore Banking Act and the Banking
Regulations. The written notice is attached hereto as Appendix I. 2.8.2 The
Supplier agrees to execute the Confidentiality and Secrecy Undertaking in the
form specified in Appendix II and the Supplier hereby acknowledges that it is
aware of and understands the effect of, and agrees and undertakes to, and to
procure all its employees, servants, agents, representatives and Personnel to
observe all precautionary measures and prevent disclosure of information that
will cause Citi S’pore or any of its Affiliates to violate its statutory duty
pursuant to Section 47 of the Banking Act and similar provisions in the Banking
Regulations not to disclose any information relating to, or any particulars of,
an account of a customer of Citi S’pore, whether the account is in respect of a
loan, investment or any other type of transaction or deposit information to any
person except as expressly provided in the Banking Act and Banking Regulations.
2.8.3 The Supplier further agrees and undertakes that it will not, and will
covenant all employees, servants, agents, representatives and Personnel not to
do anything which will cause Citi S’pore or its Affiliates to violate any
provision of Section 47 or otherwise be guilty of an offence thereunder. 2.8.4
The Supplier shall procure the execution of the Confidentiality and Secrecy
Undertaking in the form specified in Appendix III by each of the Supplier’s
Personnel appointed or to be appointed in connection with Work Order and/or to
perform the Services or part thereof for and on behalf of Supplier. 2.8.5 The
Supplier and its employees shall not without Citi S’pore’s prior written consent
further disclose Customer Information (as defined in the Singapore Banking Act)
to any third parties unless required to do so by law. For the avoidance of
doubt, the Supplier’s Affiliate (other than one approved by Citi S’pore to
provide the Services) shall be considered a third party for the purposes of this
clause. 2.9 Where the Supplier provides Services to or deals with a Citi S’pore
entity that is subject to the Trust Companies Act, including without limitation,
CitiTrust (Singapore) Limited and Citicorp Trustee (Singapore) Limited, the
following provisions shall apply:- 2.9.1 The Supplier hereby acknowledges
receipt of a written notice from Citi S’pore highlighting Citi S’pore’s
obligations of confidentiality under the Singapore Trust Companies Act, (Cap.
336) (the “Act”). The written notice is attached hereto as Appendix IV. 2.9.2
The Supplier agrees to execute the Confidentiality and Secrecy Undertaking in
the form specified in Appendix II. The Supplier hereby acknowledges that it is
aware of and understands the effect of, and agrees and undertakes to, and to
procure all its employees, servants, agents, representatives and Personnel to
observe all precautionary measures and prevent disclosure of information that
will cause Citi S’pore or any of its Affiliates to violate its statutory duty
pursuant to Section 49 of the Act not to disclose any Protected Information
except as expressly provided in the Act. 2.9.3 The Supplier shall procure the
execution of the Confidentiality and Secrecy Undertaking in the form specified
in Appendix III by each of the Supplier’s Personnel
appointed or to be appointed in connection with Work Order and/or to perform
the Services or part thereof for and on behalf of Supplier. 2.9.4 The Supplier
and its employees shall not, without Citi S’pore’s prior written consent,
further disclose Protected Information to any third parties unless required to
do so by law. The Supplier further agrees and undertakes that it will not, and
will covenant all employees, servants, agents and representatives not to do
anything which will cause Citi S’pore or any of its Affiliates to violate any
provision of Section 49 or otherwise be guilty of an offence thereunder. For the
avoidance of doubt, the Supplier’s Affiliate (other than one approved by Citi
S’pore to provide the Services) shall be considered a third party for the
purposes of this clause. 2.10 Where the Supplier provides Services to or deals
with a Citi S’pore entity that is subject to the Securities & Futures Act or the
Financial Advisors Act (such as Citigroup Global Markets Singapore Pte Limited
and Citigroup Global Markets Securities Singapore Pte Limited), the following
provisions shall apply:- 2.10.1 The Supplier hereby acknowledges that it is
aware and understands Citi S’pore is a capital markets services licence holder
and is subject to statutory confidentiality obligations under the Securities and
Futures Act and the Financial Advisors Act. The Supplier agrees and undertakes
to, and to procure all its employees, servants, agents and representatives to
observe all precautionary measures and prevent disclosure of information that
will cause Citi S’pore to violate its statutory duty pursuant to not to disclose
any information relating to, or any particulars of, an account of a customer of
Citi S’pore. 2.10.2 The Service Provider further agrees and undertakes that it
will not, and will covenant all employees, servants, agents and representatives
not to do anything which will cause the Customer or any of its customers or
affiliates to violate its statutory confidentiality obligations or otherwise be
guilty of an offence thereunder. 2.10.3 The Supplier and its employees shall not
without the Citi S’pore’s prior written consent further disclose customer
information to any third parties unless required to do so by law. 2.11 Where the
Supplier collects any Citi S’pore Information from Citi Personnel or any third
party, it shall limit the collection of such Citi S’pore Information to the
Permitted Purposes or purposes ancillary or incidental to the Permitted
Purposes, and only carry out such collection after notifying or obtaining the
consent of the individual (“Subject Individuals”) in such manner as Citi S’pore
may prescribe or otherwise consistent with any Data Protection Processes where
relevant. 2.12 To the extent that the Supplier receives, from an individual (or
a person/entity acting on the individual’s behalf), a request, complaint or
other third party communication which is in any way related to Citi Singapore
Information, it will notify Citi S’pore of such request, complaint or other
communication promptly and provide Citi S’pore with its full co-operation and
assistance, including by: (i) providing Citi S’pore with full details of the
request, complaint or other communication; (ii) if required, assisting Citi to
comply with the individual’s access request within the relevant timescales set
out by Citi and in accordance with Citi S’pore’s instructions; (iii) providing
Citi S’pore with all Personal Information it holds in relation to the relevant
individual within the timescales required by Citi S’pore; and (iv) providing
Citi S’pore with any other information reasonably requested by Citi S’pore in
connection thereto. 3 BUSINESS CONTINUITY MANAGEMENT 3.1 The Supplier
represents, warrants and covenants that it has in place satisfactory business
continuity plans (“BCP”), evidencing how the Supplier shall, under exceptional
circumstances, be in a position to perform its obligations under the Agreement,
including but not limited to continuity of service, disaster (whether natural or
man-made) recovery plans that minimize the
probability and impact of interruption to Citi S’pore’s business including
recovery time objectives, recovery point objectives and resumption operating
capacities, back up processing, protecting program and data files and equipment
for the orderly and expeditious provision of the Services. The Supplier will
provide Citi S’pore with all required information in relation to the BCP,
including any alternative locations or sites established by the Supplier for
such purposes. The Supplier further represents and warrants that the BCP shall
be in place for the entire term of the Agreement. 3.2 The Supplier shall test
the BCP in relation to the Services and all facilities used by it in connection
with the BCP on a regular basis and notify Citi S’pore of any test finding that
may affect the Supplier’s performance. Where requested, Supplier shall also
allow Citi S’pore to participate in and jointly test Supplier’s BCP and disaster
recovery exercises. The Supplier will ensure that all relevant personnel receive
regular training in activating the BCP and executing recovery procedures. If the
Supplier makes any substantial change(s) to the BCP or there are any adverse
developments that may substantially impact the Services, it shall notify Citi
S’pore in writing and provide a full description of such significant change(s)
and/or adverse developments immediately. 3.3 In the event that such test(s) on
the BCP in relation to the Services are reasonably required by Citi S’pore in
connection with the testing of its own business continuity plan, the Supplier
shall co-operate fully with Citi S’pore to ensure that such test(s) are carried
out as soon as reasonably practicable and accurately in accordance with Citi
S’pore’s reasonable requirements. 3.4 The Supplier shall at all times be capable
of logically or physically segregating, clearly identifying and protecting all Citi
S’pore Information, documents, records and assets such that in adverse
conditions, all such information, documents, records of transactions and
information given to the Supplier, and assets of Citi S’pore, can be either
promptly removed from the possession of the Supplier in order to continue its
business operations, or deleted, destroyed or rendered unusable. 4 INSPECTION AND
RIGHT TO AUDIT 4.1 The Supplier agrees that the services it performs for a
branch of a U.S. bank in Singapore are subject to examination of the Office of
the Comptroller of the Currency (“OCC”) and MAS. The Supplier shall, and procure
its sub-contractors to: 4.1.1 allow Citi S’pore to obtain copies of any report
and finding made on the Supplier and its sub-contractors in relation to the
Services under the Work Order, whether produced by the Supplier or its
sub-contractors’ internal or external auditors, or by agents appointed by the
Supplier and its sub-contractors; 4.1.2 allow the OCC, the MAS, or any agent
appointed by OCC or MAS, to (i) access and inspect the Supplier and its
sub-contractors, and to obtain records and documents, of transactions, and
information of Citi S’pore given to, stored at or processed by the Supplier and
its sub-contractors; and (ii) access any report and finding made on the Supplier
and its sub-contractors in relation to the Services under the Work Order,
whether produced by the Supplier or its sub-contractors’ internal or external
auditors, or by agents appointed by the Supplier and its sub-contractors; 4.1.3
adopt supervisory actions and additional measures which MAS may require to be
taken by Citi S’pore, depending on the potential impact of the outsourcing on
Citi S’pore and the financial system, or as circumstances warrant; and 4.1.4
adopt appropriate corrective measures, including enforcement actions, imposed by
OCC to address violations of law and regulations or unsafe or unsound banking
practices by Citi S’pore or the Supplier.
