Digital Banking Acceptable Use Policy

General Provisions

1. Client agrees not to utilize any digital banking interface or software to encourage, promote, facilitate or instruct others to use, Lumin Digital’s services for any illegal, harmful, fraudulent, infringing or offensive use, or to transmit, store, display, distribute or otherwise make available content that is illegal, harmful, fraudulent, infringing, or offensive. Prohibited activities or content include:
   1. Activities that are illegal, violate the rights of others, may be harmful to others, including to Lumin Digital’s or its hosting providers’ operations, including disseminating, promoting, or facilitating the transfer of obscene materials, offering or disseminating fraudulent goods, services, schemes, or promotions, make-money-fast schemes, ponzi and pyramid schemes, phishing, or pharming.
   2. Content that infringes upon or misappropriates the intellectual property or proprietary rights of others.
   3. Content that disparages Lumin Digital or any of its client financial institutions.
   4. Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable.
   5. Content or other computer technology that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, time bombs, or cancelbots.
2. Client shall not use Lumin Digital’s services or the services of any hosting provider it utilizes and makes available to the client, to violate the security or integrity of any network, computer or communications system, software application, or network or computing device. Prohibited activities include accessing or using any system without permission, including attempting to probe, scan, or test the vulnerability of a system or to breach any security or authentication measures used by a system.
   1. Client shall not perform any vulnerability scans or penetration tests of any Lumin Digital site or system without the explicit written approval of Lumin DIgital for each instance of each scan or test.
   2. Client’s users shall not perform probes, scans, or tests of the system outside the normal usage of digital banking websites and software. Lumin Digital reserves the right to throttle or block access from digital banking services without prior notice to any member or consumer end-users, who attempt or perform probes, vulnerability scans, penetration tests, denial-of-service floods or traffic, spoofing, or reverse engineering of Lumin Digital websites, services, or software.
3. Client shall not distribute, publish, send, or facilitate the sending of unsolicited mass email, SMS text, mobile push, or other messages, promotions, advertising, or solicitations (like “spam”), including commercial advertising and informational announcements without securing the consent of the recipient user. Clients shall use the system in compliance with applicable laws and regulations related to such features, including the Telephone Consumer Protection Act (TCPA) of 1991 and the Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003.
4. Lumin Digital shall provide reports of user authentications to the Administrative Website as well as activity of reports of actions administrative and end-users take.
   1. Client shall establish procedures for and accept responsibility for reviewing reports to ensure user authentication activity and actions made through the Administrative Website is authorized by Client in accordance with Client’s policies.
   2. Client shall authorize administrators it designates with the responsibility and access to respond to threats to the security or confidentiality of information, such as providing for client administrators to set account lockout policies or manually disable the accounts of users who may be attempting to fraudulently access the digital banking site of the institution.
5. Lumin Digital reserves the right to restrict, disable, or block access to one or more user credentials, network addresses, or sites to respond to suspected or observed imminent jeopardy to the security and confidentiality of sensitive data. Such actions may be automated, such as to respond to denial-of-service or botnet threats or may be made manually, such as to lock a login that appears to be attempting or engaging in fraudulent behavior.
6. Lumin Digital does not promise to make digital banking services or software available to users who source from insecure networks, such as Tor or other proxy or anonymizing networks (including consumer VPN’s) or public networks from which fraudulent or threat activity has been observed. Client shall not promise or market Lumin Digital’s services or software as being compatible with such networks nor encourage its users to use them to access Lumin Digital’s services or software.
7. Lumin Digital does not promise to make digital banking services or software available to insecure or unsupported environments, platforms, or operating systems. As such, Lumin Digital shall publish and maintain a minimum approved operating environment that consists of required equipment or software (such as browser software names and versions and mobile operating system devices and operating system versions) to access services or software. Client shall not promise or market Lumin Digital’s services or software as being compatible with equipment or software that is not on its latest minimum approved operating environment publication nor encourage its users to use unapproved devices or software to access Lumin Digital’s services or software.
8. Lumin Digital and its technology service providers reserve the right, but do not assume the obligation, to investigate any violation of this policy or misuse of its services, websites, or software. Lumin Digital may investigate violations of this policy or misuse of its services by administrators or users. We may remove, disable access to, or modify any content or resource that violates this policy or any other agreement we have with you or that we have with a service provider for acceptable use policies of their sites, services, or software. Lumin Digital, or its technology service providers, may report any activity that we or they suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Our reporting may include disclosing appropriate customer information, where required by law. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this policy.
9. Client agrees to immediately notify Lumin Digital if it becomes aware of any violation of this Policy and to provide us with assistance, as requested, to stop or remedy the violation.

