Common use of Effectiveness of Controls Clause in Contracts

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to systems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.17, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. 
(b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) Agreed Upon Procedures in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), Company will provide to Bank a description of the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of such assessments and reports if required to fulfill Bank’s control obligations, and Company will comply with such requests. If a report is anticipated to contain any material deficiency, Company will give Bank notice of such deficiency as soon as reasonably practicable. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank (in addition to the Company). 
Company shall bear its own costs in connection with the foregoing audits and testing; provided that 50% of the costs of such independent audit or testing firm in connection with the foregoing audits and tests shall be reimbursed to Company by Bank. If a report pursuant to this Section contains a deficiency, Company will no later than thirty (30) days following the report date, deliver to Bank for review and approval a corrective action plan that, if followed, will correct the error, deficiency or other failure to perform. Company will execute the plan at Company’s expense in accordance with its terms, and conduct such additional follow-up audits at Company’s expense as may be requested by Bank, acting reasonably. If a deficiency is deemed significant by Bank in its reasonable judgment, then at Bank’s request additional audit procedures will be conducted at Company’s expense. Company will notify Bank in writing promptly upon completion of the remediation. (c) Company will deliver to Bank, not later than November 15 of each year during the term of the Agreement, a certificate (or discussion with management of Company, Bank and Bank’s independent auditors) of the designated officer of Company dated as of November 1 certifying that Company is not aware of any event or condition which evidences a control, security or other deficiency relating to the subject matter addressed in the latest audit report delivered to Bank pursuant to this Section 4.17. If a report pursuant to this Section contains such a control, security or other deficiency, Company will promptly deliver to Bank a corrective action plan and will immediately and at its cost execute the plan in accordance with its terms, and will conduct at its cost such additional follow-up audits as may be requested by Bank, acting reasonably, to confirm that the deficiency has been corrected.

Appears in 1 contract

Sources: Credit Card Program Agreement (Target Corp)

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to systems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.17, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. 
(b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) Agreed Upon Procedures in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), Company will provide to Bank a description of the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of such assessments and reports if required to fulfill Bank’s control obligations, and Company will comply with such requests. If a report is anticipated to contain any material deficiency, Company will give Bank notice of such deficiency as soon as reasonably practicable. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank (in addition to the Company). 
Company shall bear its own costs in connection with the foregoing audits and testing; provided that 50% of the costs of such independent audit or testing firm in connection with the foregoing audits and tests shall be reimbursed to Company by Bank. If a report pursuant to this Section contains a deficiency, Company will no later than thirty (30) days following the report date, deliver to Bank for review and approval a corrective action plan that, if followed, will correct the error, deficiency or other failure to perform. Company will execute the plan at Company’s expense in accordance with its terms, and conduct such additional follow-up audits at Company’s expense as may be requested by Bank, acting reasonably. If a deficiency is deemed significant by Bank in its reasonable judgment, then at Bank’s request additional audit procedures will be conducted at Company’s expense. Company will notify Bank in writing promptly upon completion of the remediation. (c) Company will deliver to Bank, not later than November 15 of each year during the term of the Agreement, a certificate (or discussion with management of Company, Bank and Bank’s independent auditors) of the designated officer of Company dated as of November 1 certifying that Company is not aware of any event or condition which evidences a control, security or other deficiency relating to the subject matter addressed in the latest audit report delivered to Bank pursuant to this Section 4.17. If a report pursuant to this Section contains such a control, security or other deficiency, Company will promptly deliver to Bank a corrective action plan and will immediately and at its cost execute the plan in accordance with its terms, and will conduct at its cost such additional follow-up audits as may be requested by Bank, acting reasonably, to confirm that the deficiency has been corrected.

Appears in 1 contract

Sources: Credit Card Program Agreement (Target Corp)