4.2 The Supplier shall remove from its possession, delete, destroy or render
unusable Citi S’pore’s information, documents, records and assets as directed by
Citi S’pore, subject always to the legal requirements for the retention of
records in Singapore. The Supplier shall keep complete and accurate records of
all of its work and expenses in providing the Services to Citi S’pore for a
period of seven (7) years from the date from which the record was created. 4.3
The Supplier shall, and shall procure its sub-contractors to, upon reasonable
notice, allow Citi S’pore, its internal or external auditors, agents and/or its
regulators (the “Citi S’pore auditing parties”), the opportunity of inspecting,
examining and auditing Supplier’s and its subcontractors’ operations and
business records which are relevant to the Services provided, including but not
limited to, Supplier’s and its sub-contractors’ critical processes, to confirm
that such processes meet industry standards in such areas of contingency
planning, continuity of business plans, software engineering and test processes,
change control procedures, critical staff succession planning and compliance
with applicable laws and regulations. The Supplier shall, and shall procure its
sub-contractors to, cooperate fully with the Citi S’pore auditing parties to
ensure a prompt and accurate audit. If Citi S’pore provides recommendations for
enhancing the Supplier’s and its sub-contractors’ critical processes, then the
Supplier and its sub-contractors shall give due consideration to implementing
such recommendations. 4.4 The Supplier and its sub-contractors shall also use
its best efforts to correct any practices which are found to be deficient as a
result of any audit within a reasonable time after receipt of the audit report.
5 MONITORING AND CONTROL The Supplier agrees to meet with Citi S’pore at any
time and from time to time upon prior written notice being given to the Supplier
at the reasonable request of Citi S’pore to review all aspects of the Services
provided by the Supplier pursuant to a Work Order and/or other matters of mutual
interest to the Supplier and Citi S’pore and adopt any recommendations and/or
measures reasonably proposed by Citi S’pore to ensure, inter alia, compliance
with legal and regulatory obligations. 6 TERMINATION 6.1 Notwithstanding
anything to the contrary in the Agreement and/or Work Order, Citi S’pore shall have
the right to terminate a Work Order with immediate effect and without penalty by
giving written notice in the event that: 6.1.1 in Citi S’pore’s reasonable
opinion, there has been: (i) a breach of security or confidentiality, including
but not limited to, a failure to safeguard the confidentiality of Citi S’pore
Information; (ii) a situation where the security and confidentiality of Citi
S’pore Information is lowered due to changes in the control environment of the
Supplier; or (iii) a demonstrable deterioration in the ability of the Supplier
to perform the contracted Services; 6.1.2 the Supplier undergoes a change in
ownership; 6.1.3 the Supplier shall (i) commence a voluntary case or other
proceeding seeking liquidation, reorganization or other relief with respect to
itself or its debts under any bankruptcy, insolvency, corporation or other
similar law now or hereafter in effect that
authorizes the reorganization or liquidation of the Supplier or its debt or the
appointment of a trustee, receiver, liquidator, custodian or other similar
official of it or any substantial part of its property, or (ii) consent to any
such relief or to the appointment of or taking possession by any such official
in an involuntary case or other proceeding commenced against it, or (iii) make a
general assignment for the benefit of creditors, or (iv) fail generally to pay
its debts as they become due, or (v) take any corporate action to authorize any
of the foregoing; or 6.1.4 an involuntary case or other proceeding shall be
commenced by persons (that are not bound or affected by the Agreement and/or
Work Order) against the Supplier seeking liquidation, reorganization or other
relief with respect to it or its debts under any bankruptcy, insolvency or other
similar law now or hereafter in effect seeking the appointment of a trustee,
receiver, liquidator, custodian or other similar official of it or any
substantial part of its property, and such involuntary case or other proceeding
shall remain undismissed and unstayed for a period of 60 days; or an order is
entered by a court of competent jurisdiction affecting substantially all of the
property or affairs of the Supplier against which proceedings have been
commenced under bankruptcy, insolvency or other similar laws as now or hereafter
in effect and such order shall remain undismissed and unstayed for a period of
60 days. 6.2 Commencing upon notice to Supplier of termination (or for a
material amendment) of the Work Order and continuing through the effective date
of termination (or amendment), the Supplier will provide to Citi S’pore
reasonable termination (or amendment) assistance requested by Citi S’pore to
allow the use of the Services without interruption or adverse effect and to
facilitate the orderly transfer of the subject matter of the Work Order to a
third party supplier or “bridge-institution13” as desired by Citi S’pore. If
requested by Citi S’pore, the Supplier will reasonably cooperate with the third
party supplier or bridge-institution in connection with the preparation and
implementation of a transition plan by such party. 6.3 Upon termination of the
Agreement and/or Work Order, the Supplier shall allow Citi S’pore to remove from
the Supplier all Citi S’pore Information previously provided to the Supplier
(including without limitation, information incorporated in computer software or
held in electronic storage media, together with any analyses, compilations,
studies, reports or other documents or materials containing any such data,
Customer Information or Protected Information, as are in the possession or
control of the Supplier), and Citi S’pore shall be allowed to delete, destroy or
render unusable by the Supplier all such data, customer information or protected
information previously given. The Supplier shall certify in writing to Citi
S’pore within seven (7) days of the termination of the Agreement and/or Work
Order that it has not retained any such data, Customer Information or Protected
Information in any form whatsoever. 7 ASSIGNMENT AND SUB-CONTRACTING 7.1
Notwithstanding anything to the contrary in the Agreement and/or Work Order, the
Supplier shall not assign, outsource or subcontract any or all of its
obligations set forth in the Agreement and/or Work Order to any third parties
without the prior written consent of Citi S’pore. Supplier’s use of a
sub-contractor pursuant to any consent provided is subject to the condition that
Supplier will ensure that its own agreement with such sub-contractor includes
provisions that permit Citi S’pore and its (or its Affiliates’) regulators,
internal and external auditors and agents to have reasonable access to the books
and records of the subcontractor, as well as the right to perform audits on the
sub-contractor, under the same terms and conditions as described in Section 4
(Inspection and Rights of Audit). 7.2 To the extent that the Supplier is so
permitted by Citi S’pore to assign, outsource or subcontract any of its
obligations set forth in the Agreement and/or Work Order pursuant to the
sub-clause above, the Supplier shall procure the compliance by all
assignees/outsourcees/sub-contractors (and their respective Personnel) with the
provisions of the Agreement, Work Order and this Schedule / Local Country
Addendum relating to the performance of such obligations (including, without
limitation, provisions relating to security and confidentiality, audit and
inspection and business continuity management). Supplier is solely responsible
for all acts and omissions of its sub-contractors, including the performance
and risk management practices of such sub-contractors, as if such acts and
omissions were its own and nothing herein shall be construed to create any
contractual relationship between Citi S’pore and any sub-contractor.

