Terms of Use
Merchant Services Agreement
The terms and conditions outlined in this Merchant Services Agreement (“MSA”) pertain to the FINCRA Framework Agreement (“FFA”) and apply to FINCRA’s platform and services. Any translation of the FFA, MSA, or other FINCRA agreements, contracts, or documents is provided for convenience only and may not accurately represent the information in the original English language version of such document.
By using the Service(s), You agree to (i) be legally bound by the FFA (if executed by you) and other applicable agreements for FINCRA’s various services that You may use; (ii) be legally bound by the pricing on our website or otherwise agreed with you in writing; (iii) agree to receive all agreements, communications, contracts, disclosures, notices, and any other items electronically to either the email address(es) You provided to FINCRA or any other email addresses you may subsequently provide to FINCRA, via FINCRA’s platform and/or website.
You agree to provide (i) certain data about You, (ii) your Legal Representative, and (iii) any other information FINCRA may require to provide the service(s).
This MSA comprises:
- The general terms and conditions (“Terms and Conditions”);
- The Services schedule (“Service Schedule”);
- The General schedules (“General Schedules”);
- Data Processing Agreement (“DPA”).
TERMS AND CONDITIONS
DEFINITIONS AND INTERPRETATION
In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:
- “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
- “API” means Application Programming Interface.
- “Business Day” means a day other than a Saturday, Sunday or public holiday on which banks are open for general business as communicated by us.
- “Card Scheme” means Visa, Verve, Mastercard or any other applicable card scheme.
- “Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests of the entity in question. The term “Controlled” shall be construed accordingly.
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- “Data” means the quantities, characters, or symbols on which operations are performed by a computer, which may be stored and transmitted in the form of electrical signals and recorded on magnetic, optical, or mechanical recording media.
- “Data Protection Laws” means all applicable data protection laws and regulations applicable to a Party’s processing of Personal Data under this Agreement.
- “Data Subject” means a natural person who can be identified directly or indirectly by reference to the Personal Data collected by the Parties.
- “Further Guidance” means all internal or external documents, guidance, policies, and processes outlined or issued by FINCRA and communicated to You in relation to the Solution and services.
- “Parties” means You and FINCRA.
- “PCI Standards” means the information security standards administered by the Payment Card Industry Security Standards Council.
- “Personal Data” means any information relating to a Data Subject and containing an identifier such as a name, an identification number, location data, photo, email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to Media Access Control (MAC) address, Internet Protocol (IP) address, International Mobile Equipment Identity (IMEI) number, International Mobile Subscriber Identity (IMSI) number, Subscriber Identification Module (SIM). Personal Data shall include any online identifier or any one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.
- “Processing” and “process” either mean any activity that involves the use of Personal Data or as the Data Protection Laws may otherwise define processing or process. It includes any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organising, structuring, storing, adapting or altering, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- “Security Incident” means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorised disclosure of or access to, Personal Data transmitted, stored or otherwise processed;
- “Security Measures” means processes adopted by each Party to protect its Data. Such measures include but are not limited to protecting systems from hackers, cyberattacks, viral attacks, data theft, damage by rain, fire or exposure to other natural elements. These measures also include setting up firewalls, storing data securely with access to specific authorised individuals, employing data encryption technologies, developing organisational policy for handling personal data (and other sensitive or confidential data), protection of email systems and continuous capacity building for staff.
- “Sensitive Data” means (a) financial, genetic, biometric or health information; (b) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (c) other information that falls within the definition of "special categories of data" under applicable Data Protection Laws.
- “Solution” means FINCRA’s API, website, applications, and other software provided and/or used by FINCRA for the provision of the Service(s).
- “Sub-processor” means any processor engaged by a Processor or its Affiliates to assist in fulfilling its obligations with respect to providing service according to this Agreement. Sub-processors may include third parties or Affiliates of the Processor but shall exclude the Processor’s employees or consultants.
Words denoting the singular number only shall include the plural and vice versa. Words denoting any gender include all genders and words denoting persons shall include firms and corporations and vice versa.
The provisions of the Schedules and Annexure to this Agreement shall form part of this Agreement as if set out here. Where there is a conflict or inconsistency between the provisions of this MSA, FFA and Terms and Conditions on the website, the order of superiority shall be (1) MSA and (2) FFA and (3) Terms and Conditions.
SERVICES
FINCRA shall provide the services described in the FFA or as described in the Service Schedule.
INTELLECTUAL PROPERTY RIGHTS
Subject to the provisions of this Agreement, FINCRA grants you and you accept a limited, non-exclusive, non-transferable, non-assignable Licence to use the Solution for your internal use only. You shall not and shall not permit your affiliates or any third party to translate, decompile, recompile, reverse engineer, update or modify all or any part of the Solution or merge the Solution into any other solution. Except as provided in this Agreement, no other Licence under any patents, copyrights, trademarks, trade secrets or any other intellectual property rights, express or implied, is granted by FINCRA to You under this Agreement. All patents, copyrights, circuit layouts, mask works, trade secrets and other proprietary rights in and/or related to the Solution are and will remain the exclusive property of FINCRA, whether or not specifically recognized or perfected under the laws of the jurisdiction in which the Solution is used or licensed. You will not take any action (e.g., decompile, alter, or reverse engineer) that jeopardizes FINCRA’s proprietary rights in the Solution or acquire any right in the Solution. You shall not allow any third party to have access to the Solution or derivative works from the Solution without FINCRA’s prior written consent. Unless otherwise agreed on a case-by-case basis, FINCRA will own all rights in any copy, translation, modification, adaptation or derivation of the Solution or other items of Confidential Information, including any improvement or development thereof. You will obtain, at FINCRA’s request, the execution of any instrument that may be appropriate to assign these rights to or perfect these rights in FINCRA’s name. You grant FINCRA the right to use your company’s/corporate name or/and logo (“Logo”) on FINCRA’s website, or in any marketing materials.