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to systemsSystems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.174.14 and Section 4.16, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. 
(b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as * 41 requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) Agreed Upon Procedures SOC 2 (Type II) audits covering trust service principles over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), Company the parties will provide to Bank a description of mutually agree on the Person that will perform such audits and the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of such any assessments and reports if required to fulfill Bank’s control obligationsobligations in connection with its annual audit or as required to comply with Applicable Law, and Company will comply with not unreasonably withhold consent to such requests. 
If a report is anticipated to contain any material deficiency, Company will give Bank notice of such deficiency as soon as reasonably practicable. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank (in addition to and Company. The parties’ agreement regarding the Company). Company shall bear its own costs cost allocation in connection with the foregoing audits and testing; provided that 50% of the costs of such independent audit or testing firm and certain other matters is set forth in Schedule 4.16. (c) [RESERVED] (d) If Bank assumes any servicing obligations in connection with the foregoing audits Program, the parties shall mutually agree, each acting in good faith, regarding internal controls auditing and tests testing requirements may become applicable to Bank in light of Bank’s activities under this Agreement. In addition, Bank shall agree to undergo and share with Company such internal controls auditing and testing procedures that are required to comply with Applicable Law. (e) The parties agree that following the Effective Date an assessment of Company’s Systems related to the issuing and servicing of the Credit Cards of the Program shall be reimbursed performed and completed prior to the Closing Date. Bank and Company by Bankshall mutually agree, each acting reasonably, on (i) the controls to be assessed, the in-scope Systems, and the report to be produced, which will include the description and results of the assessment, and (ii) the independent third party who will perform the assessment. 
If a Company shall provide Bank with the executive summary of the report pursuant to this Section and, if the report contains a deficiency, then prior to the Closing Date, Company will no later than thirty (30) days following the report date, shall deliver to Bank for review and approval a corrective action remediation plan that, if followed, will correct the that addresses any error, deficiency or other failure to performgap identified in the assessment. Company will execute the plan at Company’s expense in accordance with its terms, and conduct such additional follow-up audits at Company’s expense as may be requested by Bank, acting reasonably. If a deficiency is deemed significant by Bank in its reasonable judgment, then at Bank’s request additional audit procedures will be conducted at Company’s expense. Company will notify Bank in writing promptly upon completion of the remediation. (c) Company will deliver to Bank, not later than November 15 of each year during the term of the Agreement, a certificate (or discussion with management of Company, Bank and Bank’s independent auditors) of the designated officer of Company dated as of November 1 certifying that Company is not aware of any event or condition which evidences a control, security or other deficiency relating to the subject matter addressed in the latest audit report delivered to Bank pursuant to this Section 4.17. If a report pursuant to this Section contains such a control, security or other deficiency, Company will promptly deliver to Bank a corrective action plan and will immediately and at its cost execute the remediation plan in accordance with its terms, terms and will conduct at its cost such additional follow-up audits as may be requested by Bank, acting reasonably, to confirm that own expense. Bank shall pay all costs of the deficiency has been correctedthird party in completing the assessment and producing the report.

Appears in 1 contract

Sources: Credit Card Program Agreement

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to systems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.17, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. 
(b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) Agreed Upon Procedures in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), Company will provide to Bank a description of the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of such assessments and reports if required to fulfill Bank’s control obligations, and Company will comply with such requests. If a report is anticipated to contain any material deficiency, Company will give Bank notice of such deficiency as soon as reasonably practicable. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank (in addition to the Company). 
Company shall bear its own costs in connection with the foregoing audits and testing; provided that 50% of the costs of such independent audit or testing firm in connection with the foregoing audits and tests shall be reimbursed to Company by Bank. If a report pursuant to this Section contains a deficiency, Company will no later than thirty (30) days following the report date, deliver to Bank for review and approval a corrective action plan that, if followed, will correct the error, deficiency or other failure to perform. Company will execute the plan at Company’s expense in accordance with its terms, and conduct such additional follow-up audits at Company’s expense as may be requested by Bank, acting reasonably. If a deficiency is deemed significant by Bank in its reasonable judgment, then at Bank’s request additional audit procedures will be conducted at Company’s expense. Company will notify Bank in writing promptly upon completion of the remediation. (c) Company will deliver to Bank, not later than November 15 of each year during the term of the Agreement, a certificate (or discussion with management of Company, Bank and Bank’s independent auditors) of the designated officer of Company dated as of November 1 certifying that Company is not aware of any event or condition which evidences a control, security or other deficiency relating to the subject matter addressed in the latest audit report delivered to Bank pursuant to this Section 4.17. If a report pursuant to this Section contains such a control, security or other deficiency, Company will promptly deliver to Bank a corrective action plan and will immediately and at its cost execute the plan in accordance with its terms, and will conduct at its cost such additional follow-up audits as may be requested by Bank, acting reasonably, to confirm that the deficiency has been corrected.