13 As defined in the Monetary Authority of Singapore “Guidelines on Outsourcing”
dated 27 July 2016.

8 SUPPLIER PERSONNEL 8.1 Supplier
shall ensure that all its Personnel involved in the provision of the Services
are assessed to meet and comply with Citi S’pore’s hiring policies and
standards, as made known to Supplier, for the respective services or roles they
are providing or performing. Examples of the relevant assessment criteria,
include but are not limited to: 8.1.1 whether they have been the subject of any
proceedings of a disciplinary or criminal nature; 8.1.2 whether they have been
convicted of any offence (in particular, that associated with a finding or
fraud, misrepresentation or dishonesty); 8.1.3 whether they have accepted civil
liability for fraud or misrepresentation; and 8.1.4 whether they are financially
sound. 9 NOTIFICATION OF ADVERSE DEVELOPMENTS 9.1 Supplier shall immediately
notify Citi S’pore of any adverse developments or changes, including those
affecting its Affiliates or approved assignees/outsourcees/sub-contractors (and
their respective Personnel), that has or could be reasonably expected to have a
material impact on the Supplier’s ability to carry out (or Citi S’pore’s ability
to receive) the Services and/or Deliverables effectively and in accordance with
the provisions of the Agreement and this Schedule. Examples of adverse
developments and changes, include but are not limited to: 9.1.1 any interruption
of Services (including unplanned unavailability of any systems, software or
infrastructure Supplier uses to deliver the Services); 9.1.2 any event that
could potentially lead to prolonged service failure or disruption to the
Services; 9.1.3 any breach of security and confidentiality of Citi S’pore
Information; 9.1.4 any force majeure or other event that would cause Supplier to
invoke business continuity or disaster recovery plans; 9.1.5 any regulatory or
enforcement action taken against Supplier or any failure of Supplier and its
Personnel to comply with this Schedule; 9.1.6 any strategic business change that
could impact Service provision such as a change of control of Supplier; 9.1.7
any proposed change to Supplier’s management or key Personnel; 9.1.8 any
material adverse change in the financial standing of Supplier; 9.1.9 any
proposed implementation of new or revised policies, processes or information
technology; and 9.1.10 any issues identified by Supplier’s internal or external
auditors that may have or has a material adverse impact on the provision of the
Services. 10 CLOUD COMPUTING SERVICES 10.1 Where Supplier has been approved by
Citi S’pore to provide public or private cloud computing services or a portion
of the Services that Supplier has been approved by Citi S’pore to provide
involve the use of public or private cloud architecture, technology or a
multi-tenanted system,
such as Software as a Service (“SaaS”), Platform as a Service (“PaaS”) or
Infrastructure as a Service (“IaaS”), the Supplier shall: 10.1.1 clearly
identify and segregate all Citi S’pore Information using strong physical or
logical controls that have been reviewed and approved by Citi S’pore; 10.1.2
implement robust access controls that have been reviewed and approved by Citi
S’pore to protect all Citi S’pore Information at all times, including but not
limited to, up-to-date authentication, tokenization and data encryption
technology; 10.1.3 not make changes to the approved and contracted service
structure and any security settings without the prior written consent of Citi
S’pore; and 10.1.4 immediately notify Citi S’pore of any breach of security and
confidentiality of Citi S’pore Information. 10.2 The Supplier hereby
acknowledges and agrees that a breach of this section 10 shall entitle Citi
S’pore to terminate the Work Order in accordance with section 6 (Termination).
11. GOVERNING LAW AND JURISDICTION Notwithstanding any term to the contrary in
the Agreement, the governing law and jurisdiction clause as it applies to this
Schedule and Work Orders entered into by Citi S’pore is varied as follows: “The
validity of this Agreement as it applies to the Work Order, the construction and
enforcement of its terms, and the interpretation of the rights and duties of the
parties to the Work Order shall be governed by the laws of Singapore. The
parties to the Work Order submit to the non-exclusive jurisdiction of the courts
of Singapore.” 12. SURVIVAL 12.1 The provisions of this Schedule that, by their
nature and content, must survive the completion, rescission, termination or
expiration in order to achieve their fundamental purpose and effect hereof,
shall so survive the Agreement and Work Order, and continue to bind the
Supplier. 12.2 Without limiting the generality of the foregoing, the following
provisions shall survive: sections 2, 3.4, 6.2, 6.3, 10.1.1, 10.1.2 and 11.

APPENDIX I — BANKING SECRECY UNDER THE SINGAPORE BANKING ACT, (CAP. 19)
APPLICABLE TO CITIBANK N.A., SINGAPORE BRANCH AND CITIBANK SINGAPORE LIMITED AND
THE BANKING REGULATIONS 2001 APPLICABLE TO CITICORP INVESTMENT BANK (SINGAPORE)
LIMITED

APPENDIX II - SINGAPORE LAWS AND REGULATION — CONFIDENTIALITY AND
SECRECY UNDERTAKING (FOR THE SUPPLIER)

APPENDIX III - SINGAPORE LAWS AND REGULATIONS - CONFIDENTIALITY AND SECRECY
UNDERTAKING (for Supplier’s employees/agents/servants/Personnel)

APPENDIX IV - SINGAPORE LAWS AND REGULATIONS — CONFIDENTIALITY UNDER THE TRUST
COMPANIES ACT, CAP. 336 OF SINGAPORE (THE “ACT”) APPLICABLE TO CITITRUST
(SINGAPORE) LIMITED AND CITICORP TRUSTEE (SINGAPORE) LIMITED

SCHEDULE N — SRI LANKA LAW REQUIREMENTS  (Version 3 — 15 February 2017) The Bank
has an obligation under the Common Law to keep the affairs of its customers
confidential. ADDITIONAL CLAUSES REQUIRED TO COMPLY WITH THE LAWS AND
REGULATIONS APPLICABLE IN SRI LANKA. In order to ensure compliance with Part V
of the Banking Act No. 30 of 1988 as amended and Section 29 of the Monetary Law
Act No. 58 of 1949 as amended, the Supplier shall comply with the additional
clauses set out in (1) below :- 1. Audit and Inspection  1.1 The Supplier shall:
1.1.1 maintain such records as may be agreed between Citi and the Supplier
relating to the Services provided by the Supplier under this Agreement. The
Supplier shall procure that any sub-contractor appointed (if applicable and
including any disaster recovery and back-up suppliers) shall also maintain
complete and accurate records of all its work in relation to the Services
sub-contracted to it; 1.1.2 subject to the approval of the applicable regulatory
authorities of the Supplier, allow Citi to conduct audits on the Supplier,
whether by its internal or external auditors, or by agents appointed by Citi;
and to obtain copies of any report and finding made on the Supplier in
conjunction with the Services performed for Citi. The Supplier shall co-operate
with Citi’s internal and external auditors to ensure a prompt and accurate
audit; 1.1.3 subject to the approval of the applicable regulatory authorities of
the Supplier, allow any duly authorised officer or representative of the Central
Bank of Sri Lanka, any competent court of law, or other judicial,
quasi-judicial, statutory, regulatory or supervisory authority or any agent
appointed by any of them, to access the Supplier to obtain records and
documents, of transactions, and information of Citi given to, stored at or
processed by the Supplier, the right to access any report and finding made on
the Supplier and to inspect, examine and audit the Supplier’s operations and
records insofar as they are relevant to the Services provided by the Supplier
under this Agreement, including but not limited to the internal controls adopted
by the Supplier with respect to preservation of the confidentiality of data
generally and Citi’s information specifically (where applicable). The Supplier
should ensure and procure that these requirements are met in its arrangements
with any sub-contractor that the Supplier may engage in the outsourcing (if
applicable), including any disaster recovery and backup suppliers; 1.1.4 adopt
whatever supervisory actions and additional measures which the Central Bank of
Sri Lanka, any competent court of law, or other judicial, quasi-judicial,
statutory, regulatory or supervisory authority or any agent appointed by any of
them may require to be taken by Citi, depending on the potential impact of the
outsourcing on Citi and the financial system, or as circumstances warrant, as
communicated by Citi to the Supplier; 1.1.5 adopt whatever appropriate
corrective measures, including enforcement actions, imposed by the Central Bank
of Sri Lanka, any competent court of law, or other
judicial, quasi-judicial, statutory, regulatory or supervisory authority or any