FEES AND PAYMENT TERMS
The sums to be paid by You to FINCRA under this Agreement are as set out in the FFA or on the website. By accepting this Agreement, you confirm you have read and agree to pay us the relevant Fees as set out in the FFA (where applicable), website or any other documents. All fees are exclusive of applicable taxes and duties which shall be borne by You. FINCRA may amend the fees payable under this Agreement at any time and shall give You notice of such changes.
FINCRA may recover and withhold from You:
- any Refunds;
- any Chargebacks;
- any Fines;
- any amounts required to cover:
- potential or expected Refunds, Chargebacks, Chargeback Costs, Fines, taxes, levies, VAT, withholding taxes, any liability or potential liability relating to a transaction or this Agreement;
- any other charges or amounts incurred by or due to FINCRA under or in connection with this Agreement.
- The exercise by FINCRA of any of its rights under this clause shall be without prejudice to any other rights or remedies (including but not limited to set-off) to which FINCRA or its Affiliates are otherwise entitled (by operation of law, contract, or otherwise).
SET-OFF
FINCRA may set off any debts or liabilities due from You or your Affiliates to FINCRA or any of FINCRA’s Affiliates under this Agreement against any debts or liabilities owed by FINCRA or any of its Affiliates to You or your Affiliates, regardless of the place of payment or currency of either obligation. If the obligations are in different currencies, then FINCRA may convert either obligation at a market rate of exchange in its usual course of business for the purpose of the set-off.
FINCRA may charge You interest in respect of payment of any sum due under this Agreement. FINCRA may suspend the processing of any transaction, and/or any connected transaction, or withhold settlement until the satisfactory completion of any investigation if FINCRA has reasonable suspicion that a transaction may be fraudulent or involve other criminal activity. You shall not be entitled to claim or demand any interest or other compensation whatsoever in respect to any such suspension or delay.
WARRANTIES AND DISCLAIMER
- You warrant that all corporate action required to enter into this Agreement and the exercise of your rights and the performance of your obligations under this Agreement have been duly taken.
- You warrant that You are duly registered and have the full capacity and corporate authorisation to enter into this Agreement and discharge the obligations and responsibilities created herein.
- You warrant that You have the required licenses and regulatory approvals to conduct your business and enter into this Agreement.
- You will use the services in accordance with the terms of this Agreement, all applicable law, Card Scheme Rules and Further Guidance. In particular, You will not use the services in a manner that could result in a violation of anti-money laundering, counter-terrorist financing, and similar legal and regulatory obligations.
- You shall comply with any technical specifications available on FINCRA’s website, which FINCRA reserves the right to modify at any time.
- You will keep FINCRA indemnified against all actions, claims, proceedings and all legal costs or other expenses arising out of any breach of the above warranties or out of any claim by a third party based on any facts which if substantiated would constitute such a breach or a breach of other relevant legal or settlement obligation or contractual duty.
- FINCRA warrants to You that no element of the Solution or services constitutes a breach of any patent, copyright, or other intellectual property in its country of operation.
- FINCRA neither warrants that the operation of the Solution or any ancillary products or services will be uninterrupted nor error-free nor will it be 100% fraud or fail-proof.
- Except as outlined in this Agreement, FINCRA makes no express or implied representations or warranties concerning the Solution or its condition, merchantability, or fitness for any particular purpose or use by You.
- FINCRA disclaims and excludes any warranty that is not expressly stated in this Agreement.
- You and FINCRA warrant that you are not contemplating or in the process of being wound up.
INDEMNITY
You hereby agree to indemnify and hold harmless FINCRA in respect of all claims, demands, damages, losses, liabilities, expenses, costs, suffered or incurred by FINCRA arising out of or in connection with any default or omission by You in the performance of any of your obligations hereunder or as referred to in this Agreement, or use of the Solution.
LIMITATION OF LIABILITY OF FINCRA
Except as set out in this Agreement, FINCRA excludes all conditions, warranties and representations, expressed or implied by (i) statute, (ii) common law or (iii) otherwise, in relation to the Solution and services provided hereunder.
FINCRA is not liable to You under any circumstance, whether for negligence, breach of contract, misrepresentation or otherwise, for:
- loss or damage which is incurred by You as a result of:
- third party claims;
- viruses, malware, IP spoofing, exposure of API keys, fraudulent or malicious attacks, disruptive codes, power cuts or service interruptions or other IT or hardware or software problems or faults;
- decisions by any relevant court, regulatory or other authority or the operation of Applicable Law; and/or
- loss of profit, goodwill, business opportunity or anticipated saving suffered by You;
- indirect, consequential, punitive, exemplary or similar loss or damage (including damage to reputation) suffered by You; and/or
- loss or damage which may be the consequence, wholly or partially, of a breach of the Agreement by You.
The entire liability of FINCRA under or in connection with this Agreement whether for negligence, breach of contract, misrepresentation or otherwise, is limited to the total Fees earned by FINCRA under this Agreement during the one (1) month period immediately preceding the date the first of such claim arose. Nothing in this Agreement shall operate to exclude or restrict the liability of FINCRA for death or personal injury where such liability cannot be lawfully excluded or limited. Notwithstanding any provision to the contrary, FINCRA shall not be liable in the event that abnormal and unforeseeable circumstances beyond its control prevent it from fulfilling its obligations under this Agreement. No liability shall be raised against FINCRA more than One (1) year after the accrual of the cause of such liability. The limit of liability expressed in this entire clause applies irrespective of the number of claims. FINCRA shall not be liable for any loss which occurs during a routine maintenance of its Solution, of which it has given You notice. FINCRA will not be liable for the actions or inactions of any third party not acting on the instructions of FINCRA; neither will FINCRA be liable for the actions nor inactions not directly traceable to it. This entire clause of Limitation of Liability shall survive the termination of this Agreement.
