Section 3.1 - Mandatory Service Provider Framework
Section 3.1.1 - Designated Internal Service Providers
- Exclusive Service Designation: The Company hereby designates the following series as exclusive internal shared service providers for all TSYS Group entities:
a. Information Technology Services Provider: Known Element Enterprises (series) LLC shall serve as the Company's exclusive provider of all IT Services as defined in Article 2 and further detailed in Schedule A to this Agreement.
b. Financial Services Provider: The Campus Trading Company (series) LLC shall serve as the Company's exclusive provider of all Transaction and Treasury Services as defined in Article 2 and further detailed in Schedule B to this Agreement.
- Service Provider Independence: Each designated service provider shall maintain:
a. Operational independence regarding service delivery methodologies
b. Technology selection autonomy within Board-approved parameters
c. Resource allocation flexibility to meet established service levels
d. Staffing and personnel management authority
e. Implementation discretion for approved service initiatives
- Term of Designation: These service provider designations shall:
a. Remain in effect for the duration of this Agreement
b. Be reviewed by the Board at least every three (3) years
c. Be subject to revocation only under the extreme failure provisions of Section 3.1.3(2)(d)
d. Be transferable to successor entities only with Board approval
- Regulatory Compliance Obligations: Each designated service provider shall:
a. Maintain all licenses, certifications, and registrations required by applicable law for their services
b. Implement and maintain compliance programs appropriate to their service offerings
c. Conduct annual compliance risk assessments
d. Provide quarterly compliance reports to the Technology Oversight Committee
e. Promptly notify the Company Committee of any regulatory inquiries, investigations, or compliance issues
f. Maintain documentation of compliance with industry standards and regulations
g. Conduct annual compliance training for all service provider personnel
Section 3.1.2 - Mandatory Use Requirement
- Primary Provider Obligation: All series shall utilize the designated internal service providers as their exclusive service solution providers for the services described in Section 3.1.1, subject to the following conditions:
a. Performance Standards: Internal service providers must meet or exceed the service level agreements (SLAs) established by the Technology Oversight Committee, which shall:
i. Be documented in writing and incorporated by reference into this Agreement
ii. Include specific, measurable performance metrics for each service category
iii. Establish response time requirements for various service priorities
iv. Define availability requirements for critical systems
v. Include remediation timelines for service disruptions
vi. Specify reporting requirements and cadence
vii. Be reviewed and updated at least annually
viii. Include security standards and compliance requirements
ix. Establish escalation procedures for service issues
x. Define problem severity classification and associated response times
xi. Include customer satisfaction measurement requirements
xii. Establish change management procedures and notice requirements
xiii. Include data protection and privacy requirements
xiv. Specify disaster recovery and business continuity standards
xv. Define incident response protocols and timeframes
b. Competitive Pricing: Internal service providers must offer services at pricing comparable to market rates for equivalent services, as verified by:
i. Annual independent third-party audit
ii. Benchmark comparison against at least three comparable external providers
iii. Transparent cost-accounting as described in Section 4.6.5
iv. Quarterly pricing reviews by the Audit and Finance Committee
v. Documentation of all cost allocation methodologies
vi. Publication of rate cards to all series members
vii. Advance notice of at least sixty (60) days for any rate increases
viii. Cap on annual price increases tied to relevant industry indexes
ix. Volume discounting mechanisms for large series
x. Regular market comparison reporting to all series
- Enforcement Mechanism: The Company Committee shall be responsible for enforcing the mandatory use requirement and shall:
a. Conduct quarterly compliance reviews
b. Promptly investigate any reported violations
c. Issue formal findings within 30 days of any compliance investigation
d. Recommend appropriate remedial actions to the Board
e. Maintain a centralized compliance tracking system
f. Publish anonymized compliance reports to all series
g. Establish escalating penalties for repeated non-compliance
h. Implement a confidential reporting system for compliance concerns
i. Provide compliance training resources to all series
j. Conduct annual compliance audits of all series and service providers
- Service Provider Dispute Resolution: Disputes between service providers and series regarding service delivery shall be resolved through:
a. Initial attempt at resolution between operational leaders of the service provider and series
b. If unresolved within 15 days, escalation to the Technology Oversight Committee