Administrative Website

Lumin Digital provides access to an Administrative Website which allows its clients to monitor and manage the digital banking experience for their members and consumers. Acceptable use policies that govern the use of this Administrative Website are as follows:

1. Lumin Digital shall initially provide full access to the Administrative Website to a limited number of client employees, not less than two and not more than five, who shall have full access to administer the functions of the digital banking solution, including adding, modifying, and deleting users, granting privileges, establishing and modifying security policies that may affect the security and confidentiality of sensitive data, and establishing and modifying risk controls related to the transfer of funds within and outside of the institution. Therefore:
   1. Client shall develop and maintain its own Acceptable Use Policy for any individuals to whom it provides a login to the Administrative Website that is congruent with this Acceptable Use Policy.
   2. Client shall enumerate and positively identify the individuals to whom Lumin Digital shall grant a full-access login that it trusts with the responsibility and access a full login to the Administrative Website provides.
   3. Lumin Digital shall provide training on the use and capabilities to the Administrative Website to the individuals for which it is instructed to create logins. Client shall develop and deliver tailored training for any additional users as it sees fit to ensure each operates under this Acceptable Use Policy and institution-specific policies and procedures.
   4. Client shall perform and maintain a risk analysis of digital banking and shall establish and modify configurable security policies in accordance with the institution’s risk tolerance. Lumin Digital shall not modify any configurable security policies after it provides training to Client to transfer administrative ownership for digital banking to the Client’s designated full administrators, except in cases where such configuration changes are required to restore or protect the security and confidentiality of digital banking services in response to a security incident and Client full administrators are unavailable or unreachable.
   5. Client shall establish any roles, assign permissions to roles, and create all subsequent credentials for the Administrative Website. Lumin Digital shall not modify any roles, permissions, or credentials for Client except if no client full-access administrator is available and able to login to administer their Administrative Website.
   6. Client shall create credentials for the Administrative Website with strong, unique passwords it keeps confidential. Lumin Digital does not need and shall not request any Client credential.
   7. Client shall provide each individual whom it deems needs access to the Administrative Website with their own personal credential which is not known to or for shared use by any other users.
   8. Client shall limit access to the Administrative Website to the minimum number of individuals possible and using a least-privilege approach to granting access to functions with role-based security features. Client shall not provide access directly to any credential or via a screen sharing or remote access session to individuals outside the Client’s entity without Lumin Digital’s explicit written approval.
   9. Client shall modify, disable, or remove credentials for the Administrative Websites when its administrators or users no longer need access, such as when they are reassigned or terminated. Lumin Digital shall not modify, disable, or remove credentials for Client except if no client full-access administrator is available and able to login to administer their Administrative Website and the security or confidentiality of sensitive data is in immediate jeopardy.
2. Client shall provide a list of public IP addresses it controls and approves as a source for login attempts.
   1. Lumin Digital shall configure a layered authentication control for the Administrative Website that only permits logins from client-approved IP address sources.
   2. Client is responsible for ensuring the security of devices and networks sourcing from the public IP addresses it provides to Lumin Digital to authorize for access to the Administrative Website authentication process.
   3. Client is responsible for ensuring the list includes IP addresses necessary to support their own business continuity and disaster recovery plans and to provide updates to the approved list of IP address to Lumin Digital so it may make site available to Client.
   4. Client agrees it shall only provide static public IP addresses to Lumin Digital, and if it needs to support logins from non-commercial ISP networks that it shall deploy any VPN technology or acquire static IP addresses for its users coming from such networks such that it does not provide dynamic IP addresses that are subject to unplanned or unannounced reassignment or change.
3. Client shall not produce or utilize scripted or automated processes or tool that attempt to automatically authenticate users into the Administrative Website or to circumvent idle logout controls that extend their sessions without the explicit written approval of Lumin Digital for each such process or tool.
4. Lumin Digital may provide websites and software that allow authorized users of the Administrative Website to shadow or “login as” a user for the purposes of diagnosing issues with the User Website. Client agrees to restrict and monitor the use of such features by limiting the granting of this privileged feature to the minimum number of administrators possible and reviewing administrative user activity reporting to ensure such usage is appropriate in accordance with Client’s policies and procedures.