RELATIONSHIP BETWEEN PARTIES
This Agreement shall not in any way constitute a partnership or joint venture between You and FINCRA or constitute either Party an Agent of the other. The relationship between You and FINCRA is on a principal-to-principal basis only. This Agreement is not intended to confer on any person other than You and FINCRA any express or implied benefit or burden.
CONFIDENTIALITY
You and FINCRA shall treat as confidential all confidential information and shall not divulge such confidential information to any person (except as provided for in this Clause) without the other Party’s prior written consent. The Receiving Party shall be responsible for any breach of the obligations of confidentiality by its representatives and/or affiliates.
The Receiving Party may disclose Confidential Information only:
- as required by law or by any regulation or similar provision, provided that the Receiving Party, where possible, gives the Disclosing Party not less than seven (7) Business Days written notice of such disclosure to enable the Disclosing Party to take whatever steps it deems necessary to protect its interest in this regard;
- and shall to the extent possible disclose only the portion of the information necessary;
- to its representatives who need to know it strictly for the purpose of carrying out that Party’s obligations under this Agreement, on the basis that such representatives will keep the same confidential on the terms of this Agreement; or
- to its affiliates.
For this purpose, the term “Confidential Information” means all information relating to the Disclosing Party which is obtained, whether in writing, pictorially, in machine readable form or orally or by observation in connection with this Agreement, including but without limitation, financial information, know-how, processes, ideas, intellectual property schematics, trade secrets, technology and other customer-related information, sales statistics, market, market intelligence, marketing and other business strategies and other commercial information of a confidential nature but does not include information which is known to the Receiving Party without any limitation or restriction on use or disclosure before receipt of such information from or on behalf of the disclosing party or becomes publicly available, other than as a breach of this Agreement, or becomes lawfully available to the Receiving Party from a third party free from any confidentiality restriction or any information required to be disclosed under any relevant law or any binding judgment or order of court or arbitration tribunal or any stock exchange regulations or under direction from any relevant regulatory authority or law enforcement agents, or was developed by the receiving party or its affiliates independently of the Confidential Information received from the disclosing party hereunder. The obligations as to confidentiality shall survive the termination of this Agreement for a period of 3 years after the termination of this Agreement.
You agree to maintain the applicable Payment Card Industry Data Security Standard (PCI DSS) requirements to the extent that You shall possess or otherwise store, process, or transmit cardholder data under this Agreement.
FORCE MAJEURE
If any of the parties hereto is prevented from fulfilling its obligations under this Agreement because of any supervening event beyond its control (including but not limited to an Act of God, Natural Disaster, or Civil Disorder) (“Force Majeure Event”), the Party unable to fulfil its obligations shall immediately give notice in writing of this to the other party and shall do everything in its power, including but not limited to accepting assistance from 3rd parties and/or the other Party, to resume full performance. As soon as reasonably possible after the start of the Force Majeure Event, the affected Party shall notify the other Party in writing of the details and effect of the Force Majeure Event. As soon as reasonably possible after the end of the Force Majeure Event, the Affected Party shall resume the performance of its obligations under this Agreement. If the period of incapacity exceeds two months, either Party may terminate this Agreement.
TERM AND TERMINATION
Term
This Agreement shall commence from the date of acceptance or posting and shall remain in force until terminated by either Party in accordance with this Agreement.
Either Party may terminate this Agreement at any time by giving 30 days’ notice in writing to the other Party.
Either Party may terminate this Agreement forthwith by giving notice in writing to the other Party if the other Party shall have a receiver or administrative receiver appointed or shall pass a resolution for winding-up (otherwise than for a bona fide scheme of solvent amalgamation or reconstruction) or shall cease or threaten to cease carrying on business or a court of competent jurisdiction shall make an order to that effect.
Regardless of any other provision of this Agreement, FINCRA reserves the right to terminate this Agreement forthwith or suspend access to the Solution or service(s) by notice to You if:
- it is required or requested to do so by any regulatory authority;
- You fail to comply with any applicable laws;
- You fail to comply with any term of this Agreement;
- You fail to comply with access and/or interface specifications as communicated by FINCRA;
- FINCRA is required to do so by a Card Scheme or payment partner;
- Fraud is committed by your customer;
- Fraud is committed due to your act and/or omission;
- You fail to pay any sums under this Agreement by the payment due date;
- anything happens to You or a matter is brought to the attention of FINCRA which in its absolute discretion, it considers may affect your ability or willingness to comply with all or any of your obligations or liabilities herein;
- FINCRA, in its absolute discretion, determines that the relationship with your business represents an increased risk of loss or liability;
- You did not submit complete and/or accurate Know Your Customer documents; and/or
- any fines or any other claims are brought against FINCRA by any Card Scheme, financial institution or any other third party arising from any aspect of the parties’ relationship (including in connection with any security breach, compromise or theft of Data held by You or on your behalf irrespective of whether such security breach, compromise or theft of Data was within or outside your control).
In the event of a suspension, FINCRA shall notify You in writing of the details thereof and if the breach and/or non-compliance is capable of remedy, of the requirements and the timeframe for same, that must be met by You for the suspension or restriction to be lifted. In the event of the remediation of a breach and/or non-compliance, FINCRA shall reinstate the suspended or restricted access within forty-eight (48) hours of You having complied with the requirements communicated to You by FINCRA. Any costs incurred consequent upon the suspension, restriction and/or reinstatement of the access shall be borne by You.
NOTICES
Save as stated otherwise elsewhere in this Agreement, any notice required in connection with this Agreement shall be in writing and shall be addressed to [email protected] for FINCRA and in your case, to the email You provided at onboarding.
Unless there is evidence that it was received earlier or later, a notice is deemed given:
- if sent by electronic mail, the next Business Day assuming that no notification of failure to deliver the electronic mail was received by the sending party;
- if sent by registered first class post, 7 Business Days after posting it.
ADDITIONAL SERVICES
From time to time, FINCRA may offer additional services with a view to supporting You in your business (the “Additional Services”). These Additional Services may be subject to separate terms and conditions which will be provided to you before you opt-in. Where an Additional Service includes a Fee, FINCRA will specify this to You and ensure that You first opt into any such additional Fee.