c. Formal mediation process as outlined in Schedule H if not resolved within 30 days
d. Final binding decision by the Company Committee if mediation is unsuccessful
e. Documentation of all disputes and resolutions in the electronic records system
f. Quarterly dispute trends analysis and reporting to the Board
g. Implementation of dispute reduction strategies based on trend analysis
h. Establishment of proactive relationship management protocols
i. Joint service improvement planning between service providers and series
j. Emergency escalation pathway for critical service disputes
- Service Level Agreement Governance:
a. SLAs shall be:
i. Developed with input from all series
ii. Reviewed and approved by the Technology Oversight Committee
iii. Published in the electronic records system
iv. Monitored through automated performance measurement systems
v. Subject to quarterly performance reviews
b. SLA modifications shall:
i. Require Technology Oversight Committee approval
ii. Include a comment period for series feedback
iii. Provide at least 60 days' notice before implementation
iv. Include transition support for material changes
Section 3.1.3 - Service Provider Failure Remedies
- Failure Determination: An internal service provider shall be deemed to have failed if it:
a. Fails to meet established performance standards for two consecutive quarters as documented by the Technology Oversight Committee
b. Experiences a catastrophic service disruption lasting more than:
i. 48 hours for non-critical services
ii. 24 hours for important services
iii. 4 hours for mission-critical services as designated in the applicable SLA
c. Commits a material breach of its SLA obligations that remains uncured for 30 days after written notice
d. Receives substantiated service quality complaints from more than 50% of its series customers within any six-month period
e. Experiences a material security or data breach that compromises sensitive information or critical infrastructure
f. Fails to implement required security patches or updates within timeframes specified in the SLA
g. Demonstrates a pattern of repeated service deficiencies that, while individually not constituting failures, collectively indicate systemic issues
h. Violates applicable regulatory requirements resulting in material penalties or compliance issues
i. Fails to maintain required certifications or qualifications
j. Loses key personnel without adequate succession planning and replacement
- Remedies for Service Provider Failure: Upon determination of a service provider failure, the following remedies shall be available:
a. Initial Remediation Period: The service provider shall be granted a 60-day remediation period to:
i. Correct performance deficiencies
ii. Restore service levels to required standards
iii. Submit a detailed improvement plan to the Technology Oversight Committee
iv. Implement enhanced monitoring and reporting
v. Engage third-party expertise if necessary
vi. Conduct root cause analysis of failures
vii. Implement preventative measures
viii. Establish interim service arrangements if necessary
ix. Provide regular progress reports
x. Compensate affected series according to SLA terms
b. Enhanced Oversight: During the remediation period, the service provider shall be subject to:
i. Weekly performance reviews by the Technology Oversight Committee
ii. Implementation of additional controls and monitoring
iii. Potential leadership changes as recommended by the Board
iv. Requirement to provide daily status reports to affected series
v. Temporary management augmentation with qualified personnel
vi. Independent third-party oversight of remediation efforts
vii. Additional resource allocation requirements
viii. Temporary suspension of new service initiatives
ix. Mandatory executive briefings to the Board
x. Implementation of emergency escalation procedures
c. Failure to Remediate: If the service provider fails to remediate within the 60-day period, the Technology Oversight Committee may:
i. Grant a single 30-day extension if substantial progress is evident
ii. Implement a service provider replacement plan
iii. Authorize temporary external service providers for affected services
iv. Recommend restructuring of the service provider to the Board
v. Appoint temporary executive leadership
vi. Accelerate training of backup personnel
vii. Implement contingency service arrangements
viii. Adjust pricing to reflect reduced service levels
ix. Impose financial penalties as specified in the SLA
x. Develop long-term service provider transition plan
d. Extreme Failure: In cases of extreme failure involving critical systems, the Board may:
i. Immediately authorize use of external service providers
ii. Remove and replace service provider leadership
iii. Implement emergency continuity plans
iv. Take any other actions necessary to protect the TSYS Group
v. Establish an emergency governance committee
vi. Suspend normal approval processes for emergency actions
vii. Allocate emergency funding for service restoration
viii. Engage specialized crisis management expertise
ix. Implement rapid knowledge transfer protocols
x. Authorize extraordinary measures to protect data and assets
- Service Continuity Protection: To ensure continuity of critical services:
a. Each service provider shall maintain:
i. Comprehensive business continuity and disaster recovery plans
ii. Documented systems and operational procedures
iii. Knowledge transfer protocols for critical functions
iv. Cross-training programs for essential personnel
v. Backup systems and redundancies for critical infrastructure
vi. Geographically distributed infrastructure to mitigate regional disruptions
vii. Regularly tested incident response procedures
viii. Alternative service delivery methods for emergency situations
ix. Secure offline backups of critical data and configurations
x. Emergency communication protocols and systems
b. The Technology Oversight Committee shall:
i. Conduct annual disaster recovery testing
ii. Maintain relationships with qualified backup service providers
iii. Regularly review and update continuity plans
iv. Ensure proper escrow of critical system information
v. Validate recovery time and point objectives
vi. Coordinate cross-series business continuity planning
vii. Establish emergency decision-making protocols
viii. Maintain emergency contact information for all key personnel
ix. Implement crisis management training for leadership
x. Develop communications templates for various disruption scenarios
- Security Incident Response Protocol:
a. Upon detection of any security incident, service providers shall:
i. Immediately activate the incident response team
ii. Contain and mitigate the incident according to established procedures
iii. Notify the Technology Oversight Committee within timeframes specified in the SLA
iv. Document all aspects of the incident and response
v. Conduct forensic analysis to determine scope and impact
vi. Implement required remediation measures
vii. Provide detailed post-incident reports
viii. Update security controls based on lessons learned
ix. Conduct additional security testing as needed
x. Comply with all regulatory notification requirements
b. The Technology Oversight Committee shall:
i. Review all security incidents and response activities
ii. Ensure appropriate remediation measures are implemented
iii. Determine if the incident constitutes a service provider failure
iv. Coordinate communications regarding the incident
v. Oversee regulatory compliance related to the incident
Section 3.1.4 - Innovation Exception Process
- Exception Basis: A series may request an exception to the mandatory use requirement only on the grounds of:
a. Specialized technical requirements that cannot be met by the internal service provider
b. Demonstrable competitive advantage requiring specialized external solutions
c. Regulatory or compliance requirements that necessitate specialized external providers
d. Client or customer contractual requirements that mandate specific external solutions
e. Significant cost savings (exceeding 30%) that can be achieved through an external provider while maintaining equivalent security and quality standards
f. Emerging technology that provides substantial business advantage not available through internal providers
g. Temporary capacity limitations of internal providers during high-growth periods
h. Specialized expertise requirements for limited duration projects
i. Unique geographical requirements not efficiently served by internal providers
j. Legacy systems integration requirements that internal providers cannot efficiently support
- Exception Request Process:
a. Requests must be submitted in writing to the Technology Oversight Committee
b. Requests must include:
i. Detailed description of the required service
ii. Documentation of business necessity
iii. Analysis of competitive advantage
iv. Proposed external provider information including due diligence materials
v. Security and compliance assessment
vi. Data integration and protection plan
vii. Implementation timeline
viii. Cost-benefit analysis comparing the external solution to internal alternatives
ix. Risk assessment for the proposed exception
x. Transition plan to internal providers if applicable
xi. Metrics for measuring success of the exception
xii. Governance controls for the external provider relationship
xiii. Detailed vendor security assessment including SOC 2 reports or equivalent
xiv. Data processing requirements and compliance documentation
xv. Exit strategy and data retrieval procedures
c. The Technology Oversight Committee must respond within 45 days for standard requests and within 15 days for requests designated as time-sensitive with appropriate justification
d. The Technology Oversight Committee must provide written justification for any denial
e. Appeals of denied exception requests may be made to the Company Committee within 15 days of denial
f. The Company Committee shall render a final decision within 30 days of appeal receipt
g. Denials that substantially impact business operations may be further appealed to the Board in extreme circumstances
h. The Board shall establish an expedited review process for critical exception appeals
i. All decisions shall be documented in the electronic records system
j. Precedential decisions shall be published as guidance for future requests
- Exception Implementation:
a. If approved, the exception shall:
i. Be documented in the electronic records system
ii. Include specific scope and duration limitations