agent appointed by any of them, to address violations of law and regulations or
unsafe or unsound banking practices by Citi or the Supplier. Citi will
communicate such measures to the Supplier if the request made by the Central
Bank of Sri Lanka or such other party is not addressed to the Supplier; and
1.1.6 provide such information as may be required by Citi in a timely manner in
order that Citi may comply with any requirements imposed on Citi by law, the
Central Bank of Sri Lanka, any competent court of law, or other judicial,
quasi-judicial, statutory, regulatory or supervisory authority. 1.2 The Supplier
agrees that the Services it performs for Citi are subject to examination and
regulation of the Central Bank of Sri Lanka, any competent court of law, or
other judicial, quasi-judicial, statutory, regulatory or supervisory authority
or any agent appointed by any of them. 2. Declarations of Secrecy 2.1 In terms
of Section 77 of the Banking Act No. 30 of 1988, as amended and the Banking Act
Direction No. 02/04/002/005/001 dated 1st December 1999, the Supplier shall
procure its employees, servants, agents, representatives and contractors to
execute a confidentiality undertaking, in form and substance acceptable to Citi
and the Supplier. 3. Special clause/condition in software maintenance agreements
or service agreements with software companies 3.1 In terms of the Banking Act
Direction No. 02/04/002/005/001 dated 1st December 1999 and Banking Act Direction
No 02 of 2012 on the Outsourcing of Business Operations of a Licensed Commercial
Bank and Licensed Specialized Bank, the Supplier shall ensure that where there
are any agreements with third parties (appointed with Citi’s prior written
consent) with regard to any software maintenance or services such agreements
shall include a confidentiality clause substantially similar to the clause set
out below. “The parties agree that all information provided pursuant to this
Agreement by each party to the other party is confidential and proprietary to
the party providing the information and no party shall use any information
provided by the other party for any purpose other than as permitted or required
for performance under this Agreement. Each party agrees not to disclose or
provide any information provided by the other party to any third party (with the
exception of (i) any affiliate or subsidiary, which is bound to retain the
confidentiality of the information; (ii) employees who have a need to know in
the course of receiving or performing the Services pursuant to this Agreement,
as the case may be, and such disclosure shall be to the extent required,
provided that such employees are bound to retain the confidentiality of the
information; (iii) third party vendors as necessary for the Supplier to provide
Services to Citi under this Agreement, provided that such vendors are bound to
retain the confidentiality of the information; and (iv) Citi’s disclosure of
data to its internal and external auditors) without the express written consent
of the other party, and each party agrees to take all reasonable measures,
including, without limitation, measures taken by each party to safeguard its own
confidential information to prevent any such disclosure by employees, agents, or
contractors. In no event shall Citi divulge to any third party the contents in
any invoices/charge documentation that it receives from the Supplier, without
the written consent of the Supplier unless pursuant to any request made by the
Central Bank of Sri Lanka, any competent court of law, or other judicial,
quasi-judicial, statutory, regulatory or supervisory authority or any agent
appointed by any of them or by the Internal or External Auditors of Citi.
Nothing provided herein shall prevent any party from disclosing information to
the extent the information (i) is or hereafter becomes part of the public domain
through no fault of that party; (ii) is received from and furnished to a third
party without similar restriction on disclosure by such third party; (iii) is
independently developed by it; (iv) is required to be disclosed under law or any
applicable regulation, at the order of a court of law, or at the request or
order of any statutory, regulatory or supervisory authority with whom it
customarily complies; or (v) is already known to it. If either party hires
another person to assist it in the performance of this Agreement, or assigns any
portion of its rights or delegates any portion of its responsibilities or
obligations under this Agreement to another person, the assigning or delegating
party shall cause its assignee or delegate to be bound to retain the
confidentiality of the information.” 3.2 The Supplier shall obtain
confidentiality undertakings, in form and substance acceptable to Citi and the
Supplier from such software companies and the employees of such software
companies who are or will be engaged in the provision of the services
contemplated in this Agreement. 4. Form of Undertaking 4.1 Citi confirms that
the Undertaking set out in the Appendix I hereto is sufficient for the purposes
of complying with clauses 2.1 and 3.2. 5. Compliance with Banking Act Directions
No. 2 of 2012 5.1 The Supplier shall do all such things necessary to ensure that
Citi is in compliance with the Banking Act Direction No 02 of 2012 on the
Outsourcing of Business Operations of a Licensed Commercial Bank and Licensed
Specialized Bank, the following in particular: 5.1.1 The Supplier shall have a
satisfactory business continuity plan and conduct regular tests thereon. 5.1.2
The Supplier shall do all such things and provide all such information necessary
to enable Citi to make transaction reports and suspicious transactions reports
to the Financial Intelligence Unit, as provided under the Financial Transactions
Reporting Act No. 6 of 2006. APPENDIX I - UNDERTAKING14 Undertaking  2011.doc 14
Note: for Supplier’s employees, servants, agents, representatives and
contractors to execute.

SCHEDULE O — TAIWAN LAW REQUIREMENTS  (Version 7— 17 January 2017) A. REGULATOR
CONTROL 1. Supplier shall, except to the extent prohibited or restricted by any
law, regulation, or legal authority (including but not limited to any in the
host country of Supplier): (i) adopt, as it relates to the Services,
supervisory actions and additional measures to reasonably assist Citi’s adoption
of necessary measures which the Regulators (including but not limited to Office
of the Comptroller of the Currency, the Financial Supervisory Commission, the
Central Bank of China, and any other Taiwan regulators, collectively referred to
herein as the “Regulators”) may require to be taken by Citi (which may include
obtaining necessary approvals or consents from the regulators of Supplier, if
any, and negotiate and amend the Agreement and/or any contracts between Supplier
and any sub-contractors to incorporate contract clauses mandated by the
Regulators), depending on the potential impact of the outsourcing on Citi and
the financial system, or as circumstances warrant; and (ii) adopt whatever
appropriate corrective measures, including enforcement actions, imposed by the
Regulators to address violations of law and regulations or unsafe or unsound
banking practices of the Supplier and to reasonably facilitate Citi’s adoption
of necessary measures to address violations of law and regulations or unsafe or
unsound banking practices of Citi. (iii) allow the services it performs for
branches of a U.S. bank in Taiwan or any Citi affiliate in Taiwan to be subject
to examination and regulation of the Regulators. (iv) allow Regulators based in
Taiwan (hereinafter referred to as “Taiwan Regulators”) or any agent appointed
by Taiwan Regulators/Citi, to obtain from Supplier, in a timely manner, records
and documents, of transactions, and information of Citi given to, stored at or
processed by Supplier, the right to access any report and finding made on
Supplier and to inspect, examine and audit Supplier’s operations and records
insofar as they are relevant to the Services provided by Supplier under this
Agreement, including but not limited to the internal controls adopted by
Supplier with respect to preservation of the confidentiality of data generally
and Citi information specifically (where applicable). Supplier should ensure and
procure that requirements consistent with the foregoing are met in its
arrangements with any sub-contractor that Supplier may engage in the outsourcing
(if applicable), including any disaster recovery and backup supplier. For the
avoidance of doubt, it is understood that the abovementioned parties will be
granted access only to information of Citi and/or Citi’s customers / employees.