AUDIT/INSPECTION
You warrant to FINCRA that You have or shall upon the coming into effect of this Agreement, engage an independent consultant with the necessary expertise to undertake a systems and compliance audit which shall be conducted on a yearly basis to ensure adequate controls, safeguards, security and effective internal controls to protect the integrity of the information technology and related systems of FINCRA. A copy of the audit report shall be provided to FINCRA immediately upon the conclusion of each audit. You undertake that the systems audit shall be carried out in accordance with the International Standard on Auditing or other similar internationally recognized systems auditing standards. Where this is unavailable or inadequate, FINCRA or its authorised representative reserves the right to conduct such audit.
FINCRA is required by the rules of the applicable Card Schemes to appoint at any time an authorised representative/auditor to conduct a systems and/or compliance audit of You (upon reasonable notice), notwithstanding that You have confirmed to FINCRA that You have conducted an audit. You undertake to cooperate fully with and grant FINCRA’s representative full access to your operations and relevant documentation to conduct the audit. You shall also permit the authorised representatives of FINCRA and/or Card Schemes to carry out physical inspections of your place(s) of business or other facilities to verify if You comply with your obligations hereunder. If You refuse such inspection or provide inaccurate, untrue, or incomplete information, or fail to comply with the terms and conditions of this Agreement, FINCRA reserves the right to suspend access to the Solution or terminate the Services with immediate effect.
MODIFICATIONS
FINCRA may modify any terms of this Agreement and provide notice (including posting such modification on its website www.fincra.com) to You to comply with any regulatory or legal requirements, directives, rules or instructions of a Card Scheme or a payment partner or regulatory authority. FINCRA may also modify any part of the services or Solution or Solution feature at any time and notify You or post the same on this website. Notification for the purposes of this clause shall be valid if posted on FINCRA’s website or sent via email to your registered email with FINCRA.
WAIVER
The respective rights of the Parties under this Agreement shall not be capable of being waived or varied otherwise than by an express waiver or variation in writing. Failure to exercise or any delay in exercising any rights under this Agreement shall not operate as a waiver or variation of that or any other such right; any defective or partial exercise of any of such rights shall not preclude any other or further exercise of that or any other such right; and no act or course of conduct or negotiation on the part of either Party shall preclude them from exercising any such right or constitute a suspension or variation of such right.
SEVERANCE
If any provision of this Agreement is declared by any applicable law, judicial or other competent authority to be void, voidable, illegal or otherwise unenforceable or irrelevant, it shall, to the extent required by such law or authority, be severed from this Agreement and rendered ineffective so far as is possible without modifying the remaining provisions of this Agreement.
NO ASSIGNMENT
Your rights, benefits or obligations under this Agreement may not be assigned or otherwise transferred in whole or in part without the prior written consent of FINCRA. However, FINCRA may assign or transfer in whole or part without your prior written consent, all or any part of this Agreement PROVIDED that FINCRA shall remain liable to you for the actions of such assignees as if it was FINCRA providing the services.
FURTHER ASSURANCES
At all times after the date hereof the Parties shall at their own expense execute all such documents and do such acts and things as may be reasonably required for the purpose of giving full effect to this Agreement.
WHOLE AGREEMENT
This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes any prior written or oral agreement between You and FINCRA in relation to its subject matter and the Parties confirm that they have not entered into this Agreement upon the basis of any representations that are not expressly incorporated herein.
INDUCEMENT AND ANTI-CORRUPTION
FINCRA complies with all anti-bribery and anti-corruption Laws in any relevant jurisdiction and all applicable anti-bribery and anti-corruption regulations and codes of practice. You shall not offer or give any FINCRA employee or third Parties any gratification, bribe or consideration of any kind as an inducement or reward for doing or not doing or having done or omitting to do a favour or for a disfavour done to another in the discharge of official duty, duties or in relation to any matter connected with his/her job functions or relating to the business of FINCRA. Any breach of the terms of this clause by You or by your employees, Subcontractors, agents or anyone acting on their instructions (whether with or without your knowledge) shall entitle FINCRA to terminate this Agreement forthwith. Termination shall be without prejudice to other remedies available to FINCRA at law. You owe FINCRA a duty to report any violation of this clause by FINCRA’s employees, agents or representatives to FINCRA via FINCRA’s anonymous whistleblowing channel [email protected] phone +2348037452930.
RESERVE BALANCE
You understand that FINCRA may require You to maintain a minimum amount (“Reserve Balance”) from time to time as a condition of continued access and use of any of the services in the Services Schedule or FFA. You understand that FINCRA may, at its discretion or as may be required by its payment partners, draw upon the Reserve Balance to cover your liability to FINCRA in the course of your use of any of the services. For the avoidance of doubt, You hereby authorise FINCRA to debit the Reserve Balance to the extent of any sum owed to FINCRA under this Agreement either as cost of FINCRA’s provision of the services under this Agreement or otherwise. Where You fail to maintain the requisite Reserve Balance, FINCRA reserves the absolute right, without limitation, to suspend any of the services to You or terminate this Agreement. FINCRA reserves the right to cause the Reserve Balance to be held for up to 180 days following the termination of this Agreement or for such additional time as may be required to ensure that FINCRA is not exposed to liability pursuant to this Agreement.
NON-CIRCUMVENTION
You hereby agree not to in any way or through any affiliate, partner, employee or agent directly or indirectly circumvent FINCRA in relation to the services contemplated under this Agreement. You further agree that You shall not enter into any Agreement with any third party introduced by Fincra or used by Fincra for the provision of any services under this Agreement. This obligation shall survive the termination of this Agreement for a period of 2 years. Breach of this clause shall entitle Fincra to 100% of all the profit derived by You from the business with interest.
ERRONEOUS DEPOSIT/PAYMENT
FINCRA shall have no duty or responsibility to enforce the collection or return or demand payment of any funds deposited into any customer account or wallet pursuant to the services herein.