iii. Require quarterly reviews and renewal evaluation
iv. Include a transition plan for eventual migration to internal services if feasible
v. Include compliance monitoring to ensure continued adherence to security and integration requirements
vi. Specify data security and access controls
vii. Establish service level requirements for the external provider
viii. Define clear exit criteria and termination procedures
ix. Establish integration requirements with existing systems
x. Include knowledge transfer provisions to internal providers
xi. Specify contract provisions required for external providers
xii. Include mandatory security provisions for vendor contracts
xiii. Require right-to-audit clauses for all external provider agreements
xiv. Include business continuity requirements for external providers
xv. Specify data ownership and return provisions upon termination
- Exception Renewal and Termination:
a. All exceptions shall have a defined term, not to exceed one (1) year unless specifically approved by the Board
b. Renewal requests must be submitted at least 60 days prior to exception expiration
c. Renewal requests shall include:
i. Performance assessment of the external provider
ii. Continued justification for the exception
iii. Analysis of any changes in internal provider capabilities
iv. Updated security and compliance assessment
v. Documentation of ongoing business necessity
vi. Evaluation of transition feasibility to internal providers
vii. Updated cost-benefit analysis
viii. Review of security and compliance incidents
d. Exceptions may be terminated prior to expiration if:
i. The external provider fails to meet service requirements
ii. Internal provider capabilities evolve to meet the requirement
iii. The business need for the exception no longer exists
iv. Security or compliance concerns arise
v. The series fails to comply with exception conditions
vi. The Board or Company Committee determines termination is in the best interest of the Company
vii. The external provider experiences a material security breach
viii. Regulatory requirements necessitate termination
- Exception Registry and Oversight:
a. The Technology Oversight Committee shall maintain a registry of all exceptions that includes:
i. Exception scope and justification
ii. Approval date and expiration
iii. External provider details
iv. Performance metrics
v. Review history
vi. Renewal status
vii. Documented exceptions to standard requirements
viii. Security assessment status
ix. Integration documentation
x. Compliance verification
b. The Company Committee shall:
i. Receive quarterly reports on all exceptions
ii. Review any exceptions with security or compliance concerns
iii. Provide oversight for exception volume and patterns
iv. Identify trends that may indicate internal service provider gaps
v. Review strategic implications of exceptions
Section 3.1.5 - Service Division Operations
- Operational Requirements: Each service division shall:
a. Operate as a cost center pursuant to Section 4.6.5
b. Maintain transparent cost accounting with quarterly reporting to all series
c. Be subject to Board oversight through appropriate committees
d. Select and manage external vendors as needed following procurement guidelines established by the Board
e. Develop and maintain appropriate service standards and SLAs
f. Conduct annual customer satisfaction surveys among series
g. Implement continuous improvement processes with measurable objectives
h. Maintain appropriate cybersecurity and compliance certifications
i. Establish disaster recovery and business continuity plans
j. Conduct quarterly technology and service reviews
k. Provide monthly service performance metrics to all series
l. Undergo annual security audits by qualified third-party firms
m. Maintain compliance with all relevant industry standards and regulations
n. Provide regular training to personnel on security and operational best practices
o. Establish and maintain risk management frameworks appropriate to service offerings
p. Implement formal change management processes for service modifications
q. Document all service procedures and maintain operational manuals
r. Establish quality control procedures with measurable outcomes
s. Participate in industry benchmarking and best practice forums
t. Maintain appropriate insurance coverage for service operations
u. Implement privacy and data protection measures aligned with global best practices
v. Maintain environmental sustainability practices for services and infrastructure
w. Develop and implement service accessibility standards
x. Engage in technology forecasting and future-proofing strategies
y. Maintain service knowledge bases for user self-service
- Board Oversight Responsibilities: The Board of Directors, through its committees, shall establish and oversee:
a. Performance metrics and reporting requirements
b. Service level frameworks
c. Cost allocation methodologies
d. Technology and service strategies
e. Vendor selection criteria
f. Quality control measures
g. Dispute resolution procedures for service conflicts
h. Compliance standards and monitoring
i. Cybersecurity requirements and testing
j. Other operational parameters as needed
k. Capital investment approval thresholds and procedures