Appears in 1 contract

Sources: Credit Card Program Agreement

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to systems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.17, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. 
(b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month [*] period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) Agreed Upon Procedures in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), Company will provide to Bank a description of the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of such assessments and reports if required to fulfill Bank’s control obligations, and Company will comply with such requests. If a report is anticipated to contain any material deficiency, Company will give Bank notice of such deficiency as soon as reasonably practicable. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank (in addition to the Company). 
Company shall bear its own costs in connection with the foregoing audits and testing; provided that 50% of the costs of such independent audit or testing firm in connection with the foregoing audits and tests shall be reimbursed to Company by Bank. [*] If a report pursuant to this Section contains a deficiency, Company will no later than thirty (30) days [*] following the report date, deliver to Bank for review and approval a corrective action plan that, if followed, will correct the error, deficiency or other failure to perform. Company will execute the plan at Company’s expense [*] in accordance with its terms, and conduct such additional follow-up audits at Company’s expense as may be requested by Bank, acting reasonably[*]. If a deficiency is deemed significant by Bank in its reasonable judgment, then at Bank’s request additional audit procedures will be conducted at Company’s expense[*]. Company will notify Bank in writing promptly upon completion of the remediation. (c) Company will deliver to Bank, not later than November 15 of each year during the term of the Agreement, a certificate (or discussion with management of Company, Bank and Bank’s independent auditors) of the designated officer of Company dated as of November 1 certifying that Company is not aware of any event or condition which evidences a control, security or other deficiency relating to the subject matter addressed in the latest audit report delivered to Bank pursuant to this Section 4.17. If a report pursuant to this Section contains such a control, security or other deficiency, Company will promptly deliver to Bank a corrective action plan and will immediately and at its cost [*] execute the plan in accordance with its terms, and will conduct at its cost [*] such additional follow-up audits as may be requested by Bank, acting reasonably, to confirm that the deficiency has been corrected.

Appears in 1 contract

Sources: Credit Card Program Agreement (Target Corp)

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to systemsSystems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.174.14 and Section 4.16, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. 
(b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) Agreed Upon Procedures SOC 2 (Type II) audits covering trust service principles over not less than a twelve (12) month period ending not earlier than August 1 and not later than August 31 in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), Company the parties will provide to Bank a description of mutually agree on the Person that will perform such audits and the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of such any assessments and reports if required to fulfill Bank’s control obligationsobligations in connection with its annual audit or as required to comply with Applicable Law, and Company will comply with not unreasonably withhold consent to such requests. 
If a report is anticipated to contain any material deficiency, Company will give Bank notice of such deficiency as soon as reasonably practicable. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank (in addition to and Company. The parties’ agreement regarding the Company). Company shall bear its own costs cost allocation in connection with the foregoing audits and testing; provided that 50% of the costs of such independent audit or testing firm and certain other matters is set forth in Schedule 4.16. (c) [RESERVED] (d) If Bank assumes any servicing obligations in connection with the foregoing audits Program, the parties shall mutually agree, each acting in good faith, regarding internal controls auditing and tests testing requirements may become applicable to Bank in light of Bank’s activities under this Agreement. In addition, Bank shall agree to undergo and share with Company such internal controls auditing and testing procedures that are required to comply with Applicable Law. (e) The parties agree that following the Effective Date an assessment of Company’s Systems related to the issuing and servicing of the Credit Cards of the Program shall be reimbursed performed and completed prior to the Closing Date. Bank and Company by Bankshall mutually agree, each acting reasonably, on (i) the controls to be assessed, the in-scope Systems, and the report to be produced, which will include the description and results of the assessment, and (ii) the independent third party who will perform the assessment. 
If a Company shall provide Bank with the executive summary of the report pursuant to this Section and, if the report contains a deficiency, then prior to the Closing Date, Company will no later than thirty (30) days following the report date, shall deliver to Bank for review and approval a corrective action remediation plan that, if followed, will correct the that addresses any error, deficiency or other failure to performgap identified in the assessment. Company will execute the plan at Company’s expense in accordance with its terms, and conduct such additional follow-up audits at Company’s expense as may be requested by Bank, acting reasonably. If a deficiency is deemed significant by Bank in its reasonable judgment, then at Bank’s request additional audit procedures will be conducted at Company’s expense. Company will notify Bank in writing promptly upon completion of the remediation. (c) Company will deliver to Bank, not later than November 15 of each year during the term of the Agreement, a certificate (or discussion with management of Company, Bank and Bank’s independent auditors) of the designated officer of Company dated as of November 1 certifying that Company is not aware of any event or condition which evidences a control, security or other deficiency relating to the subject matter addressed in the latest audit report delivered to Bank pursuant to this Section 4.17. If a report pursuant to this Section contains such a control, security or other deficiency, Company will promptly deliver to Bank a corrective action plan and will immediately and at its cost execute the remediation plan in accordance with its terms, terms and will conduct at its cost such additional follow-up audits as may be requested by Bank, acting reasonably, to confirm that own expense. Bank shall pay all costs of the deficiency has been correctedthird party in completing the assessment and producing the report.