DATA PRIVACY AND INFORMATION SECURITY
FINCRA is ISO 27001:2022, ISO 22301:2019, NDPC, and PCI DSS certified. In addition to the certifications, FINCRA has implemented data loss prevention measures, access control, security audits, secure data transfer to certification partners and organisational policies to ensure protection of its information and other related assets as well as yours. You shall also protect FINCRA data and information assets with relevant technical and organisational measures as well as compliance with applicable regulatory standards.
The information security requirements below apply to You and FINCRA:
-
Compliance with ISO 27001:2022, ISO 22301
-
Establishment of controls for possible risks via Risk Assessment process
-
Notification of any incident/data breach without any undue delay
-
Commitment to information security and data privacy and protection.
-
Establishment of acceptable use of information systems assets
ABUSE OF API
You acknowledge that your API credentials are confidential and intended solely for your use in accordance with the Agreement. You shall protect the API credentials and shall not share, sell, transfer, or disclose the API credentials to any third party without the prior written consent of FINCRA. You agree not to interfere with the API operations (reverse engineer, decompile, disassemble, or attempt to derive the source code of the API) and shall prevent unauthorised access or misuse of the API credentials. You further agree that any unauthorised use of the API credentials by You or your customers will be a material breach of this Agreement. In the event of such material breach, FINCRA may immediately suspend or terminate your access to the API/Service and/or unilaterally terminate the Agreement without notice. You agree to indemnify and hold FINCRA harmless from any claims, damages, losses, or expenses (including attorney’s fees) arising out of or related to Your or Your customer’s breach of this clause.
SERVICES SCHEDULE
a. Collections and Payouts
The Collection service enables You to receive payments from your customers and third parties. The Payout service enables You to make payments to your customers and third parties.
-
YOUR OBLIGATIONS
You shall:
-
Not use the VBAs to facilitate prohibited or illegal transactions.
-
Ensure that sending accounts do not belong to sanctioned entities or individuals and are not domiciled in sanctioned countries.
-
Ensure that You have adequate controls, safeguards and information technology security for the operation of your platform against malware, viruses and other threats.
-
Update Your records with FINCRA as often as changes occur.
-
Advise FINCRA of your nominated settlement account or settlement wallet details.
-
Be responsible for maintaining adequate security and control of all IDs, passwords, or any other codes that You use to access the Solution or services.
-
Comply with all acceptable use policies communicated by FINCRA.
-
Not infringe FINCRA's or any third party's intellectual property or privacy rights.
-
Not use FINCRA’s Solution or services for any illegal or suspicious activity and/or transactions.
-
Not use an anonymizing proxy or other automated devices or manual processes not authorised by FINCRA to access, monitor or alter FINCRA’s Solution or services.
-
Be fully responsible for correct integration to the FINCRA Solution. FINCRA will however provide implementation support.
-
Be solely responsible for the authentication and approval of all transactions initiated via the Solution.
-
Be liable for any use of the passwords or other identification used to access the Solution or services.
-
Notify FINCRA of any security breach, misuse, irregularity, suspected fraudulent transaction or suspicious activities that may be connected with attempts to commit fraud or other illegal activity during the term of this Agreement.
-
Be solely responsible to your customers.
-
Provide all relevant information on the transactions covered under this Agreement to enable the processing of the transactions via the FINCRA network.
-
Comply with all applicable laws and any relevant Card Scheme Rules.
-
Not act in contravention of or cause FINCRA to act in contravention of any Card Scheme Rules to which FINCRA is subject.
-
Only accept payments and/or process Refunds:
-
from customers in connection with goods and/or services supplied by You;
-
in respect of goods and services which:
-
commonly fall within your business as identified in your request to FINCRA for the services;
-
in respect of goods or services the customer would reasonably expect to receive; and
-
in respect of goods or services the provision of which is in accordance with applicable law.
-
Solely be responsible for ensuring the correct implementation, installation, integration, security, and operation of all systems, equipment, software, and telecommunications and use of the Services on your own platform.
-
Provide immediate notice of (i) any unauthorized third-party use of the Services; and/or (ii) any event which might lead to such unauthorized use.
-
Take all reasonable steps to assist FINCRA in handling any claim or query raised by any third party or regulator in connection with the Services.
-
Immediately notify FINCRA of any act, omission or error which does or may adversely affect your ability to perform your obligations under this Agreement or cause loss or damage to FINCRA (including but not limited to any material change in the nature or extent of your business).
-
You acknowledge and agree to abide by and ensure that all equipment and software You use in connection with the transactions and the storage and/or processing of Data complies with, any payment application data security standards of any relevant Card Scheme as updated from time to time. You shall ensure that any of your agents, sub-contractors or any third parties are aware of and shall comply with the terms of this Agreement.
-
Immediately notify FINCRA on becoming aware of any actual or suspected security breach relating to any Data. As soon as reasonably practicable, You shall identify and remediate the source of such a security breach and take any additional steps required by FINCRA. This clause shall not prejudice any other remedies available to FINCRA under this Agreement.
-
Comply with any additional security, authentication, risk control, or other requirements imposed by a regulator, FINCRA or a Card Scheme, including but not limited to where you are, in the opinion of FINCRA and/or the Card Scheme, engaged in high-risk activities.
-
Not engage in any practice prohibited by any of the Card Scheme Rules unless permitted by applicable law.
-
Not make any warranty or representation whatsoever in relation to FINCRA’s Solution which may bind FINCRA or make it liable in any way whatsoever.
-
Implement or sign up to a fraud monitoring solution as may be required by FINCRA.
-
Make connections to such other systems as FINCRA may require from time to time.
-
Not disclose any system access credentials provided by FINCRA pursuant to this Agreement.
-
Perform the necessary KYC (Know Your Customer) & due diligence of all your customers and provide the same to FINCRA on request.