l. Strategic technology alignment with Company objectives
m. Innovation funding and initiatives
n. Risk management standards and assessment methodologies
o. Succession planning for critical service leadership positions
p. Information security governance framework
q. User experience standards and accessibility requirements
r. Ethical technology use policies
s. Data governance and management policies
t. Technology procurement standards
- Service Roadmap Requirements: Each service provider shall:
a. Maintain a three-year service development roadmap
b. Conduct quarterly roadmap reviews with all series
c. Incorporate series feedback into roadmap updates
d. Align roadmap priorities with overall TSYS Group strategic objectives
e. Include specific technology innovation initiatives
f. Establish clear timelines for major service enhancements
g. Document resource allocation for strategic initiatives
h. Include contingency planning for emerging technologies and market shifts
i. Identify potential security and regulatory challenges
j. Document required competency development for service evolution
k. Establish metrics for measuring roadmap progress
l. Identify capacity planning requirements for future growth
m. Include technology retirement planning for legacy systems
n. Document integration strategies with complementary technologies
o. Align with industry standards and best practices
p. Address environmental sustainability considerations
q. Include accessibility enhancement initiatives
r. Document risk mitigation strategies for roadmap elements
s. Identify strategic partnerships required for implementation
t. Include total cost of ownership projections
- User Experience and Feedback System: Each service provider shall:
a. Implement a structured feedback system accessible to all series
b. Conduct quarterly user experience reviews
c. Maintain a transparent issue tracking system
d. Report on issue resolution metrics monthly
e. Incorporate user feedback into service improvements
f. Establish a user advisory group with representation from different series
g. Maintain a knowledge base of common issues and solutions
h. Publish service disruption post-mortems and remediation plans
i. Implement a suggestion system for service improvements
j. Develop service usage analytics to identify improvement opportunities
k. Establish formal user acceptance testing for major changes
l. Conduct annual service satisfaction benchmarking
m. Implement training programs to optimize user adoption
n. Create user communities for knowledge sharing and collaboration
o. Recognize and reward user contributions to service improvement
p. Develop user experience standards and guidelines
q. Implement accessibility testing for all services
r. Establish service personalization capabilities where appropriate
s. Conduct regular usability testing
t. Implement user journey mapping for key service interactions
Section 3.1.6 - Service Quality Management
- Quality Assurance Framework: Each service provider shall implement:
a. Formal quality management systems with defined processes
b. Regular internal audits of service quality
c. Root cause analysis for service incidents
d. Preventative action plans for recurring issues
e. Service performance trend analysis and reporting
f. Continuous service monitoring and alerting systems
g. Regular process improvement reviews
h. Customer impact assessment for all service changes
i. Post-implementation reviews of major service changes
j. Quality metrics aligned with business outcomes
k. Quality control gates throughout service delivery processes
l. Independent quality assurance function within the organization
m. Regular assessment against industry frameworks such as ITIL, COBIT, and ISO standards
n. Automated quality control mechanisms where applicable
o. Defect tracking and remediation processes
- Continuous Improvement Requirements:
a. Each service provider shall establish annual improvement goals for:
i. Service availability and reliability
ii. Response and resolution times
iii. Customer satisfaction ratings
iv. Cost efficiency metrics
v. Security posture and compliance
vi. Operational efficiency
vii. Technical debt reduction
viii. Environmental sustainability
ix. Accessibility compliance
x. Innovation implementation
b. Progress toward improvement goals shall be:
i. Measured and reported quarterly
ii. Reviewed by the Technology Oversight Committee
iii. Incorporated into service provider performance evaluations
iv. Tied to leadership compensation where applicable
v. Communicated transparently to all series
vi. Analyzed for patterns and trends
vii. Used to inform subsequent improvement objectives
viii. Benchmarked against industry standards
ix. Documented with clear methodologies
x. Subject to independent verification
- Service Provider Collaboration: Service providers shall:
a. Establish formal coordination mechanisms between providers
b. Conduct joint planning for interdependent services
c. Implement integrated incident management for cross-service issues
d. Share expertise and resources for mutual improvement
e. Develop and maintain integrated service catalogs
f. Establish clear handoff procedures for cross-service processes
g. Conduct joint disaster recovery exercises