Appears in 1 contract

Sources: Credit Card Program Agreement (Nordstrom Inc)

Effectiveness of Controls. (a) The parties acknowledge that: (i) each party’s management and independent auditors are now and/or in the future may be required under the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Act of 2002 and related regulations and the Federal Deposit Insurance Corporation Improvement Act of 1991 and related regulations (collectively, the “Relevant Laws”) to, among other things, assess the effectiveness of its internal controls over financial reporting and state in its report whether such internal controls are effective; and (ii) because each party has entered into a significant transaction with the other as described in this Agreement, the controls used by the parties (including controls that restrict unauthorized access to systems, data and programs) are relevant to each party’s evaluation of its internal controls. Having acknowledged the foregoing, and subject to the terms of this Section 4.17, each party hereby agrees to cooperate with the other party and its independent auditor as reasonably necessary to facilitate such party’s ability to comply with its obligations under the Relevant Laws. 
(b) Company will: (i) maintain an internal controls structure pertaining to the Program in such manner and at such times as is consistent with the practices of well-managed operations performing services substantially similar to Company’s obligations set forth in this Agreement, and (ii) cause to be conducted by a nationally recognized external auditor, as requested by Bank but no more frequently than annually in the case of each item referred to in clauses (A) and (B), (A) SSAE 16 (Type II) SOC 1 audits covering financial controls over not less than a twelve (12) month [*] period ending not earlier than August 1 and not later than August 31 (or another mutually agreed upon timeline), and (B) Agreed Upon Procedures in respect of each of its data centers and facilities from which Program services (including back-up or disaster recovery services) are provided, covering IT application and data security controls, including controls related to Payment Card Industry Data Security Standards applicable to the Program. Prior to conducting audits pursuant to subsection (ii), Company will provide to Bank a description of the controls to be assessed, the in-scope business and technical processes, and the reports to be produced, which, in any event, will include the description and results of such assessments. Bank may request Company to add to or modify the scope of such assessments and reports if required to fulfill Bank’s control obligations, and Company will comply with such requests. If a report is anticipated to contain any material deficiency, Company will give Bank notice of such deficiency as soon as reasonably practicable. Company will deliver the report of each such audit to Bank not later than September 30 of each year (or pursuant to a mutually agreed-upon timeline). 
[*] Indicates confidential portions omitted pursuant to a request for confidential treatment filed separately with the Commission.
At Bank’s request, any reports, tests or other summaries prepared by such independent audit or testing firm shall be addressed to Bank (in addition to the Company). Company shall bear its own costs in connection with the foregoing audits and testing; provided that 50% of the costs of such independent audit or testing firm in connection with the foregoing audits and tests shall be reimbursed to Company by Bank. [*] If a report pursuant to this Section contains a deficiency, Company will no later than thirty (30) days [*] following the report date, deliver to Bank for review and approval a corrective action plan that, if followed, will correct the error, deficiency or other failure to perform. Company will execute the plan at Company’s expense [*] in accordance with its terms, and conduct such additional follow-up audits at Company’s expense as may be requested by Bank, acting reasonably[*]. If a deficiency is deemed significant by Bank in its reasonable judgment, then at Bank’s request additional audit procedures will be conducted at Company’s expense[*]. Company will notify Bank in writing promptly upon completion of the remediation. (c) Company will deliver to Bank, not later than November 15 of each year during the term of the Agreement, a certificate (or discussion with management of Company, Bank and Bank’s independent auditors) of the designated officer of Company dated as of November 1 certifying that Company is not aware of any event or condition which evidences a control, security or other deficiency relating to the subject matter addressed in the latest audit report delivered to Bank pursuant to this Section 4.17. 
If a report pursuant to this Section contains such a control, security or other deficiency, Company will promptly deliver to Bank a corrective action plan and will immediately and at its cost [*] execute the plan in accordance with its terms, and will conduct at its cost [*] such additional follow-up audits as may be requested by Bank, acting reasonably, to confirm that the deficiency has been corrected.

Appears in 1 contract

Sources: Credit Card Program Agreement