-
Be and remain Payment Card Industry Data Security Standard (PCIDSS) compliant during the term of this Agreement, if requested by FINCRA;
-
Implement a fraud protection and monitoring tool and provide evidence of same to FINCRA, if requested by FINCRA;
-
Not use any cardholder payment card details including but not limited to Primary Account Number (PAN) or Card Number, Personal Identification Number (PIN), Card Verification Value (CVV) for any purpose other than for the facilitation of the payment authorized by the cardholder;
-
Implement a two-factor authentication system as required by law, guidelines or directives;
-
Take full responsibility for the integration process using the API furnished by FINCRA. All integration, however, shall be subject to passing FINCRA’s integration acceptance tests before go-live;
-
Be responsible for data stored or transmitted on or through You or any use of the Systems passwords or identification codes assigned by FINCRA.
-
Keep records of all transactions carried by all your customers through the Solution and provide such records to FINCRA on request.
-
Take out and maintain insurance policies required by applicable laws and regulations in connection with your business operations.
-
Comply with applicable data protection regulations or laws.
-
FINCRA’S OBLIGATIONS
FINCRA shall:
Provide You access to the Solution and services.
Provide implementation support to You.
Provide the services with reasonable care.
b. Currency Conversion
This service enables You to exchange one currency for another at a predetermined rate.
-
YOUR OBLIGATIONS
You shall:
-
Initiate an exchange order for FINCRA’s processing.
-
Transfer the quantity of currency agreed in the exchange order into FINCRA’s account or e-wallet. FINCRA may automatically debit You for such exchange.
-
Provide the requisite KYC documents.
-
Submit to any compliance checks required by FINCRA.
-
Provide any supporting documents required by FINCRA.
-
Comply with applicable AML/CFT regulations.
-
Ensure that the proceeds of this Agreement are not used to fund illegal or prohibited transactions.
-
Abide by and continue to observe all guidelines and conditions related to each transaction as may be made from time to time and communicated by FINCRA.
-
FINCRA’S OBLIGATIONS
FINCRA shall:
-
Confirm acceptance of exchange orders initiated by You
-
Transfer the equivalent of the amount received from You into your bank account or e-wallet in the agreed currency.
-
Settle transactions within the agreed timelines.
c. Bank Verification Number (BVN) Verification
The service allows You to verify a customer’s BVN.
-
YOUR OBLIGATIONS
You shall:
-
Seek and obtain full and informed consent of the individual whose personal information is being validated prior to calling the verification API.
-
By no means create an alternate database using the data received via API.
-
Escalate technical issues encountered to FINCRA for quick resolution.
-
Comply with applicable data protection laws and regulations.
-
Comply with CBN regulations on BVN.
-
FINCRA’S OBLIGATIONS
FINCRA shall:
-
Provide You access to the verification API.
-
Provide implementation support to You.
GENERAL SCHEDULES
PROHIBITED TRANSACTIONS
The following are prohibited transactions and cannot be consummated using the Solution or FINCRA’s services either directly or indirectly:
-
Any illegal items or for any illegal purpose.
-
Any munitions or firearms.
-
Pirated software, DVD or videos or item(s) otherwise infringing copyrighted works.
-
Illegal drugs, drug paraphernalia, prescription drugs or controlled substances or items that may represent these uses.
-
Viaticals.
-
Reselling prepaid cards or gift cards/certificates; Personal use such as gifts, loans or payments from friends and family.
-
Cigarettes, tobacco or e-cigarettes.
-
Internet, mail or telephone order pharmaceutical or pharmacy referral services.
-
Items that promote hate, violence, racial intolerance, or the financial exploitation of a crime.
-
Goods or services that infringe on the intellectual property rights of a third party.
-
Products or services that process pop-ups or contain, promote, reference or link to any spyware, malware, virus, back door, drop dead device or other program installation.
-
Live animals.
-
Weapons (including without limitation, knives, guns, firearms or ammunition);
-
Transactions directly or indirectly involving persons (individuals or entities) with whom U.S. persons are prohibited from engaging pursuant to sanctions and export controls administered by the Departments of Treasury, Commerce and State; or UKHMT, EU, UNSC etc.
-
Marijuana and related businesses.
-
Any other category or payor that FINCRA or the payment partner decides to prohibit, in its sole discretion.
SETTLEMENT
SERVICE SETTLEMENT SLA
Product | Currency | Settlements SLA
Product | Currency | Destination Currency | Settlement SLA
Conversions done before 5pm will be settled the same day, conversions done after 5pm will be settled at 9am the next day.
Product | Currency | Destination Currency | Settlement SLA
FINCRA ALLOWED SETTLEMENT COUNTRIES
Nigeria, Ghana, Kenya, South Africa, Uganda, Tanzania, the United Kingdom, USA, Turkey, Israel, Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Europe.
FINCRA PROHIBITED SETTLEMENT COUNTRIES
Afghanistan, The Bahamas, Botswana, Bosnia and Herzegovina, Ethiopia, Guyana, Iraq, Lao PDR, Sri Lanka, Syria, Trinidad and Tobago, Tunisia, Yemen, Vanuatu, Democratic People's Republic of Korea (DPRK), Iran, Central African Republic, Congo, Lebanon, Libya, Mali, Jordan, Nicaragua, North Korea, Russia, Somalia, Sudan, Syria, Ukraine, Venezuela.
FINCRA reserves the right to amend these lists at any time.
CHARGEBACK AND REFUNDS
-
In certain circumstances, Card Issuers, Card Schemes and/or Other Financial Institutions may require repayment in respect of a transaction previously settled and/or remitted to You or your customers, notwithstanding that authorisation may have been obtained from the Card Issuer and/or Other Financial Institution (such circumstances being a "Chargeback").
-
You acknowledge and agree that under all applicable rules, regulations and operating guidelines issued by Card Schemes, financial institutions, regulators and FINCRA relating to cards, transactions, other payment methods and processing of data, You may be required to reimburse acquirers for Chargebacks in circumstances where You have accepted payment in respect of the relevant transaction.