h. Develop integrated security frameworks
i. Implement compatible technology standards
j. Coordinate service maintenance windows
k. Establish joint innovation initiatives
l. Harmonize user experience across service boundaries
m. Implement compatible data governance frameworks
n. Coordinate capacity planning activities
o. Share customer feedback and improvement opportunities
- Performance Measurement System:
a. Each service provider shall implement a comprehensive performance measurement system that:
i. Collects and analyzes quantitative and qualitative performance data
ii. Includes automated performance dashboards accessible to all series
iii. Tracks performance against SLA commitments
iv. Identifies trends and patterns in service performance
v. Provides early warning of potential service issues
vi. Includes customer satisfaction measurement
vii. Monitors key technical and operational metrics
viii. Compares performance against industry benchmarks
ix. Supports continuous improvement initiatives
x. Informs strategic planning decisions
b. Performance metrics shall include:
i. System availability and reliability
ii. Response and resolution times
iii. Transaction processing performance
iv. Security metrics
v. Cost efficiency
vi. Customer satisfaction
vii. Process efficiency
viii. Innovation implementation
ix. Technical debt reduction
x. Environmental sustainability
Section 3.1.7 - Technology Evolution and Innovation
- Innovation Requirements: To maintain competitive service offerings, service providers shall:
a. Allocate a minimum of 10% of their resources to innovation and new technology evaluation
b. Establish formal mechanisms for evaluating emerging technologies
c. Develop proof-of-concept processes for promising innovations
d. Create safe experimental environments for testing new technologies
e. Partner with series to pilot innovative solutions
f. Report quarterly on innovation initiatives and outcomes
g. Participate in industry forums and research communities
h. Establish relationships with technology research organizations
i. Develop internal innovation incentive programs
j. Create processes for scaling successful innovations
k. Maintain an innovation pipeline with short, medium, and long-term initiatives
l. Establish innovation governance processes
m. Implement formal ideation and evaluation methodologies
n. Develop metrics for measuring innovation effectiveness
o. Establish intellectual property protection for innovations
- Technology Currency: Service providers shall:
a. Maintain all technologies within manufacturer-supported versions
b. Establish and follow formal technology lifecycle policies
c. Provide 12-month advance notice for significant technology transitions
d. Maintain compatibility with industry-standard technologies
e. Ensure backward compatibility when feasible
f. Provide migration support for technology transitions
g. Document technology roadmaps with sunset dates
h. Assess and mitigate risks associated with aging technologies
i. Balance innovation with stability and security requirements
j. Provide training for series personnel on new technologies
k. Establish formal technology debt tracking and remediation processes
l. Implement architectural review processes for technology decisions
m. Document technology standards and compliance requirements
n. Maintain compatibility testing environments
o. Develop clear upgrade paths for all major systems
- Market Alignment: The Technology Oversight Committee shall:
a. Conduct annual assessments of market-competitive technologies
b. Benchmark internal services against industry leaders
c. Identify service gaps and deficiencies
d. Recommend strategic technology investments
e. Monitor industry trends and disruptions
f. Assess competitive threats from new technologies
g. Evaluate acquisition opportunities for technology advancement
h. Define technology standards aligned with industry direction
i. Forecast future technology requirements
j. Report significant findings to the Board
k. Develop strategies to address identified gaps
l. Coordinate market research across service providers
m. Identify cross-service technology opportunities
n. Assess regulatory and compliance technology requirements
o. Evaluate technology sustainability and environmental impact
- Emerging Technology Adoption Framework:
a. The Technology Oversight Committee shall establish a framework for evaluating and adopting emerging technologies that includes:
i. Formal evaluation criteria
ii. Risk assessment methodology
iii. Return on investment analysis
iv. Pilot program guidelines
v. Success metrics
vi. Security assessment requirements
vii. Compliance review process
viii. Integration evaluation
ix. Scalability assessment
x. User impact analysis
xi. Total cost of ownership projection
xii. Support and maintenance requirements
xiii. Skill development needs
xiv. Competitive advantage assessment
xv. Implementation planning requirements
b. Emerging technology adoption shall follow a staged approach:
i. Initial assessment and research
ii. Proof of concept in isolated environment
iii. Limited pilot with selected users
iv. Controlled production implementation
v. Full deployment with appropriate controls
vi. Continuous evaluation and optimization