Requirements for Equifax Synthetic ID Fraud Alert

1. These terms and conditions apply to Client’s receipt of and use of the Synthetic Fraud Alerts, as described below, and Client acknowledges it will request and receive the Synthetic Fraud Alert, subject to the terms of the additional terms and conditions set forth below.

2. Synthetic ID Alerts provide flags and attributes that can help identify synthetic identity fraud through the use of aggregated and anonymous authorized user transactions from a separate anonymous database of potential synthetic identity fraud transactions that may have association with the subject consumer.

3. When Synthetic ID Alerts are delivered with a credit report, Synthetic ID Alerts includes authorized user output fields (Authorized User Velocity & ID Discrepancy flags plus other associated authorized/terminated user counts) and a Final assessment flag. Although Synthetic ID Alert are not consumer reports, this version of the Synthetic ID Alert may only be purchased at the same time that Client purchases a consumer report in connection with the extension of credit or account review.

4. Synthetic ID Alerts are for identity fraud risk alert purposes only and are not to be used for determining an individual’s eligibility for credit or any other FCRA permissible purpose or in any way for the purpose of taking “adverse action,” in whole or in part, against a consumer, as defined in the ECOA and. Regulation B, or for suspending a consumer’s account. As such Client will not use the Synthetic ID Alert in its decision-making process for denying credit but will use the Synthetic ID Alerts as an indication that the consumer’s identity and personally identifiable information should be independently verified to form a reasonable belief that Client knows the true identity of the consumer. Client certifies that it shall use the Synthetic ID Alerts exclusively within Client’s own organization for the purpose of identity fraud prevention and for no other purpose. Client will not resell or otherwise redistribute the Synthetic ID Alerts.

5. Client understands that the information supplied by Synthetic ID Alerts may or may not apply to the consumer who has applied to Client for credit, service, dealings, or other financial transactions.

6. Client also understands and agrees that the information contained in the Synthetic ID Alerts is proprietary to Equifax and shall not be used as a component of any database or file build or maintained by Client. The use of each Synthetic ID Alert shall be limited to one time use in conjunction with the specific transaction for which the Synthetic ID Alert is requested and provided. Client’s obligations with regard to the use of the Synthetic Fraud Alerts will survive any termination for as long as the Synthetic ID Alerts are in Client’s custody or control. EQUIFAX MAY, BY WRITTEN NOTICE TO CLIENT, IMMEDIATELY TERMINATE OR SUSPEND THE PROVISION OF THE SYNTHETIC ID ALERT SERVICE IF EQUIFAX HAS A REASONABLE BELIEF THAT CLIENT HAS VIOLATED THE TERMS AND CONDITIONS APPLICABLE TO THE SYNTHETIC ID ALERTS.

7. Equifax, and its data suppliers (including government agencies) (a) makes no warranty, express, implied or statutory, and specifically disclaims all warranties with respect to the Limited Access Death Master File information incorporated into the Synthetic ID Alerts (the “Death Master Flag”), including but not limited to, implied warranties of merchantability and fitness for any particular use or that use of the Death Master Flag constitutes compliance with any law or regulation; (b) assume no liability for any direct, indirect or consequential damages flowing from any use of any part of the Death Master Flag, including infringement of third party intellectual property or privacy rights; and (c) assume no liability for any errors or omissions in the Death Master Flag. The Death Master Flag contains inaccuracies. As such, neither Equifax, NTIS, nor the Social Security Administration which provides the Death Master Flag to NTIS, guarantees the accuracy of the Death Master Flag. The LADFM does not contain death records for all deceased persons. Therefore, the absence of a particular person in the Death Master Flag is not proof that the individual is alive. Further, it is possible for the records of a person who is not deceased to be included erroneously in the Death Master Flag. Client acknowledges and agrees that the Death Master Flag does not guarantee the identity of or information regarding any individual and that Client has processes in place to independently verify the information provided in the Death Master Flag.

8. Specifically with regard to the Death Master Flag included with the Synthetic ID Alerts, Client certifies that:

(I) Its access to the Death Master Flag is appropriate because Client (i) has a legitimate fraud prevention interest, a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty; (ii) has systems facilities, and procedures in place to safeguard such information, and experience in maintaining the confidentiality, security, and appropriate use of such information, (iii) agrees to satisfy such similar requirements, and (iv) it will provide a renewal certification from time to time upon request from Equifax.

(II) It will not share the Death Master Flag with any person or entity unless they first meet the requirements of this section. Client understands that any successful attempt by any person to gain unauthorized access to or use of the Death Master Flag that Equifax may immediately terminate Client’s access to the Synthetic ID Alerts. In addition, any successful attempt by any person to gain unauthorized access may under certain circumstances may result in penalties as prescribed in 15 CFR § 1110.200 levied on Client and the person attempting such access.

Client will take appropriate action to ensure that all persons accessing the Death Master Flag through it are aware of their potential liability for misuse and/or penalties for attempting to gain unauthorized access. Any such access or attempted access is a breach, or attempted breach, of security, and Client must immediately report such events to Equifax.

1. Client will provide, at a minimum, the fields noted as “Required.” ** If only last 4 digits of SSN are provided on input, the following flags cannot be returned: Shared SSN (Name), SSN Verified, Invalid SSN and Death Master Hit Flags.

Client, at its own expense, will prepare and deliver to Equifax at mutually agreed to intervals (but no less than every ninety (90) days) and in a mutually agreeable form and medium its most current identity fraud performance feedback data (" Feedback Data"). Feedback Data will be used to configure and enhance the performance of products and services related to potentially fraudulent activity. For purposes of this Addendum, “performance” means identity fraud outcome of decisions at time of origination or account management. Client will encrypt all Feedback Data as directed by Equifax and comply with such data security policies as Equifax may from time to time make known to Client in writing. Client hereby grants to Equifax a perpetual, irrevocable right and license to use, distribute, modify, create derivative works from, and copy the Feedback Data, combine the Feedback Data with other data, incorporate the Feedback Data into current and future databases, use the Feedback Data to develop and enhance products and services, and share the Feedback Data with third parties in conjunction with the evaluation of products and services. Feedback Data provided to Equifax hereunder shall only be subject to the license provided herein and shall not be deemed Client Data or Client Confidential Information. Client will notify Equifax upon learning that any Feedback Data supplied is inaccurate or incomplete. Client will provide Equifax with any corrections or additional Feedback Data necessary to make the Feedback Data supplied complete and accurate and will implement procedures