In addition, Citi shall ensure that any agent(s) appointed by Citi who it uses
in connection with this Section to treat any information it receives as
Confidential and, without limiting the foregoing, shall be liable to Supplier
for any breach by such agent(s). (v) allow Citi to obtain copies of any report
and finding made on the Supplier in conjunction with the Service. B.
CONFIDENTIALITY AND SECURITY Further to the confidentiality clause in the
Agreement, if Citi furnished, supplied, disclosed, or made available
Confidential Information (including Confidential Information as defined under
the Agreement and Personal Data defined below) to Supplier in connection with
provision of
the Services (without regard to whether the information is owned by Citi or by a
third party), the following additional terms and conditions shall be applied to
the Parties: 1. “Personal Data” means and includes personal information of a
natural person within the meaning of Article 2 of the Personal Data Protection
Act (“PDPA”, the relevant extract is attached hereto in Appendix I as a
reference). 2. All Confidential Information, documents and records of
transactions provided or generated pursuant to the Agreement, any Work Order or
Statement of Work, shall remain the property of Citi. Supplier shall while the
same is in its possession hold the same for and on behalf of Citi and shall
deliver the same forthwith upon request. The retention period of each
document/record shall follow Citi’s record retention schedule. Supplier’s
obligations under this clause shall continue after the termination of the
Agreement. 3. Any Confidential Information, documents and records of transaction
disclosed by Citi may only be collected, processed, disseminated, reproduced or
used by Supplier for the purpose of providing the Services pursuant to the
Agreement. Notwithstanding any provision in the Agreement, Supplier shall not,
without Citi’s prior written consent and subject to the further requirement of
this section, further disclose the Confidential Information to an unauthorized
third party unless required to do so by law. For the avoidance of doubt,
Supplier’s affiliate or third party service providers (other than those approved
by Citi to provide the Services) shall be considered a third party for the
purpose of this clause. Further, Supplier shall procure each of Supplier’s
personnel appointed or to be appointed in connection with Work Order / Statement
of Work and/or to perform the Services or part thereof for and on behalf of
Supplier to execute the Confidentiality and Secrecy Undertaking in the form
specified in Form 1 attached hereto or other form accepted by Citi. 4. Supplier
shall treat Confidential Information with at least the same degree of care that
it treats its own confidential information, but in no event with less than a
reasonable degree of care, and shall implement and maintain adequate technical,
personnel and organizational and other necessary security measures (“Security
Measures”) that are designed to safeguard the information of the other from
being stolen, altered, damaged, destroyed, disclosed or accessed without
authorisation, misused and misappropriated. These Security Measures shall
include the following:- 4.1 Organizational security measures to ensure Supplier
will disclose the Confidential Information only to those of Supplier’s
authorized personnel who have a need to know such Confidential Information (only
to the extent necessary) in order to fulfill the purposes contemplated by the
Agreement or the Work Order, and set forth internal rules and procedures for use
of and access to the Confidential Information, which is subject to Supplier’s
periodical review; 4.2 Personnel security measures to ensure that Supplier will
(i) educate and train its personnel regarding information security practices and
procedures and any special requirement of Citi and (ii) instruct and supervise
its personnel who uses or has access to the Confidential Information to prohibit
the personnel from committing unauthorized disclosure, access, use and
misappropriation of the Confidential Information; 4.3 Technical security
measures to ensure that Supplier will implement systems or technological
controls to limit access to the Confidential Information and monitor such
access; 4.4 Other security measures to protect Personal Data as required by
Article 8 and 12 of the Enforcement Rules of the PDPA (attached hereto in
Appendix II as a reference) or by Citi to be communicated by Citi to Supplier
from time to time, and thereafter to be summarized/set out in this Clause 4.4
below:
4.4.1 Allocation of management personnel and resources for protection of
Personal Data; 4.4.2 Defining the scope, classification, purpose and retention
period of Personal Data; 4.4.3 Risk assessment and management mechanism for
Personal Data; 4.4.4 Mechanisms for prevention, notification, remediation, and
handling of security incidents; 4.4.5 Internal management procedures for
collection, processing, and use of Personal Data; 4.4.6 Information security
management and personnel management; 4.4.7 Awareness promotion and educational
training; 4.4.8 Management of information security and IT infrastructure; 4.4.9
Mechanisms for information security auditing; 4.4.10 Necessary preservation of
records of use, track log files, and evidence; and 4.4.11 Continuing assessment
on any improvement on security and maintenance of Personal Data. 4.5 Other
reasonable measures necessary to protect the Confidential Information as
communicated by Citi to Supplier from time to time. 5. Supplier shall at all
times be capable of segregating and clearly identifying all of Citi’s
information, documents, records and assets that are processed by and/or stored
with Supplier pursuant to the Agreement. Supplier agrees that the Confidential
Information (in electronic, paper form or other media) shall effectively be
segregated from those of Supplier and those of other institutions (the data of
which is) handled by Supplier. The segregation shall be at least logically
distinct and the access to and use of the Confidential Information shall be
strictly controlled in order to avoid data misuse. For the sake of clarity, in
the event that the Services provided by Supplier to Citi involves multiple legal
entities (meaning other Citi entities within Taiwan, each a “Service Recipient
Entity”), Supplier shall ensure that the data of each Service Recipient Entity
shall be effectively segregated from that of other Service Recipient Entity,
that of Supplier, and/or that of other institutions (the data of which is)
handled by Supplier. 6. Upon occurrence of any security breach, theft, loss,
unauthorized disclosure or use of Confidential Information Supplier received
from Citi (the “Occurrence”), Supplier shall, without delay, take necessary
measures to minimize the damage or loss and notify Citi immediately of the
Occurrence and the following information as applicable: 6.1 the items of the
Confidential Information that are disclosed or stolen; 6.2 the time and details
of the Occurrence; 6.3 measures that Citi may take to minimize their damage or
loss; 6.4 measures adopted by and reliefs to be provided by Supplier to remedy
the Occurrence; and 6.5 contact information to which Citi may report their
damage or loss.
