South Dakota Division of Banking · SD
ACI Payments, Inc. Settlement Agreement and Consent Order issued by the Division of Banking
Summary
This multi-state settlement addresses security control failures at ACI Payments, Inc. involving the unauthorized use of production data for testing, which led to erroneous ACH processing of over 1.4 million mortgage transactions. The order mandates enhanced third-party risk management and stricter segregation between production and non-production testing environments to prevent future data processing errors.
SETTLEMENT AGREEMENT AND CONSENT ORDER
ACI WORLDWIDE CORP. ACI PAYMENTS, INC.
WHEREAS, ACI Payments, Inc. is a Delaware corporation with headquarters located in Elkhorn, Nebraska and assigned an NMLS identifier number of 936777 (“ACI Payments”). ACI Payments is a wholly owned subsidiary of ACI Worldwide Corp., a Nebraska corporation (“ACI Corp.”). ACI Corp. has direct and/or indirect control over ACI Payments and shares integrated services involving information technology (“IT”) and other operational aspects of the enterprise pursuant to intercompany agreements. For purposes herein, ACI Payments and ACI Corp. shall be collectively referred to as “ACI”.
WHEREAS, the States of Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Maine, Maryland, Michigan, Minnesota, Mississippi, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, the Commonwealths of Kentucky, Pennsylvania, Puerto Rico, and Virginia, and the District of Columbia (individually, a “Participating State,” and collectively, the “Participating States”) have each agreed, through its respective state money transmission regulatory agency, to negotiate and enter into this Settlement Agreement and Consent Order (hereinafter referred to as the “Agreement” or “Order”).
WHEREAS, the state money transmission regulators of the Participating States (hereinafter referred to individually as a “State Money Transmission Regulator,” and collectively as the “State Money Transmission Regulators”) are respective members of the Conference of State Bank Supervisors (“CSBS”) and the Money Transmitter Regulators Association (“MTRA”) and have agreed to address enforcement concerns with ACI in a collective and coordinated manner, working through the Multi-State MSB Examination Taskforce (“MMET”). The State Money Transmission Regulators and ACI are collectively referred to herein as the “Parties.”
WHEREAS, ACI Payments is licensed as a money transmitter under the respective laws of each Participating State.
WHEREAS, the Speedpay bill payment solution is marketed as an electronic platform providing electronic bill presentment and payment services, including allowing for one-time and recurring billing and payment processing capabilities (the “Speedpay Platform”). ACI Corp. acquired the Speedpay Platform in May 2019 with a two-year transition services agreement with the previous owner of Speedpay. Speedpay was subsequently merged into ACI Payments. Commencing March 1, 2021, ACI assumed IT responsibility for supporting and maintaining the Speedpay Platform. At the time of this transition, the Speedpay Platform was still hosted in the previous owner’s IT environment with certain services still provided by legacy vendors. These legacy vendors were in place prior to the purchase of the Speedpay Platform and were retained by ACI as part of the ownership transition and continued to support both the production and testing environments. The State Money Transmission Regulators contend that these legacy vendors, at the time of the transition and thereafter, were not adequately integrated into ACI’s risk and compliance framework, specifically with identifying the risk category each represented, so as to ensure that the defense protocols at ACI were properly tracking their activities as it related to supporting the Speedpay Platform.
WHEREAS, a large U.S. residential mortgage lending and servicing company (the “Mortgage Company”) utilizes the Speedpay Platform for payment processing services as it relates to its residential mortgage servicing activities. Specifically, ACI, as a vendor for the Mortgage Company, regularly processes mortgage payments for certain mortgage borrowers whose loans are being serviced by the Mortgage Company. ACI creates Automated Clearing House (“ACH”) files used to facilitate bill payment for those borrowers, remitting the debited funds to the Mortgage Company’s bank account and remitting credited funds to borrowers’ bank accounts.
WHEREAS, on or about April 23, 2021, ACI conducted testing to optimize the Speedpay Platform’s ACH processing code to increase the rate at which ACH files were generated for production through the Speedpay Platform for the Mortgage Company (the “Speedpay Optimization Project”). To accomplish the Speedpay Optimization Project, ACI’s testing methodology required the use of customer information previously obtained through its processing of debit and credit transactions for the Mortgage Company. The State Money Transmission Regulators determined that, during the Speedpay Optimization Project, the legacy vendors’ circumvention of internal data security controls and a lack of segregation between internal production and testing environments resulted in 1,432,821 ACH debit and credit entries being unintentionally and erroneously sent to the ACH Network. These entries related to 478,568 customer borrowers of the Mortgage Company and reflected a total dollar value of $2,389,173,559.05 (the “Money Transmission Instruction Error”).
WHEREAS, on becoming aware of the Money Transmission Instruction Error, the State Money Transmission Regulators, as coordinated by the MMET, commenced a multi-state money transmission investigation to cover all aspects of this incident, including investigating the facts and circumstances surrounding the incident, evaluating consumer impact, analyzing the root cause of the incident, evaluating remedial steps taken by ACI, and investigating other matters associated therewith (the “Multi-State Investigation”). The Multi-State Investigation was conducted by the State Money Transmission Regulators from the states of Arkansas, Maryland, Michigan, and Texas. The Multi-State Investigation of ACI was conducted pursuant to their respective statutory authorities, and in accordance with the protocols established by the Protocol for Performing Multi-State Examinations as well as the Nationwide Cooperative Agreement for MSB Supervision (collectively the “CSBS/MTRA Protocol and Agreement”).
WHEREAS, ACI became aware of the Money Transmission Instruction Error the morning of the day following the submission of the erroneous files and took immediate steps with the intent to reverse the erroneous debits and credits, to minimize the impact of the Money Transmission Instruction Error on consumers and to ensure a similar incident could not occur in the future. ACI represented to the State Money Transmission Regulators during the course of the investigation that although these credits and debits were reflected on the consumers’ respective accounts, the steps taken to reverse the erroneous debits and credits resulted in approximately 99.998% of the erroneous debit entries being offset before any funds moved from consumer accounts. By the end of May 2021, all of the accounts impacted by erroneous debit entries were represented by ACI to have received offsetting credit entries. The remaining impacted customer accounts contained credits of ACI’s funds that were deposited into consumers’ accounts as part of the process of reversing the erroneous debits. As of the end of August 2021, this credit balance was approximately $2.9 million. Although the full indirect consumer impact is undetermined as of the Effective Date of this Agreement, the Multi-State Investigation identified approximately 2,710 consumers that reported to the Mortgage Company that they had experienced financial harm as a result of the Money Transmission Instruction Error.
WHEREAS, shortly after ACI became aware of the Money Transmission Instruction Error, ACI investigated all of its server settings and prevented communication between all applicable production and testing/quality assurance servers. ACI also conducted an internal review of ACI’s Third-Party Risk Management (TPRM) program and identified opportunities to improve the program approach and enhance program methodology. ACI has implemented those improvements and enhancements. Finally, during the Multi-State Investigation, ACI represented to the investigation team that it has implemented and is in the process of implementing additional safeguards to prevent duplicate transactions from being processed and has put a hold on any transfers of production data from the production databases to a testing/quality assurance environment.
WHEREAS, the Multi-State Investigation determined that the Money Transmission Instruction Error was possible due to significant defects in ACI’s privacy and data security procedures and technical infrastructure supporting its licensed activity. Specifically, it was determined that, while at the time of the Money Transmission Instruction Error ACI maintained a relatively detailed enterprise risk management framework, including third-party risk management policies and procedures, and ACI managers maintained a level of oversight related to vendors supporting the Speedpay Platform, the level of supervision and training of those vendor personnel and system controls did not ensure that (1) these vendors followed required policies, procedures and practices, such as sending production database requests to the correct group and validating that the databases were scrubbed, and (2) there were sufficient technological safeguards to enforce the foregoing policies and procedures.
WHEREAS, the State Money Transmission Regulators and ACI enter into this Agreement with the understanding that the State Attorneys General have entered or will enter into an Assurance of Voluntary Compliance (the “AG AVC”) in coordination with this Agreement.
WHEREAS, certain terms and conditions are contained in the AG AVC and in this Agreement. Notwithstanding the coordinated nature of the two settlements, to the extent that the terms and conditions contained in this Agreement conflict with any provisions of the AG AVC, the terms and conditions of this Agreement shall control.
WHEREAS, by reciting in this Order information about the AG AVC, the State Money Transmission Regulators are not asserting independent jurisdiction or authority to enforce the AG AVC, unless otherwise authorized to do so under any applicable state or federal law, rule, or regulation.
WHEREAS, ACI enters into this Agreement solely for the purpose of resolving disputes with the State Money Transmission Regulators, including concerning the conduct described herein related to the Money Transmission Instruction Error, and neither admits nor denies that it violated the laws of the Participating States. ACI acknowledges that the State Money Transmission Regulators have and maintain jurisdiction over the underlying dispute, including all matters referred to in these recitals, and therefore have the authority to fully resolve the matter.
WHEREAS, ACI acknowledges that the State Money Transmission Regulators are relying, in part, upon ACI’s representations and warranties stated herein in making their determinations in this matter. ACI further acknowledges that this Agreement may be revoked and the State Money Transmission Regulators may pursue any and all remedies available under the law against ACI, if the State Money Transmission Regulators later find that ACI knowingly or willfully withheld information from the State Money Transmission Regulators.
WHEREAS, the State Money Transmission Regulators have legal authority to initiate administrative actions based on the conduct described herein related to the Money Transmission Instruction Error.
WHEREAS, the intention of the State Money Transmission Regulators in effecting this settlement is to resolve the operational and IT concerns and violations related to ACI’s licensed activities, including those described in these recitals, and to close the Multi-State Investigation as it relates to the Money Transmission Instruction Error. The State Money Transmission Regulators reserve all of their rights, duties, and authority to enforce all statutes, rules, and regulations under their respective jurisdictions against ACI regarding any money transmission activities outside the scope of this Agreement. Additionally, a State Money Transmission Regulator may consider this Agreement and the facts set forth herein in connection with, and in deciding, any examination, action, or proceeding under the jurisdiction of that State Money Transmission Regulator, if the basis of such examination, action, or proceeding is not a direct result of the specific activity identified herein; and this Agreement may, if relevant to such examination, action or proceeding, be admitted into evidence in any matter before a State Money Transmission Regulator.
WHEREAS, ACI hereby knowingly, willingly, voluntarily, and irrevocably consents to the entry of this Order, which is being entered pursuant to the authority vested in each State Money Transmission Regulator and agrees that it understands all of the terms and conditions contained herein. ACI acknowledges that it has full knowledge of its rights to notice and a hearing pursuant to the laws of the respective Participating States. By voluntarily entering into this Agreement, ACI waives any right to notice and a hearing, and review of such hearing, and also herein waives all rights to any other judicial appeal concerning the terms, conditions, and related obligations set forth in this Agreement. ACI further acknowledges that it has had an opportunity to consult with independent legal counsel in connection with its waiver of rights and with the negotiation and execution of this Agreement, and that ACI has either consulted with independent legal counsel or has knowingly elected not to do so.
WHEREAS, ACI represents that the persons signing below are authorized to execute this Agreement and to legally bind ACI Payments and ACI Corp. respectively.
WHEREAS, in that the Parties have had the opportunity to draft, review and edit the language of this Agreement, the Parties agree that no presumption for or against any party arising out of drafting all or any part of this Agreement will be applied in any action relating to, connected to, or involving this Agreement. Accordingly, the Parties agree to waive the benefit of any State statute, providing that in cases of uncertainty, language of a contract should be interpreted most strongly against the party who caused the uncertainty to exist.
NOW, THEREFORE, this Agreement having been negotiated by the Parties in order to resolve the issues identified herein related to the Money Transmission Instruction Error, without incurring the costs, inconvenience and delays associated with protracted administrative and judicial proceedings, it is by the State Money Transmission Regulators listed below, as coordinated through the CSBS/MTRA Protocol and Agreement, hereby ORDERED:
I. JURISDICTION
- That pursuant to the licensing and supervision laws of the Participating States, the Participating States have jurisdiction over ACI as described herein and may enforce the terms of this Agreement thereon unless otherwise stated in this Agreement.
II. RISK AND COMPLIANCE PROGRAMS
ACI Corp., under the supervision of its board of directors (the “Board of Directors”), shall maintain at all times an Enterprise Risk Management Program (“ERMP”) to identify, measure, monitor and control risk. The ERMP shall include the requisite policies and procedures to effectively address ACI’s activities with specific attention to applicable State and Federal laws and regulations. The ERMP includes the privacy strategy and framework (the “Information Security Program”) and cybersecurity strategy and framework (the “Cybersecurity Program”) and shall at all times be tailored to the nature, size, complexity, and risk profile of ACI. The ERMP shall also include customary strategic planning as undertaken by management and overseen by the Board of Directors and a Compliance Management System (“CMS”) which complies with all the relevant requirements set forth by the Consumer Financial Protection Bureau.
Staff Training. ACI shall maintain at all times a comprehensive training program to ensure that all relevant staff engaged in ACI’s money transmission business are aware of, and receive regular training on, ACI’s policies and procedures and updates thereto, as they relate to Consumer Information that ACI uses to move funds to or from an individual’s financial account(s), whether in paper, electronic, or other form, that is handled or maintained by or on behalf of ACI, an affiliate of ACI, or a Third-Party Vendor thereto, and each employee’s job function. “Consumer Information” has the same meaning as “customer information” as that term is defined in 16 C.F.R. 314.2(d). “Third-Party Vendor” means a person or entity that is engaged by ACI to process or assist in the processing of consumer payments.
Internal Audit. The Board of Directors shall maintain at all times an internal audit program through a dedicated Internal Audit Department (“IAD”). The IAD shall report directly to the Board or the Board’s Audit Committee, so as to provide the Board of Directors with independent and objective information as to whether major business risks are being managed appropriately and whether the company’s risk management and internal control framework is operating effectively.
Monitor and Review of ACH Entries. ACI must utilize at all times processes to monitor and reconcile all ACH entries submitted to the Originating Depository Financial Institution (“ODFI”) to ensure the accuracy and integrity of such entries. Controls shall include the prevention of duplicate ACH files from being processed by the ODFI and shall address potentially duplicative ACH files in a timely manner. ACI shall also perform daily reviews of ACH files to reconcile the ACH files sent to the ODFI with the information provided to ACI by the ODFI.
Production System Segregation and the Use of Consumer Information. With regard to its software and other technological programs and products, ACI shall at all times require that its production environment, either logically or physically, is separate from its development and test environments. For a period of five (5) years, when testing ACI software or systems ACI must use only Synthetic Data, meaning data that is artificially manufactured, rather than generated by real-world transactions. Synthetic Data is not to be traceable to any specific Consumer Information and is used to protect Consumer Information from inadvertent or unauthorized disclosure, use, or access. The Qualified Individual(s), as described in further detail below, may permit an exception to the requirement in the prior sentence only if the Qualified Individual determines that (a) it is not reasonably practical to obtain rigorous and reliable results from a given test without using data that reflects the structure, volume, specificity, and diversity of Consumer Information, and (b) such Consumer Information is subject to documented controls, as approved by a Qualified Individual, to ensure it is handled, processed, and disposed of in a secure manner and in conformity with the obligations in this Agreement. If the Qualified Individual grants an exception under this paragraph, the decision must be documented in writing and include the following items: the purpose and nature of the test; the date on which the test will be performed; a description of the specific dataset to be used in the test; and the reason(s) why Synthetic Data could not have reasonably been used. ACI agrees that, for a period of five (5) years, it will produce all documents relating to the granting of any exception to this paragraph upon request by any State Money Transmission Regulator.
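The two controls above (the duplicate-file and reconciliation checks required for ACH entries, and keeping anything generated outside production away from the ODFI) as an added example that is not ACI’s code and not part of the order: a Python gate an originator could run before releasing a NACHA file. The NACHA field offsets are the published 94-character record layout; the `ledger` set, the `environment` tag supplied by the deployment, the routing numbers and the sample file are constructed assumptions.

```python
"""Pre-submission gate for an ACH (NACHA) file: reconcile the file control
record against the entries, refuse a file already released to the ODFI, and
refuse a file generated anywhere but production.  Added illustration, not
ACI's code.  NACHA offsets follow the published 94-character record layout;
ledger, environment tag, routing numbers and sample file are constructed."""
import hashlib

RECORD_LEN = 94
DEBIT_CODES = {"27", "37"}   # checking / savings debit
CREDIT_CODES = {"22", "32"}  # checking / savings credit

def _num(value, width):
    """Zero-filled numeric field, truncated to its width from the left."""
    return str(value).rjust(width, "0")[-width:]

def _txt(value, width):
    """Space-filled alphanumeric field."""
    return str(value).ljust(width)[:width]

def file_header(dest_routing, origin_id, yymmdd, hhmm, modifier="A"):
    """Type-1 file header.  Immediate origin + creation date + file ID modifier
    is the file identity an ODFI uses to spot a re-sent file."""
    rec = ("1" + "01" + _txt(" " + dest_routing, 10) + _txt(origin_id, 10)
           + yymmdd + hhmm + modifier + "094" + "10" + "1"
           + _txt("RECEIVING BANK", 23) + _txt("SAMPLE ORIGINATOR", 23) + _txt("", 8))
    assert len(rec) == RECORD_LEN
    return rec

def entry_record(txn_code, rdfi_routing, account, amount_cents, name, trace):
    """Type-6 entry detail record."""
    rec = ("6" + txn_code + rdfi_routing[:8] + rdfi_routing[8] + _txt(account, 17)
           + _num(amount_cents, 10) + _txt("", 15) + _txt(name, 22) + _txt("", 2)
           + "0" + _num(trace, 15))
    assert len(rec) == RECORD_LEN
    return rec

def entry_totals(entries):
    """Count, entry hash (low 10 digits of the summed RDFI routing prefixes) and
    debit/credit totals in cents, as the file control record must state them."""
    t = {"count": 0, "hash": 0, "debit": 0, "credit": 0}
    for rec in entries:
        code, amount = rec[1:3], int(rec[29:39])
        t["count"] += 1
        t["hash"] = (t["hash"] + int(rec[3:11])) % 10**10
        if code in DEBIT_CODES:
            t["debit"] += amount
        elif code in CREDIT_CODES:
            t["credit"] += amount
        else:
            raise ValueError(f"unsupported transaction code {code}")
    return t

def file_control(entries, batch_count=1):
    """Type-9 file control computed from the entries it summarises."""
    t = entry_totals(entries)
    records = 2 + 2 * batch_count + len(entries)  # file hdr/ctl, batch hdr/ctl, entries
    blocks = -(-records // 10)                     # 10 records per block, rounded up
    rec = ("9" + _num(batch_count, 6) + _num(blocks, 6) + _num(t["count"], 8)
           + _num(t["hash"], 10) + _num(t["debit"], 12) + _num(t["credit"], 12)
           + _txt("", 39))
    assert len(rec) == RECORD_LEN
    return rec

def gate_ach_file(text, ledger, environment):
    """Return (accepted, reason).  `ledger` holds the file identities and content
    digests already released to the ODFI and is updated on acceptance."""
    if environment != "production":
        return False, f"refusing file generated in {environment!r} environment"
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines or lines[0][0] != "1" or lines[-1][0] != "9":
        return False, "malformed file: missing file header or file control"
    if any(len(l) != RECORD_LEN for l in lines):
        return False, "malformed file: record length is not 94"
    header, control = lines[0], lines[-1]
    try:
        actual = entry_totals([l for l in lines if l[0] == "6"])
    except ValueError as exc:
        return False, str(exc)
    stated = {"count": int(control[13:21]), "hash": int(control[21:31]),
              "debit": int(control[31:43]), "credit": int(control[43:55])}
    for key, value in stated.items():
        if value != actual[key]:
            return False, f"file control {key} {value} != entries {actual[key]}"
    file_id = header[13:23] + header[23:29] + header[33]
    digest = hashlib.sha256(text.encode()).hexdigest()
    if file_id in ledger or digest in ledger:
        return False, "duplicate: file identity or content already sent to ODFI"
    ledger.update({file_id, digest})
    return True, (f"accepted {actual['count']} entries, debit {actual['debit']} "
                  f"credit {actual['credit']} cents")

def sample_file():
    """Constructed two-entry file; batch header/control are placeholders
    because this gate reconciles at file level only."""
    entries = [entry_record("27", "012345678", "1234567890", 150000, "JANE BORROWER", 1),
               entry_record("22", "087654321", "9876543210", 2500, "JOHN BORROWER", 2)]
    lines = ([file_header("012345678", "1123456789", "210423", "0900"), "5" + _txt("", 93)]
             + entries + ["8" + _txt("", 93), file_control(entries)])
    return "\n".join(lines) + "\n"
```

Calling `gate_ach_file(sample_file(), ledger, "production")` twice against the same `ledger` accepts the first release and refuses the second as a duplicate; the same file with `environment="test"` is refused before any record is parsed.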
Privacy Strategy and Framework – Data Processing. As part of the ERMP, ACI shall maintain at all times a privacy strategy and framework reasonably tailored to address specific privacy and security risks associated with use of Consumer Information and appropriately informed by national and industry standards and guidelines.
The Information Security Program shall have the following core objectives: (1) to ensure the security and confidentiality of Consumer Information; (2) to protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (3) to protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. In furtherance of these objectives the Information Security Program shall at all times include the administrative, technical, and physical safeguards applicable to Consumer Information. Thus, the Information Security Program shall be written in one or more parts readily accessible to the relevant staff engaged in ACI’s money transmission business and shall contain administrative, technical, and physical safeguards that are appropriate to ACI’s size and complexity, the nature and scope of ACI’s activities, and the sensitivity of Consumer Information at issue.
ACI shall maintain at all times the ERMP to define and facilitate performance of roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the Information Security and Cybersecurity Programs to ensure accountability; and provide adequate resources and appropriate authority and access to the Board of Directors. This ERMP governance structure shall articulate clear responsibilities and lines of reporting and escalation. ACI shall maintain at all times a risk program and maintain processes to oversee the design, implementation, and effectiveness of the ERMP.
As part of the ERMP, ACI shall evaluate the cyber, privacy and data processing risk and corresponding compensating controls, presented by the people, processes, technology, and underlying data that support each identified function, activity, product, and service. ACI shall then identify and assess the existence and effectiveness of controls to protect against the identified risk to inform ACI’s approach to cyber, privacy and data processing risk. Protection mechanisms should include avoiding or eliminating risk by not engaging in an identified activity or risk mitigation through controls or sharing or transferring the risk. Additionally, ACI’s risk and control assessments should consider, as appropriate, any cyber, privacy and data processing risks ACI presents to others and the financial sector as a whole.
As part of the ERMP, ACI shall maintain at all times systematic monitoring processes to receive, analyze, and respond to relevant reports of Security Events disclosed to the organization from internal and external sources and periodically evaluate the effectiveness of identified controls. This process should ensure the root cause of such Security Events is identified and reasonably remediated. Those engaged in testing and auditing functions under the Information Security Program should be appropriately independent from the personnel responsible for implementing and managing the Information Security Program. “Security Event” means any compromise by (1) unauthorized access, (2) unauthorized use, or (3) inadvertent disclosure, that impacts the confidentiality, integrity, or availability of any Consumer Information held or stored by ACI or any Third-Party Vendor, including but not limited to a data breach as defined by the laws of any Participating State.
As part of the ERMP, ACI shall review the privacy and cybersecurity strategies and frameworks regularly and when events warrant to address changes in cyber, privacy and data processing risks, allocate resources, identify, and remediate gaps, and incorporate lessons learned.
To maintain the ERMP, ACI shall:

a. Designate one or more qualified individual(s) responsible for overseeing, implementing, and enforcing the Information Security Program and Cybersecurity Program (for purposes herein, a “Qualified Individual”). Given the size, operational complexity, and overall risk profile of ACI, each Qualified Individual shall be retained by ACI Corp., and have the authority, responsibilities, and duties commonly understood for their position, and in accordance with the expected role of this position given a business enterprise having the size, operational complexity, and overall risk profile of ACI. Each Qualified Individual shall directly deliver reports, make presentations, and shall have the authority to unilaterally escalate issues to the appropriate ACI Board of Directors, the appropriate committee(s) of the Board of Directors, and the appropriate members of senior management. Additionally, each Qualified Individual shall have the requisite background, experience, and skillset necessary to fulfill the duties of this position;

b. Base the Information Security Program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Consumer Information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. ACI shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Consumer Information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks. A risk assessment shall be written and shall include:
   i. Criteria for the evaluation and categorization of identified security risks or threats ACI faces;
   ii. Criteria for the assessment of the confidentiality, integrity, and availability of ACI’s information systems that contain Consumer Information or that are connected to a system that contains Consumer Information, including the adequacy of the existing controls in the context of the identified risks or threats ACI faces; and
   iii. Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Information Security Program will address the risks.

c. Design and implement safeguards to control the risks ACI identifies through the risk assessment, including:
   i. Maintaining at all times and periodically reviewing access controls, including technical and, as appropriate, physical controls to (1) authenticate and permit access only to authorized users to protect against the unauthorized acquisition of Consumer Information and (2) limit authorized users’ access only to Consumer Information that they need to perform their duties and functions, or in the case of Consumers, to access their own information;
   ii. Identifying and managing the data, personnel, devices, systems, and facilities that enable ACI to achieve business purposes in accordance with its relative importance to business objectives and ACI’s risk strategy;
   iii. Protecting through encryption all Consumer Information held or transmitted by ACI both in transit over external networks and at rest. To the extent ACI determines that encryption of Consumer Information, either in transit over external networks or at rest, is infeasible, ACI may instead secure such Consumer Information using effective alternative compensating controls reviewed and approved by ACI’s responsible Qualified Individual;
   iv. Maintaining at all times secure development practices for in-house developed applications utilized by ACI for transmitting, accessing, or storing Consumer Information and procedures for evaluating, assessing, or testing the security of externally developed applications ACI utilizes to transmit, access, or store Consumer Information;
   v. Maintaining at all times multi-factor authentication for any individual accessing Consumer Information on ACI’s systems, unless ACI’s Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls, or the individual accesses Customer Information on behalf of a financial institution that is also subject to multi-factor authentication regulations before accessing Consumer Information on ACI’s systems;
   vi. Disposing of Consumer Information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to which it relates, unless such information is necessary for historic payments research, is otherwise required to be retained by law, regulation or rule, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Disposal of Consumer Information must be by means that protect against unauthorized access to the Consumer Information, such as by shredding, erasing or otherwise modifying the Consumer Information in the records, to make the Consumer Information unreadable or undecipherable through any means;
   vii. Maintaining at all times procedures for change management; and
   viii. Maintaining at all times policies, procedures and controls designed to monitor and log the activity of any authorized users (such as employees, contractors, agents, or other persons that participate in ACI’s business operations and are authorized to access and use any of ACI’s information systems and data) and detect unauthorized access or use of, or tampering with, Consumer Information by such users.

d. Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, ACI’s information systems. For information systems, monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in ACI’s information systems that may create vulnerabilities, ACI shall conduct:
   i. Annual penetration testing of ACI’s information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and
   ii. Vulnerability assessments, including any systemic scans or reviews of ACI’s information systems reasonably designed to identify publicly known security vulnerabilities in ACI’s information systems based on the risk assessment, at least every six months; and whenever there are material changes to ACI’s operations or business arrangements; and whenever there are circumstances ACI knows or has reason to know may have a material impact on its information security program.

e. Maintain at all times policies and procedures to ensure that ACI is able to comply with the Information Security Program by:
   i. Providing relevant personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
   ii. Utilizing qualified information security personnel employed by ACI, an affiliate of ACI, or a Third-Party Vendor of ACI sufficient to manage ACI’s information security risks and to perform or oversee the Information Security Program;
   iii. Providing information security personnel with security updates and training sufficient to address relevant security risks; and
   iv. Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.

f. Oversee Third-Party Vendors, by:
   i. Taking reasonable steps to select and retain Third-Party Vendors that are capable of maintaining appropriate safeguards to ensure at a minimum the confidentiality, integrity, and availability of the Consumer Information at issue;
   ii. Requiring ACI’s Third-Party Vendors by contract to implement and maintain such safeguards; and
   iii. Periodically assessing ACI’s Third-Party Vendors based on the risk they present and the continued adequacy of their safeguards.

g. Evaluate and adjust ACI’s Information Security Program in light of the results of the testing and monitoring required herein; any material changes to ACI’s operations or business arrangements; the results of risk assessments performed under the requirements described herein; or any other circumstances that ACI knows or has reason to know may have a material impact on ACI’s Information Security Program.

h. Maintain at all times a written Security Event response plan designed to promptly respond to, and recover from, any event resulting in unauthorized access to, or disruption or misuse of, an information system or Consumer Information stored on such information system, or Consumer Information held in physical form materially affecting the confidentiality, integrity, or availability of Consumer Information in ACI’s control. Such Security Event response plan shall address the following areas:
   i. The goals of the Security Event response plan;
   ii. The internal processes for responding to the event;
   iii. The definition of clear roles, responsibilities and levels of decision-making authority;
   iv. External and internal communications and information sharing;
   v. Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
   vi. Documentation and reporting regarding the event and related Security Event response activities; and
   vii. The evaluation and revision as necessary of the Security Event response plan following such event.

i. Require ACI’s Qualified Individual to report in writing, at least annually, to ACI Corp.’s Board of Directors. The report shall include the following information:
   i. The overall status of the Information Security Program and ACI’s compliance with the Information Security Program; and
   ii. Material matters related to the Information Security Program, addressing issues such as risk assessment, risk management and control decisions, Third-Party Vendor arrangements, results of testing, confirmed Security Events and management’s responses thereto, and recommendations for changes in the Information Security Program.

j. Establish a written plan addressing business continuity and disaster recovery.
Cybersecurity Strategy and Framework. As part of the ERMP, ACI shall maintain at all times a cybersecurity strategy and framework tailored to specific cyber risks and appropriately informed by national and industry standards and guidelines. The cybersecurity strategy and framework shall be designed to identify, manage, and reduce cyber risks effectively in an integrated and comprehensive manner.
The Cybersecurity Program shall be maintained at all times to timely (a) assess the nature, scope, and impact of a Security Event; (b) contain the Security Event and mitigate its impact; (c) notify internal and external stakeholders as appropriate; and (d) coordinate joint response activities as needed. As part of the Cybersecurity Program, ACI shall implement Security Event response policies and other controls to facilitate effective Security Event response. Among other things, these controls shall clearly address decision-making responsibilities, define escalation procedures, and establish processes for communicating with internal and external stakeholders.
To ensure operational continuity and recovery in response to a Security Event, ACI shall design the Cybersecurity Program to support recovery through the responsible resumption of operations, while allowing for continued remediation, including by (a) eliminating harmful remnants of the Security Event; (b) restoring systems and data to normal and confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited; (d) remediating vulnerabilities to prevent similar events; and (e) communicating appropriately internally and externally. Security Event recovery protocols must establish that once operational stability and integrity are assured, prompt and effective recovery of operations should be based on prioritization of critical economic and other functions and in accordance with State and Federal laws and regulations. As part of recovery preparedness, ACI shall establish testing contingency plans and protocols for essential activities and key processes.
III. AGREEMENT MONITORING
Executive Committee. An executive committee comprised of representatives of the State Money Transmission Regulators (“Executive Committee”) shall serve as the point of contact between ACI and the State Money Transmission Regulators and shall receive reports and communications from ACI. The initial member states of the Executive Committee are: the State Money Transmission Regulators of Arkansas, Maryland, Connecticut, Texas, and Washington. The Executive Committee may substitute representation, as necessary.
In order to monitor the ERMP, including the Information Security Program and the Cybersecurity Program, and the specific enhancements thereto as discussed herein, ACI shall provide to the Executive Committee the following documentation and/or information according to the following terms: (1) the ERMP, including the Information Security Program and the Cybersecurity Program, within sixty (60) calendar days of the Effective Date of this Agreement; (2) any material written updates or changes to the ERMP, including the Information Security Program and the Cybersecurity Program, within thirty (30) calendar days of the conclusion of calendar years 2023 and 2024; and (3) for a period of two (2) years from the Effective Date of this Agreement, any Security Event within thirty (30) calendar days of ACI’s determination that a Security Event has occurred, including:
a. The facts of the incident;
b. The number of Consumers impacted, broken down by state;
c. Amount of harm experienced by Consumers, broken down by state;
d. The steps ACI has taken to correct the incident; and
e. The steps ACI has taken to make Consumers whole.
To ensure ACI maintains a comprehensive and adequate TPRM under the ERMP, including the Information Security and Cybersecurity risk, ACI shall maintain at all times the enhancements made as a result of the internal review of ACI’s TPRM program. Additionally, ACI shall engage a qualified, independent, third-party consultant to validate the implementation of the recommended enhancements, which will be documented in a report covering the methodology utilized to conduct the assessment, the information, documentation, and individuals interviewed as part of the assessment, the findings and recommendations identified by the consultant, and any other relevant information identified as a result of the assessment, and ACI will provide a copy of this assessment report to the Executive Committee within twelve (12) months of this Agreement’s Effective Date.
Within sixty (60) calendar days of the Effective Date, ACI shall submit to the Executive Committee a training plan, with calendar, which shall address all required areas of training pertaining to the Information Security Program and the Cybersecurity Program that shall be provided to the relevant employees of ACI, employees of ACI’s affiliates, and/or employees of any Third-Party Vendor of ACI that should receive such training. Within ninety (90) days of the Effective Date, and annually thereafter for two (2) years, ACI shall also submit to the Executive Committee an annual report, accompanied by a declaration signed by a member of senior management (such as the Chief Compliance Officer), that will confirm the training that has been provided and the recipients of said training by job function.
IV. ADMINISTRATIVE COSTS AND PENALTY
Administrative Penalty. That ACI shall pay an Administrative Penalty of $9,509,999.84 to be distributed equally among each Participating State (each Participating State will receive payment of $216,136.36 (the “per-state payment”)). ACI shall pay the total Administrative Penalty amount within twenty (20) calendar days following the receipt of payment instructions, by paying each Participating State the per-state payment by the means designated by each State.
Administrative Costs. That ACI shall pay Administrative Costs of $490,000.16 to each Participating State that also took part in the investigation or settlement to cover administrative costs associated with the investigation and investigation resolution process, with such costs allocated as follows: Alaska, $15,000; Arkansas, $100,000; Connecticut, $100,000; Kentucky, $15,000; Illinois, $15,000; Maryland, $100,000; Michigan, $15,000; New Hampshire, $15,000; Texas, $100,000; and Washington, $15,000.16. ACI shall pay the Administrative Costs within twenty (20) calendar days following the receipt of payment instructions by the means designated by each Participating State receiving such payment.
That in the event that ACI fails to submit any Administrative Penalty or Administrative Costs set forth in this Agreement, in the amounts specified herein and in accordance with the applicable deadlines, or if any transfer of any monetary amount required under this Agreement is voided by a Court Order, including a Bankruptcy Court Order, ACI agrees not to object to a Participating State submitting a claim, nor attempt to defend or defeat such authorized claim, for any unpaid amounts against any surety bond that ACI may maintain in such Participating State as a condition of maintaining a license under the jurisdiction of that State Money Transmission Regulator.
That a State Money Transmission Regulator may elect to have its allocation of the Administrative Penalty set forth in Paragraph 1 of this section to be applied towards an authorized alternative under the respective Participating State’s law. Should a State Money Transmission Regulator elect to apply its allocation of administrative penalties in such an alternative manner, solely for the purpose of ensuring the effective administration of payments pursuant to the terms of this Agreement, that State Money Transmission Regulator shall notify the MMET in writing of such election on or before the Effective Date of this Agreement.
V. ENFORCEMENT
General Enforcement Authority: That the terms of this Agreement shall be enforced in accordance with the provisions, terms and authorities provided in this Agreement and under the respective laws and regulations of each Participating State.
No Restriction on Existing Examination and Investigative Authority. That this Agreement shall in no way preclude any State Money Transmission Regulator from exercising its examination or investigative authority authorized under the laws of the corresponding Participating State in the instance a determination is made wherein ACI is found not to be adhering to the requirements of the Agreement, or involving any unrelated matter not subject to the terms of this Agreement. The Parties agree that the failure of ACI to comply with any term or condition of this Agreement with respect to a particular State shall be treated as a violation of an Order of the State and may be enforced as such. Moreover, ACI acknowledges and agrees that this Agreement is only binding on the State Money Transmission Regulators and not any other Local, State or Federal Agency, Department or Office.
Sharing of Information and Cooperation. That the State Money Transmission Regulators may collectively or individually request and receive any information or documents in the possession of the Executive Committee or the MMET. This Agreement shall not limit ACI’s obligations, as a licensee of the State Money Transmission Regulators, to cooperate with any examination or investigation, including but not limited to, any obligation to timely provide requested information or documents to any State Money Transmission Regulator.
VI. GENERAL PROVISIONS
Effective Date. That this Agreement shall become effective upon execution by all of the State Money Transmission Regulators for the Participating States and when posted on the NMLS (the “Effective Date”).
Public Record. That this Agreement shall become public upon the Effective Date.
Binding Nature. That the terms of this Agreement shall be legally binding upon ACI and its successors and assigns as long as the relevant ACI entity is engaged in licensed activity. The provisions of this Agreement shall remain effective and enforceable except to the extent that, and until such time as, any provisions of this Agreement shall have been modified, terminated, suspended, or set aside, in writing by mutual agreement of the State Money Transmission Regulators collectively and ACI or ACI ceases to engage in licensed activity.
Standing and Choice of Law. That each State Money Transmission Regulator has standing to enforce this Agreement in the judicial or administrative process otherwise authorized under the laws and regulations of the corresponding Participating State. Upon entry, this Agreement shall be deemed a final order of each respective State Money Transmission Regulator unless adoption of a subsequent order is necessary under the laws of the corresponding Participating State. In the event of any disagreement between any State Money Transmission Regulator and ACI regarding the enforceability or interpretation of this Agreement and compliance therewith, the courts or administrative agency authorized under the laws of the corresponding Participating State shall have exclusive jurisdiction over the dispute, and the laws of the Participating State shall govern the interpretation, construction, and enforceability of this Agreement.
Adoption of Subsequent Orders to Incorporate Terms. That a State Money Transmission Regulator, if deemed necessary under the laws and regulations of the corresponding Participating State, may issue a separate administrative order to adopt and incorporate the terms and conditions of this Agreement. In the event a subsequent order amends, alters, or otherwise changes the terms of the Agreement, the terms of the Agreement, as set forth herein, will control.
Privilege. That this Agreement shall not constitute a waiver of any applicable attorney-client or work product privilege, examination privilege, confidentiality, or any other protection applicable to any negotiations relative to this Agreement.
Titles. That the titles used to identify the paragraphs of this Agreement are for the convenience of reference only and do not control the interpretation of this Agreement.
Final Agreement. That this Agreement is the final written expression and the complete and exclusive statement of all the agreements, conditions, promises, representations, and covenants between the Parties with respect to the subject matter hereof, and supersedes all prior or contemporaneous agreements, negotiations, representations, understandings, and discussions between and among the Parties, their respective representatives, and any other person or entity, with respect to the subject matter covered herein, excepting therefrom any proceeding or action if such proceeding or action is based upon facts not presently known to a State Money Transmission Regulator. The Parties further acknowledge and agree that nothing contained in this Agreement shall operate to limit a State Money Transmission Regulator’s ability to assist any other Local, State or Federal Agency, Department or Office with any investigation or prosecution, whether administrative, civil or criminal, initiated by any such Agency, Department or Office against ACI or any other person based upon any of the activities alleged in these matters or otherwise.
Waiver. That the waiver of any provision of this Agreement shall not operate to waive any other provision set forth herein, and any waiver, amendment and/or change to the terms of this Agreement must be in writing signed by the Parties.
Enforcement; No Private Right of Action Created. An enforcement action under this Agreement may be brought solely by the State Money Transmitter Regulators. No provision of this Agreement shall be construed as providing a private right of action to enforce the terms of this Agreement, nor shall any provision of this Agreement be construed as a release of any claim that a Consumer may have against ACI. The provisions of this Agreement are enforceable by the Participating State Mortgage Transmitter Regulators. The Participating State Mortgage Transmitter Regulators, jointly or individually, may make such application as appropriate to enforce or interpret the provisions of this Agreement or, in the alternative, may maintain any action within their legal authority. In any action to enforce this Agreement, the State Mortgage Transmitter Regulators may seek any appropriate relief authorized by law.
Costs. That except as otherwise agreed to in this Agreement, each party to this Agreement will bear its own costs and attorneys’ fees associated with this enforcement action.
Notices. That any notice to ACI and/or the State Money Transmission Regulators required or contemplated by this Agreement shall be delivered, if not otherwise described herein, by electronic copy to ACI through the “Primary Company Contact” for ACI Payments listed in the Nationwide Multistate Licensing System (NMLS), or similar contact system, and to the State Money Transmission Regulators by direct written notification.
Counterparts. That this Agreement may be executed in separate counterparts, by facsimile or by PDF. A copy of the signed Agreement will be given the same effect as the originally signed Agreement.
That nothing in this Agreement shall relieve ACI of its obligation to comply with applicable State and Federal law.
It is so ORDERED.
IN WITNESS WHEREOF, in consideration of the foregoing, including the recital paragraphs, and with the Parties intending to be legally bound, do hereby execute this Agreement this 16th of October, 2023.
Source: https://dlr.sd.gov/banking/legal/documents/aci-payments-inc-settlement-and-consent-order.pdf