-
All Chargebacks shall correspond to the whole or part of the settlement value of the original transaction or, at an amount equivalent to the original settlement currency at the rate of exchange quoted for settlement purposes on the day the Chargeback is processed.
-
Where a Chargeback occurs or where You fail to address a Chargeback claim within 16 hours, FINCRA shall immediately be entitled to debit your position to make a reversal from your settlement account or e-wallet and/or make a deduction from any remittance, reserve and/or invoice to You to recover:
-
the full amount of the relevant Chargeback; and
-
any other costs, expenses, liabilities or Fines which may be incurred as a result of or in connection with such Chargeback (“Chargeback Costs”).
-
A Chargeback represents an immediate liability from You to FINCRA. Where the full amount of any Chargeback and/or any Chargeback Costs is not debited by FINCRA from your bank account or e-wallet or deducted from any remittance or invoice as referred to in the previous clause, then FINCRA shall be entitled to otherwise recover from You by any means the full amount of such Chargeback and Chargeback Costs (or the balance thereof, as the case may be).
-
FINCRA shall not be obliged to investigate the validity of any Chargeback by any Card Issuer, Card Scheme, payment partner or Other Financial Institution, whose decision shall be final and binding in respect of any Chargeback.
-
As Chargebacks may arise a considerable period after the date of the relevant transaction, You acknowledge and agree that, notwithstanding any termination of this relationship for any reason, FINCRA shall remain entitled to recover Chargebacks and Chargeback Costs (and, where relevant, from any entity who has provided FINCRA with a guarantee or security relating to your obligations under this relationship) in respect of all Chargebacks that occur in connection to transactions effected during the term thereof.
-
FINCRA reserves the right to immediately pass on to and recover from You any fines incurred and/or impose further charges on You and/or terminate the relationship forthwith if we consider that the total value of refunds and/or Chargebacks is unreasonable. FINCRA can recover fines from You in the same way as Chargebacks and in any event they represent an immediate liability from You to FINCRA.
-
You agree that You bear the responsibility to prove to FINCRA’s satisfaction (or that of the relevant Card Issuer or Other Financial Institution) that the debit of a customer’s or cardholder’s account was authorised by such customer or cardholder.
SERVICE LEVEL AGREEMENT
FINCRA INCIDENT MANAGEMENT FRAMEWORK
Definition
An Incident is an event or circumstance that affects or could affect the way a FINCRA Merchant does business negatively and is attributed to IT systems and/or the network. These incidents will most often include, but are not limited to:
-
Infrastructure Downtime
-
Fraud
-
Application Malfunction
MANAGEMENT OF INCIDENTS
Classifying the risk
The person involved in or witness to the incident must immediately make an initial assessment of the actual impact that the incident has had. This will be one of five levels: insignificant, minor, moderate, severe or catastrophic. The initial impact of the incident will inform the immediate reporting requirements.
Investigation of Incidents
Where incidents are sufficiently serious or complex, or part of an ongoing pattern, a formal investigation may need to take place to establish the root cause of the incident.
The level of investigation, guided by the level of risk presented by the reported incident, should be determined as part of the reporting procedure by both the reporter and the Incident Investigating Manager. However, it should be noted that as individual incidents can vary, so too can the level of investigation required.
The standard approach to the investigation of any incident occurring within the organization is to apply the principles of a Root Cause Analysis (RCA) to establish the true reasons for the incident so they may be prevented in the future. Refer to the RCA guidance.
Communication of Incidents
-
E-Mail Communication
-
One-on-one via Slack
Duties & Responsibilities in Incident Management
Role | Responsibility | Contact
EXTERNAL INCIDENT MANAGEMENT & SLAs
Incident Logging
An incident can be logged through phone calls, emails, web forms published on the self-service portal or via live chat messages.
Channel | Contact Details | Response Time
Incident Categorization
Incidents can be categorized and sub-categorized based on the area of IT or business in which the incident causes a disruption, such as network, hardware etc.
Category | Incident Types | Owner
Incident Prioritization
The priority of an incident can be determined as a function of its impact and urgency using a priority matrix. The impact of an incident denotes the degree of damage the issue will cause to the user or business. The urgency of an incident indicates the time within which the incident should be resolved. Based on priority, incidents are categorized as
Prioritization | Nature of Incident | Fixer
Incident routing and assignment: Merchant Success Associate
Once the incident is categorized and prioritized, it gets routed to a support engineer with the relevant expertise. This case will originate from Freshdesk and will be transferred to Jira.
Creating and managing tasks: Technical Support Engineer
Based on the complexity of the incident, it can be broken down into sub-activities or tasks. Tasks are typically created when an incident resolution requires the contribution of multiple 2nd level support people from either the same or different departments.
SLA Management
While the incident is being processed, the support engineer needs to ensure the SLA isn’t breached. An SLA is the acceptable time within which an incident needs a response (response SLA) or resolution (resolution SLA). SLAs can be assigned to incidents based on their parameters like category, requester, impact, urgency etc. In cases where an SLA is about to be breached or has already been breached, the incident can be escalated functionally or hierarchically to ensure that it is resolved at the earliest.
Priority | Response Time | Resolution Time
DATA PROCESSING AGREEMENT
1. RESPONSIBILITIES
-
Each Party shall implement and maintain effective Security Measures (pseudonymisation and encryption etc) that are designed to preserve the security and confidentiality of each Party’s Data and protect its Data from Security Incidents. Such security measures shall be regularly tested and evaluated for effectiveness.
-
The Parties understand that Sensitive Data merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms of the Data Subject. The Controller will therefore not provide (or cause to be provided) any Sensitive Data to Processor for processing under the Agreement without the express consent of the Data Subject.
-
The Processor shall adopt such measures to ensure a level of security appropriate to the sensitivity of the Data transferred to the Processor. These measures include the pseudonymisation and encryption of personal data.