7. The Personal Data pertaining to an individual may be made available for
review, correction, or deletion, or must be subject to suspension of being
processed upon such individual’s request and Citi shall endeavor to assist
Supplier in dealing with such request. In the event that such individual to
which the Personal Data pertains raises any objection to the manners in which
his/her request concerning the foregoing matters are addressed by Citi, Supplier
shall endeavor to assist Citi in dealing with such objection. 8. Except as
otherwise expressly provided for by the Agreement and the Work Order, upon
demand by Citi, or upon the termination of the Agreement and/or the relevant
Work Order, Supplier shall promptly return or destroy the Confidential
Information or its duplicates, supplied to, or otherwise obtained by, Supplier
in connection with the Services, in the form or manner specifically instructed
by Citi. If the Confidential Information was stored or saved in Supplier’s
computers, servers, or any other electromagnetic medium, Supplier also shall
delete or purge such stored or saved Confidential Information in the form or
manner specifically instructed by Citi. 9. If Supplier is directed by court
order, subpoena or other legal or administrative proceeding or similar process
to disclose any of the Confidential Information provided pursuant to this
Agreement, Supplier shall promptly notify Citi in writing (unless it has a legal
obligation to the contrary), with a copy of such document attached, in
sufficient detail promptly upon receipt of such court order, subpoena, legal or
administrative, or similar process, in order to permit application by Citi for
an appropriate protective order. 10. If Supplier receives any request from
Supplier’s or any overseas regulatory or supervisory agency to access any
Confidential Information or if a situation were to arise where the rights of
access of Citi or Taiwan Regulator have been restricted or denied, Supplier
shall provide prompt notice of such request to Citi to enable Citi to notify its
Taiwan Regulator and seek any required regulatory approval for the provision of
such customer data by Supplier. 11. Supplier acknowledges and agrees that: 11.1
Citi reserves the rights to supervise and audit Supplier in connection with the
provision of the Services and the Confidential Information disclosed to
Supplier; 11.2 Citi reserves the rights not to furnish, supply, disclose, or
make available the Confidential Information to Supplier in connection with
provisions of the Services if Supplier fails to comply with the terms and
conditions set forth in Section B hereof; and 11.3 Supplier shall be responsible
for damages arising out of, or relating to divulgence, loss, alteration,
misappropriation, and/or unauthorized disclosure of the Confidential Information
caused by Supplier. 12. Where services entail access to Taiwan’s customer
information/confidential information: 12.1 Citi reserves the right to revoke,
restrict and monitor the use and access to Citi’s systems, customer information
and confidential information. Supplier will obtain Citi’s agreement before it
grants any of its personnel (including that of its subcontractors) access to the
systems which contains Citi’s customer information/confidential information.
Upon Citi’s request, Supplier will provide full list and job function of such
personnel. In the event of any security breaches, unauthorized access or use of
Citi’s systems/customer information/confidential information, Supplier will
promptly notify Citi without delay. 12.2 In the event Supplier uses Citi’s
customer information/confidential information to produce reports for
regional/global management for the purposes of Citigroup internal control and
management or risk analytical/management, Supplier will obtain Citi’s agreement
for the following matters:-
(i) a full list of regular management report (and samples) and the nature,
extent and recipients of such reports Supplier intends to generate; and (ii)
each ad hoc report not listed on the approved list. 12.3 Supplier will obtain
Citi’s agreement before it sends/stores/provides access to Citi’s customer
information/confidential information to any facility/data center outside Citi
premises. C. MONITORING AND CONTROL Supplier agrees to meet with Citi at
reasonable times and from time to time upon prior written notice being given to
Supplier at the reasonable request of Citi to review all aspects of the Services
provided by Supplier hereunder and/or other matters of mutual interest to
Supplier and Citi and adopt any recommendations and/or measures reasonably
proposed by Citi to ensure, inter alia, compliance with legal and regulatory
obligations. Supplier further agrees, in accordance with the standard operating
procedures set out in Citigroup corporate policies, to maintain a customer
protection system, a risk management system, an internal control system, an
internal audit system, a mechanism to cooperate with Citi to settle consumers’
disputes and the management of personnel hired by Supplier, in each case as
required by such Citigroup corporate policies. Supplier shall endeavor to follow
the requirements set forth in the applicable Outsourcing Due Diligence Form
(attached hereto in Form 5 as a reference) as provided by Citi from time to time
or other written requirement notified by Citi. Supplier agrees to conduct
regular and irregular internal audits and immediately notify Citi if the
Services cannot be duly discharged, or there is difficulty, or a threat of
encountering difficulty, in performing such Services. D. COMPLIANCE WITH LAWS
Supplier shall not violate mandatory or prohibitive provisions of the law,
public order or good morals, and shall ensure that the banking law, the
anti-money laundering law, the PDPA, consumer protection law and other
applicable laws and regulations in Taiwan (such laws and regulations to be
communicated by Citi to Supplier from time to time, and thereafter to be
summarized/set out in this Schedule) are complied with. E. SUBCONTRACTING
Further to clauses in the Agreement dealing with subcontracting:- 1.
Notwithstanding any other provisions in the Agreement or in this Schedule may
provide otherwise, Supplier shall not subcontract or outsource any or all of its
obligations set forth in this Agreement to any third party (including without
limitation Supplier’s subsidiaries or affiliates) unless obtaining the prior
written approval from Citi. 2. If Supplier is permitted to outsource or
subcontract to third parties any of its obligations set forth in the Agreement,
Supplier shall (i) procure the compliance by all assignees/ outsources/
sub-contractors with the provisions of the Agreement and the country addenda
relating to the performance of such obligations (including, without limitation,
provisions relating to security and confidentiality, audit and inspection and
business continuity management), and (ii) require all non-affiliated third party
sub-contractors to accept and comply with the terms of this Schedule, as well as
the Local Country Addendum of other relevant countries (collectively “LCAs”).
(The LCAs set out local laws and regulatory requirements applicable to
non-affiliated parties, and have been drafted to fit into standard Citi vendor
agreements. Supplier shall obtain up-to-date versions of the relevant LCAs from
Citi). Supplier shall remain fully responsible to Citi for its
obligations under this Agreement and for the subcontractor’s performance of such
duties and obligations regardless of whether Supplier is negligent in respect of
its selection or supervision of the subcontractor. 3. Without prejudice to the
above, and in accordance with Article 10 of the Financial Supervision Commission
(“FSC”) Outsourcing Guidelines for Financial Institutions (attached hereto in
Appendix III, as a reference), Supplier’s agreements with its subcontractors
shall, at the minimum, specify the following matters, in order to maintain the
quality of the outsourced services:- 3.1 Description of the specific outsourced
items and the scope thereof, as well as the rights and duties of the
sub-contractors. 3.2 The relevant Taiwan laws and regulations (including the
Banking Law, Anti-Money Laundering Law, the PDPA, Consumer Protection Law and
other laws and regulations) applicable to Citi with which the subcontractors
must comply (such laws and regulations to be provided/updated by Citi from time
to time). 3.3 The protection of consumer rights, including confidentiality and
security measures regarding Citi’s information. 3.4 The consumer protection,
risk management, internal control and internal audit systems to be implemented
by the sub-contractor in accordance with the standard operating procedures set
out in Citigroup corporate policies. 3.5 Procedure for settlement of consumer
disputes should follow Citigroup corporate policies. 3.6 Management of personnel
hired by the sub-contractors, including hiring, review and sanctions related to
its personnel, should follow Citigroup corporate policies. 3.7 Material events
which constitute cause for termination of the outsourcing agreement including
provisions regarding the termination or rescission of the agreement upon
notification of the Regulators. 3.8 The agreement of the sub-contractors that
the Regulators may request relevant information or reports and conduct financial
audits, or may order such sub-contractors to provide relevant information or
reports within prescribed deadlines. 3.9 Agreement that the sub-contractors
shall not use the name of Citi when dealing with the public in the course of
handling the outsourced matters. 3.10 Other terms and conditions to the effect
that the sub-contractor will be subject to and comply with the terms and
conditions of the Agreement and the LCAs. 4. Supplier shall adopt sufficient
internal control measures, including but not limited to, designating a project
manager who is responsible for the subcontracted services, monitoring a
subcontractor and its performance, and establishing audit functions. 5. Supplier
shall cause the subcontractor to periodically report to Supplier on the status
of subcontracted services and the subcontractor, upon request of Citi and/or
Supplier, must provide Citi and/or Supplier with necessary information in a
prompt manner. 6. Supplier shall audit a subcontractor periodically to ensure
that such subcontractor complies with applicable Taiwan laws and regulations and
all terms and conditions set forth in the Agreement, applicable Work Order and
this Schedule.
7. Supplier shall prepare a continuity of business plan in order to provide Citi
with continuous Services in case of emergency or subcontractor’s failure to
perform the Services in accordance with the subcontracting agreement. 8.