User Website

1. Lumin Digital may provide websites and software that allow its client institutions prospective members or consumers to become a new member consumer with the institution. When such features are made available:
   1. Client shall retain responsibility for identifying and approving users and only market and provide products and services through the digital banking user website which they are permitted to solicit or offer by all applicable laws, rules, and regulations.
   2. Client shall dictate and have final authority to authorize and approve prospective users through Know Your Customer (KYC), Office of Foreign Asset Control (OFAC), and other mandated screening procedures. When Lumin Digital can make mandated screening procedures or risk scoring tools or techniques available through digital banking, Client shall provide and maintain the necessary configuration and ongoing monitoring of such tools or techniques so it is compliant with all applicable laws, rules, and regulations.
2. Lumin Digital may provide websites and software that allow its client institution members or consumers who do not yet have a login to the digital banking user website the ability to register with a new credential to access their accounts and sensitive data through digital banking. When such features are made available:
   1. Client shall provide Lumin Digital and be responsible for the accuracy for the specifications, rules, and processes for positively identifying a current member or consumer on the Client’s system of record.
   2. Client shall provide Lumin Digital with a system of record that can be used to search for a current member or consumer pursuant to the specifications, rules, and processes Client has provided. Client is responsible for maintaining a system of record that is accurate and updated to allow for Lumin Digital’s positive identification of current members and consumers.
   3. Lumin Digital shall only allow members or consumers to complete a registration process if they can validate an out-of-band authentication challenge using information provided in the system of record. Client is responsible for providing and maintaining accurate phone numbers, email addresses, or other out-of-band contact information for users that allow Lumin Digital to contact current members or consumers that are positively identified on the Client’s system of record.
3. Lumin Digital may provide websites and software that allow users who have previously registered for a credential to the user website but cannot login the ability to reset their credentials, including passwords and other factors of authentication. When such features are made available:
   1. Client shall provide Lumin Digital and be responsible for the accuracy for the specifications, rules, and processes for positively identifying a digital banking user who cannot authenticate with a user website credential but is a current member or consumer on the Client’s system of record.
   2. Client shall provide Lumin Digital with a system of record that can be used to search for a digital banking user who is a current member or consumer pursuant to the specifications, rules, and processes Client has provided. Client is responsible for maintaining a system of record that is accurate and updated to allow for Lumin Digital’s positive identification of current members and consumers for the purposes of a credential reset.
   3. Lumin Digital shall only allow registered digital banking users to reset a credential if they can validate an out-of-band authentication challenge using information provided in the system of record. Client is responsible for providing and maintaining accurate phone numbers, email addresses, or other out-of-band contact information for users that allow Lumin Digital to contact current members or consumers to reset their credentials.
4. Client shall develop and maintain its own Acceptable Use and Privacy Policies for its members or consumers it approves for digital banking. Lumin Digital shall provide a facility for users who register or enroll for digital banking to review and positively accept the institutions policies and disclosures before allowing a user to complete the registration or enrollment processes. Client shall be responsible for maintaining policy and disclosure acceptance documentation for users it manually registers, enrolls, or imports.
5. Client shall not produce or utilize scripted or automated processes or tool that attempt to automatically authenticate users into the User Website or to circumvent idle logout controls that extend their sessions without the explicit written approval of Lumin Digital for each such process or tool.
   1. Lumin Digital only supports account aggregation, whereby a member or consumer provides their digital banking credentials to a third-party system when authenticates as them on their behalf to download their account and sensitive data, if and only if Lumin Digital has an agreement for services with the third-party aggregator and there is an agreement between Client and Lumin Digital to provide such access to the third-party provider.
   2. Lumin Digital reserves the right to throttle or block access to scripted or automated processes or tools, including unauthorized third-party account aggregators, with which it has no direct agreement for account aggregation services, to protect the security and confidentiality of Client and member and consumer sensitive data.