-
Processor shall notify Controller in writing within 48 (forty-eight) hours, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any data processing instruction from Controller violates any Data Protection Law.
-
Processor shall ensure it can restore the availability and access to Personal Data promptly in the event of a Security Incident.
-
Processor shall ensure that any person who is authorised by Processor to process Personal Data (including its staff, agents and subcontractors) shall be under a contractual or statutory obligation of confidentiality.
-
Processor shall in updating or modifying its Security Measures, ensure that such updates and modifications do not result in the degradation of the Processor’s Security Measures.
-
Upon becoming aware of a Security Incident, Processor shall:
-
notify Controller without undue delay, and where feasible, in any event no later than 48 hours from becoming aware of the Security Incident;
-
provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Controller; and
-
promptly take reasonable steps to contain and investigate any Security Incident.
-
Processor’s notification of or response to a Security Incident shall not be construed as an acknowledgement by Processor of any fault or liability concerning the Security Incident.
-
Notwithstanding the above, Controller agrees that except as provided in this Agreement, Controller is responsible for protecting the security of Personal Data when in transit to the Processor while the Processor is responsible for protecting the security of Personal Data it receives and transfers to any party including any Sub-Processor.
-
The Controller represents and warrants that:
-
it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Personal Data and any processing instructions it issues to Processor; and
-
it has obtained and will continue to obtain, all consents and rights necessary under Data Protection Laws for Processor to process Personal Data for the purposes described in the Agreement.
-
Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data.
-
Controller will ensure that Processor’s processing of the Controller’s Data following Controller’s instructions will not cause Processor to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws.
2. SUB-PROCESSING
-
Controller agrees that the Processor may engage Sub-processors to process Personal Data on Controller’s behalf.
-
Processor shall notify Controller of any engagement or disengagement of a Sub-processor and shall enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Controller’s Data as those in this Agreement;
-
The Processor shall remain responsible for the Sub-processor’s compliance with the obligations of this Agreement and for the acts or omissions of such Sub-processor that cause Processor to breach any of its obligations under this Agreement.
3. SECURITY REPORTS AND AUDITS
-
Where the Processor is audited against PCI standards, it shall supply (on a confidential basis) a copy of its annual attestation of compliance and certificate of compliance (“Reports”) to Controller within 5 Business Days of Controller’s written request, to enable Controller to verify Processor’s compliance with the audit standards against which it has been assessed and this Agreement.
-
In addition to the Reports, the Processor shall respond to all reasonable requests for information made by the Controller to confirm the Processor’s compliance with this Agreement, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Controller’s written request, provided that Controller shall not exercise this right more than once per calendar year.
-
Where the Processor is not audited against PCI standards, the Processor shall allow for audit inspections by Controller or Controller’s nominated consultant in order to assess compliance with this Agreement and Data Protection Laws. Processor shall also make available to Controller all information reasonably necessary to demonstrate compliance with this Agreement and the Data Protection Laws.
-
In addition to the audit inspections, the Processor shall respond to all reasonable requests for information made by the Controller or Controller’s consultant to confirm the Processor’s compliance with this Agreement, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Controller’s or Controller’s consultant written request.
4. INTERNATIONAL TRANSFERS
Controller acknowledges that Processor may transfer and process Personal Data outside of the country to where Processor, its Affiliates or its Sub-processors maintain data processing operations. Processor shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws.
5. RETURN OR DELETION OF DATA
Upon termination or expiration of the Agreement, Processor shall (at Controller’s election) and subject to applicable laws, delete or return to Controller all Personal Data (including copies) in its possession or control, except where the Personal Data is archived on back-up systems, in which case Processor shall securely isolate such Personal Data, protect it from any further processing and eventually delete it in accordance with Processor's deletion policies, except to the extent required by applicable laws.
6. DATA SUBJECT RIGHTS AND COOPERATION
-
Processor shall to the extent possible, assist the Controller to comply with its data protection obligations with respect to a Data Subject’s rights under Data Protection Laws.
-
If any request is made by a Data Subject to Processor directly, Processor shall not respond to such communication directly except as appropriate (for example, to direct the Data Subject to contact Controller) without Controller’s prior authorisation except as legally required.
-
If Processor is required to respond to a request made under clause 6.2, Processor shall promptly notify Controller and provide Controller with a copy of the request unless Processor is legally prohibited from doing so. For the avoidance of doubt, nothing in this Agreement shall restrict or prevent Processor from responding to any Data Subject or data protection authority requests concerning Personal Data for which Processor is a controller.
-
If a law enforcement agency sends Processor a demand for Personal Data (for example, through a subpoena or court order), Processor shall attempt to redirect the law enforcement agency to request that Data directly from Controller. As part of this effort, Processor may provide Controller’s contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then Processor shall give Controller reasonable notice of the demand to allow Controller to seek a protective order or other appropriate remedies, unless Processor is legally prohibited from doing so.
7. INDEMNIFICATION
The Processor agrees to indemnify, keep indemnified and defend at its own expense the Controller against all costs, claims, damages or expenses incurred by the Controller or for which the Controller may become liable due to any failure by the Processor or its employees, subcontractors or agents to comply with any of its obligations under this Agreement or the Data Protection Legislation.
8. GENERAL TERMS
-
Processor shall have a right to collect, use and disclose Data for its legitimate business purposes, such as: (i) for accounting, tax, billing, audit, and compliance purposes; (ii) to provide, develop, optimize and maintain the services; (iii) to investigate fraud, spam, wrongful or unlawful use of the services; and (iv) as required by applicable laws.
-
No one other than a party to this Agreement, its successors and permitted assignees shall have any right to enforce any of its terms.
9. NOTICES
Any notice or other communication given to a Party under or in connection with Data Processing must be in writing and delivered to:
For Fincra Technologies Limited: for the attention of Data Protection Officer.
Email: [email protected]; [email protected]
To You – Privacy notices will be sent to the email address provided by You.