Supplier, upon the request of Citi, shall provide Citi with information of its
subcontractor, including but not limited to, name of the subcontractor and its
project manager, contact information of the subcontractor, description of the
services subcontracted, the subcontracting agreement, and the periodical report
on the subcontracted services. 9. Where Citi has consented to Supplier
assigning, outsourcing or sub-contracting any or all of the Services, Citi may
require Supplier to, and Supplier shall, provide to Citi written notification of
any variation or termination of the agreement between Supplier and that third
party. The written notification shall be provided to Citi within three (3) days
of the variation or termination. F. IDENTITY OF SERVICE PROVIDER Supplier, when
providing the Service, shall not hold itself out to others as Citi. Supplier
shall not engage in untrue advertisements or collect fees from consumers when
dealing with the public in the course of handling the Services. G. NOTICE 1. If
Supplier receives Citi’s Confidential Information, Supplier, upon a request of
Citi, shall fill out all necessary information in the Confidential Information
Sharing Attestation (Form 2) attached hereto or other form accepted by Citi and
submit such Form to Citi. If Supplier subcontracts all or any part of handling
of the Protected Information to a third party, Supplier shall also fill out the
Subcontract Consent and Attestation (Form 4) attached hereto or other form
accepted by Citi and submit such Form to Citi prior to the subcontracting. 2. If
Supplier returns or destroys the Protected Information in accordance with
Section B 8, Supplier, upon a request of Citi, shall fill out all necessary
information in the Confidential Information Return/Deletion Attestation (Form 3)
attached hereto or other form accepted by Citi and submit such Form to Citi
without unnecessary delay. 3. If Supplier outsources all or a part of the
Services to a subcontractor, Supplier, upon a request of Citi, shall fill out
all necessary information in the Subcontract Consent and Attestation (Form 4)
attached hereto or other form accepted by Citi and submit such Form to Citi
prior to such outsourcing arrangement. 4. If Supplier makes material changes in
provision of the Service upon occurrence of any matter which give rise to a
material impact on Citi, including but not limited to system upgrade and/or
alteration, changes in business processes, changes in ownership, and changes in
the supervisory and management of the subcontractor, Supplier shall notify Citi
promptly and, upon Citi’s request, provide relevant service report or necessary
information in relation thereto. Furthermore, if any aforementioned changes
exceed or potentially exceed the scope of services approved by the competent
authority, such changes will not be effective until approval or waiver from such
competent authority is obtained. 5. Citi reserves the right to request Supplier
to provide a service report periodically or upon Citi’s notification from time
to time on provision of the Services in a form accepted by Citi. 6. Supplier
will notify Citi promptly if there are any significant or major litigation
arising from or in relation to the services covered hereunder.
H. ADDITIONAL DAMAGES CLAUSES 1. Without limiting any of Supplier’s rights or
remedies in the event of breach by Citi, in the event that Supplier does not
comply, or it reasonably appears that Supplier is not complying, in any material
respect with the provision of the Agreement applicable to a Service provided to
or for the benefit of Citi in Taiwan (including the service standard set forth
in the applicable work order), Citi may upon reasonable notice: 1.1 require
Supplier to take any necessary action to remedy or mitigate the relevant
deficiency in such reasonable manner as Citi may reasonably specify; 1.2 require
Supplier to compensate Citi for any actual loss incurred therefrom or any
liquidated damages, if applicable, agreed by both Parties in the Agreement or
the Work Order (if any) (provided (i) Citi has not caused or contributed to any
such failure as a result of its own act, omission or breach of the Agreement and
or work order (if any), and (ii) such failure is not caused by any force majeure
event); and/or 1.3 where there is any breach of a material obligation under the
Agreement, terminate the Services provided to or for the benefit of Citi in
Taiwan in accordance with relevant clauses. 2. In the event that any Service
level failure is subject to liquidated damages (under the applicable Work Order
or as otherwise agreed in writing by the Parties), then the payment by (or
credit from) Supplier under the relevant liquidated damage provision shall be
deemed as full satisfaction for such Service level failure, provided that
nothing in the foregoing shall limit a claim by Citi for damages in the event
that the failure constitutes a separate breach under the Agreement. In the event
of a claim for damages based on such a separate breach, Supplier shall receive a
credit for any liquidated damages paid or payable. Appendix I Article 2 of the
Personal Data Protection Act Appendix II Article 8 and 12 of the Enforcement
Rules of Personal Data Protection Act Appendix III Article 10 of the Financial
Supervision Commission (“FSC”) Outsourcing Guidelines for Financial Institutions
(see attached for Appendices) Appendices I II & III  2017.docx FORM
1—CONFIDENTIALITY AND SECRECY UNDERTAKING
FORM 2 — CONFIDENTIAL INFORMATION SHARING ATTESTATION
FORM 3 — CONFIDENTIAL INFORMATION RETURN/DELETION ATTESTATION
FORM 4 — SUBCONTRACT CONSENT AND ATTESTATION Form 4 for LCA_subcontract con
FORM 5 — OUTSOURCING DUE DILIGENCE FORM

SCHEDULE P — THAILAND LAW REQUIREMENTS (Version 2 — revalidated 18 January 2017)
1. Right to audit and access [Section 5 (13), Annex 3 of BOT Notification No.
SorNorSor 8/2557 dated December 25th, 2557 and Section 5.5.1 (3.2) of BOT
Notification No. SorNorSor 6/2557 dated July 14, 2557] With reasonable prior
written notice to the Supplier, the Supplier shall allow Citi, its regulators
(including but not limited to Bank of Thailand, the Anti-Money Laundering Office
of Thailand) or any person appointed by them and/or its internal and external
auditors to (i) access any report and finding made on the Supplier in connection
with the Services performed for Citi; (ii) access to the business premises of
the Supplier in the exercise of its right herein; (iii) inspect, examine and
audit the Supplier’s operations and records in relation to the Services provided
by the Supplier under the Agreement including but not limited to the internal
controls and the confidentiality and security system; and (iv) obtain and make
copies of reports, documents of transactions and information stored or processed
by the Supplier in connection with the Services pursuant to the Agreement. 2.
Information Security [Sections 3 (1) and 5 (8), Annex 3 of BOT
Notification # SorNorSor 8/2557 dated December 25th, 2557] The Supplier agrees
and undertakes, and shall procure all its personnel, to segregate Citi’s data
from its own data and data of any other entity and to stipulate a data access
right of the Supplier’s personnel strictly to protect confidentiality of Citi
and its clients’ information. 3. Transition Services [Sections 3 (5), Annex 3 of
BOT Notification # SorNorSor 8/2557 dated December 25th, 2557 and Section 5.5.1
(4.3) of BOT Notification No. SorNorSor 6/2557 dated July 14, 2557] Upon
termination of any Service, the Supplier shall return, destroy or delete all
confidential information and personal information of Citi or its clients
previously given (including without limitation, information incorporated in
computer software or held in electronic storage media, together with any
analyses, compilations, studies, reports or other documents or materials
containing any such confidential information or personal information, as are in
the possession or control of the Supplier) subject to the legal requirements for
retention of records. The Supplier shall certify in writing to Citi within 30
days of the termination of the Services that it has not retained any such
confidential information or personal information in any form whatsoever.

SCHEDULE Q — VIETNAM LAW REQUIREMENTS (Version 6 — 23 March 2017) For the
purposes of each Work Order made between the Supplier and Citi, the following
terms and conditions shall be added to the Agreement and the Work Order, as
applicable, in its entirety: 1. REGULATOR CONTROL OF THE VIETNAM ENTITY The
Supplier and Citi, as the case may be, shall be subject to and shall fully
comply with and abide by the laws of the Socialist Republic of Vietnam which
include, but are not limited to, finance and banking laws and regulations
applicable to the execution and implementation in force from time to time and
each party warrants that the required approvals (if any) have been obtained and
will be maintained for the duration of the Work Order concerned. Especially, for
purposes of services provision under the Master Service Agreement and applicable
Work Order, the Supplier shall satisfy all business conditions when conducting
business in the lines of business investment which are subject to conditions in
accordance with the Law on Investment and to ensure maintenance of all such
business investment conditions during the process of business operation pursuant
to Article 8.1 Law on Enterprises No. 68/2014/QH13 dated 26 November 2014. With
regards to the foreign exchange control, Citi and the Supplier shall comply with
the requirements of the Civil Code 2005, the Foreign Exchange Control Ordinance
No. 28/2005/PL-UBTVQH11, Decree 70/2014/ND-CP dated 17 July 2014 of the
Government on foreign exchange control and any implementation guidelines,
replacement, supplement or in addition thereof and other laws and regulations as
may be applicable from time to time. 2. INFORMATION CONFIDENTIALITY, DATA
PRIVACY, STATE SECRECY AND IT SYSTEM SECURITY 2.1. The Supplier will maintain
and enforce safety and physical security procedures with respect to its access
and maintenance of Citi’s Confidential Information that are (a) at least equal
to industry standards for such types of locations, and (b) which provide
reasonably appropriate technical and organizational safeguards against
accidental or unlawful destruction, loss, alteration or unauthorized disclosure
of or access to Citi’s Confidential Information. Without limiting the generality
of the foregoing, the Supplier will take all reasonable measures to secure and
defend its location and equipment against “hackers” and others who may seek,
without authorization, to modify or access the Supplier’s systems or the
information found therein. The Supplier will periodically test its systems for
potential areas where security could be breached. The Supplier will immediately
report to Citi any breaches of security or unauthorized access to Citi’s systems
that the Supplier detects or becomes aware of. The Supplier will use diligent
efforts to remedy such breach of security or unauthorized access in a timely
manner and deliver to Citi a root cause assessment and future incident
mitigation plan with regard to any breach of security or unauthorized access
affecting Citi’s Confidential Information. 2.2. The Supplier hereby acknowledges
receipt of a written notice from Citi highlighting Citi’s Supplier’s obligations
of confidentiality and data privacy, State secrets protection and IT system
security under the laws of Vietnam. The written notice is attached hereto as
Appendix I. The Supplier hereby undertakes that the Supplier shall fully
understand and strictly comply with the local laws and regulations applicable to
the services provided by the Supplier under the Agreement and Work Order,
including but not limited to the regulations as set forth in the Appendix I.
2.3. The Supplier hereby acknowledges that it is aware of and understands the
effect of, and agrees and undertakes to, and to procure all its Personnel, third
party vendors and Supplier Affiliates to observe all precautionary measures and
prevent disclosure of information that will cause Citi to violate any applicable
regulation as mentioned herein. 2.4. The Supplier further agrees and undertakes
that it will not, and will covenant all its Personnel, third party vendors and
Supplier Affiliates not to do anything which will cause the Vietnam Entity or
any of its customers to violate the laws set out herein. 2.5. The Supplier (i)
shall not, without Citi’s prior written consent, disclose the information
provided pursuant to the Agreement and the Work Order in any manner (read with
this Schedule) and (ii) shall treat information with at least the same degree of
care that it treats its own confidential information, but in no event with less
than a reasonable degree of care. 2.6. The Supplier and its employees shall not
without Citi’s prior written consent further disclose Citi’s Confidential
Information to any person (save for disclosure to the Supplier’s employees in
compliance with Citi’s policies and procedures and applicable laws of Vietnam).
For the avoidance of doubt, the term “person” includes the Supplier’s
Affiliates. 2.7. Citi is allowed to transfer data, provide customer information
including deposits, assets, and other information to its offshore head office or
its branches at other countries provided that Citi ensures compliance with
regulations on confidentiality of information, storage, safety, State secrecy
and for internal operational purposes only. Subject to the foregoing regulation,
Citi may have Confidential Information of an Affiliate and in connection with
the Services provided by the Supplier to Citi, Citi may disclose Confidential
Information of an Affiliate to the Supplier. Citi will inform the Supplier
whether Confidential Information of an Affiliate is being provided to the
Supplier in connection with the Services provided by the Supplier to Citi. The
Supplier shall not disclose that Confidential Information to any other party
(including, for the avoidance of doubt, any other Affiliate) unless such
disclosure is with the written consent of Citi. The Supplier shall further
comply with the Schedule applicable to that Affiliate. 2.8. The Supplier shall
at all times be capable of segregating and clearly identifying all of Citi’s
information, documents, records and assets that are processed by and/or stored
with the Supplier pursuant to the Agreement and the Work Order. The Supplier
shall take technical, personnel and organizational measures in order to maintain
the confidentiality of Citi’s information between its various customers. 2.9.
The Supplier hereby acknowledges that Citi may be requested at any time by the
SBV to provide information and statistical data for purposes of assessment,
inspection and supervision of operations of the credit institutions. 2.10. Citi
shall not be permitted to provide any other organization or individual with
information of Citi’s client at Citi under the laws of Vietnam, unless requested
by competent authority or unless agreed by such clients pursuant to Civil Code
2005 (replaced by Civil Code 2015 as from 1 January 2017) and Law on Credit
Institutions. The use of personal information is restricted only for the
purpose(s) as prior agreed by the personal information’s owner; and the personal
information’s owner reserves right upon request to update, modify or revoke any
information which Citi or Supplier has been properly granted access to pursuant
to Law on Cyber-information Security and Law on Protection of Consumers’ rights.
2.11. If any Citi’s information or data (even concerning deposits and deposited
asset of the Citi’s clients) is considered as State secrets pursuant to Chapter
2 Ordinance 30/2000/PL-UBTVQH10 dated 28 December 2000 on State secrets
protection, Decision No.15/2003/QD- 78

GRAPHIC [g145181ko15i010.gif]

 


TTg issued by Prime Minister dated 20 January 2003 and Decree No. 70/2000/ND-CP
dated 21 November 2000 ("State Secrets"), Citi is only permitted to disclose
such State Secrets to offshore entities after obtaining SBV Governor's approval
except for complicated cases requiring approval from a higher-level authority as
stated under SBV's Decision No. 1087/2003/QD-NHNN dated 17 September 2003. It is
also required that such entity after receiving the State Secrets as approved is
not allowed to disclose the same to any third party. 3. LANGUAGE Language used
in Citi's official transaction documents shall be either Vietnamese or
bilingual including Vietnamese (pursuant to Article 20 Circular No.
40/2011/TT-NHNN dated 15 December 2011, Article 18 Decree 22/2006/ND-CP dated 28
February 2006 and Article 5.3.a Decision No. 1789/2005/QD-NHNN dated 12 December
2005). 4. WITHHOLDING TAX The Supplier being foreign contractors shall incur
value added tax and corporate income tax imposed on the Services and/or
Deliverables under the Master Service Agreement and applicable Work Order as
required by laws of Vietnam, and Citi will pay such taxes on behalf of the
Supplier pursuant to Article 1.1, Article 5.1 and Article 11 Circular
103/2014/TT-BTC dated 6 August 2014. 5. GOVERNING LAW AND JURISDICTION As from 1
January 2017, the governing law applicable to Master Agreement and/or the Work
Order shall be agreed at the parties' discretion pursuant to Article 683.1 Civil
Code 2015. All claims or disputes arising out of or in connection with the
Master Agreement and/or the relevant Work Order which is performed, in whole and
in part, in Vietnam may be submitted to the non-exclusive jurisdiction of court
in Vietnam pursuant to Article 469.1 Code on Civil Proceedings 2015 (effective
as from 1 July 2017); otherwise resolved by arbitration if the Parties have an
arbitration agreement made either prior or after the dispute arises. APPENDIX I
Appendix I - Regulation list (6Febt