Exhibit.(h)(1)
TRANSFER AGENCY AND SERVICE AGREEMENT
THIS AGREEMENT is made as of the 5th day of November, 2024, by and between STATE STREET BANK AND TRUST COMPANY, Massachusetts trust company having its principal office and place of business at One Congress Street, Boston, Massachusetts 02114 (“State Street” or the “Transfer Agent”), and Harris Oakmark ETF Trust, a Delaware business trust having its principal office and place of business at 111 S. Wacker Drive, Ste. 4600, Chicago, Illinois 60606 (the “Trust”).
WHEREAS, the Trust is authorized to issue shares of beneficial interest (“Shares”) in separate series, with each such series representing interests in a separate portfolio of securities and other assets;
WHEREAS, the Trust intends to initially offer Shares in one or more series, each as named in the attached Schedule A, which may be amended by the parties from time to time (such series, together with all other series subsequently established by the Trust and made subject to this Agreement in accordance with Section 11 of this Agreement, being herein referred to as a “Portfolio,” and collectively as the “Portfolios”);
WHEREAS, each Portfolio will issue and redeem Shares only in aggregations of Shares known as “Creation Units” as described in the currently effective prospectus and statement of additional information of the Trust (collectively, the “Prospectus”);
WHEREAS, only those entities (“Authorized Participants”) that have entered into an Authorized Participant Agreement with the distributor of the Trust, currently Foreside Fund Services, LLC, a subsidiary of ACA Group (the “Distributor”), are eligible to place orders for Creation Units with the Distributor;
WHEREAS, the Depository Trust Company, a limited purpose trust company organized under the laws of the State of New York (“DTC”) or its nominee will be the record or registered owner of all outstanding Shares;
WHEREAS, Trust desires to appoint Transfer Agent to act as its transfer agent, dividend disbursing agent and agent in connection with certain other activities; and Transfer Agent is willing to accept such appointment.
NOW, THEREFORE, in consideration of the mutual covenants herein contained, the parties hereto, agree as follows:
|1.
|TERMS OF APPOINTMENT
|1.1
|Subject to the terms and conditions set forth in this Agreement, the Trust and each Portfolio hereby employs and appoints the Transfer Agent to act as, and the Transfer Agent agrees to act as, transfer agent for the Creation Units and dividend disbursing agent of the Trust and each Portfolio.
1
|1.2
|Transfer Agency Services. In accordance with procedures established from time to time by agreement between the Trust and each Portfolio, as applicable, and the Transfer Agent (the “Procedures”), the Transfer Agent shall:
|(i)
|establish each Authorized Participant’s account in the applicable Portfolio on the Transfer Agent’s recordkeeping system and maintain such account for the benefit of such Authorized Participant;
|(ii)
|receive and process orders for the purchase of Creation Units from the Distributor or the Trust, and promptly deliver payment and appropriate documentation thereof to the custodian of the applicable Portfolio as identified by the Trust (the “Custodian”);
|(iii)
|generate or cause to be generated and transmitted confirmation of receipt of such purchase orders to the Authorized Participants and, if applicable, transmit appropriate trade instruction to the National Securities Clearance Corporation (“NSCC”) and/or DTC;
|(iv)
|receive and process redemption requests and redemption directions from the Distributor or the Trust with respect to Shares of each Portfolio and deliver the appropriate documentation thereof to the Custodian;
|(v)
|with respect to items (i) through (iv) above, the Transfer Agent may execute transactions directly with Authorized Participants;
|(vi)
|at the appropriate time as and when it receives monies paid to it by the Custodian with respect to any redemption, pay over or cause to be paid over in the appropriate manner such monies, if any, to the redeeming Authorized Participant as instructed by the Distributor or the Trust;
|(vii)
|prepare and transmit by means of DTC’s book-entry system payments for any dividends and distributions declared by the Trust on behalf of the applicable Portfolio;
|(viii)
|record the issuance of Shares of the applicable Portfolio and maintain a record of the total number of Shares of each Portfolio which are issued and outstanding; and provide the Trust on a regular basis with the total number of Shares of each Portfolio which are issued and outstanding but Transfer Agent shall have no obligation, when recording the issuance of Shares, to monitor the issuance of such Shares to determine if there are authorized Shares available for issuance or to take cognizance of any laws relating to, or corporate actions required for, the issue or sale of such Shares, which functions shall be the sole responsibility of the Trust and each Portfolio; and, excluding DTC or its nominee as the record or registered owner, the Transfer Agent shall have no obligations or responsibilities to account for, keep records of, or otherwise related to, the beneficial owners of the Shares;
2
|(ix)
|maintain and manage, as agent for the Trust and each Portfolio, such bank accounts as the Transfer Agent shall deem necessary for the performance of its duties under this Agreement, including but not limited to, the processing of Creation Unit purchases and redemptions and the payment of a Portfolio’s dividends and distributions. The Transfer Agent may maintain such accounts at the bank or banks deemed appropriate by the Transfer Agent in accordance with applicable law;
|(x)
|process any request from an Authorized Participant to change its account registration; and
|(xi)
|except as otherwise instructed by the Trust, the Transfer Agent shall process all transactions in each Portfolio in accordance with the procedures mutually agreed upon by the Trust and the Transfer Agent with respect to the proper net asset value to be applied to purchase orders received in good order by the Transfer Agent or by the Trust or any other person or firm on behalf of such Portfolio or from an Authorized Participant before cut-offs established by the Trust. The Transfer Agent shall report to the Trust any known exceptions to the foregoing.
|1.3
|Additional Services. In addition to, and neither in lieu of nor in contravention of the services set forth in Section 1.2 above, the Transfer Agent shall perform the following services:
|(i)
|The Transfer Agent shall perform such other services for the Trust that are mutually agreed to by the parties from time to time, for which the Trust will pay such fees as may be mutually agreed upon, including the Transfer Agent’s reasonable out-of-pocket expenses. The provision of such services shall be subject to the terms and conditions of this Agreement.
|(ii)
|DTC and NSCC. The Transfer Agent shall: (a) accept and effectuate the registration and maintenance of accounts, and the purchase and redemption of Creation Units in such accounts, in accordance with instructions transmitted to and received by the Transfer Agent by transmission from DTC or NSCC on behalf of Authorized Participants; and (b) issue instructions to a Portfolio’s banks for the settlement of transactions between the Portfolio and DTC or NSCC (acting on behalf of the applicable Authorized Participant).
|1.4
|Authorized Persons. The Trust and each Portfolio, hereby agrees and acknowledges that the Transfer Agent may rely on the current list of authorized persons, including authorized persons of the Trust or the Distributor, as provided or agreed to by the Trust and as may be amended from time to time, in receiving instructions to issue or redeem Creation Units. The Trust and each Portfolio, agrees and covenants for itself and each such authorized person that any order or sale of or transaction in Creation Units received by it after the order cut-off time as set forth in the Prospectus or such earlier time as designated by such Portfolio (the “Order Cut-Off Time”), shall be effectuated at the net asset value determined on the next business day or as otherwise required pursuant to the applicable Portfolio’s then-effective Prospectus, and the Trust or such authorized person shall so instruct the Transfer Agent of the proper effective date of the transaction.
3
|1.5
|Anti-Money Laundering and Client Screening. With respect to the Trust’s or any Portfolio’s offering and sale of Creation Units at any time, and for all subsequent transfers of such interests, the Trust or its delegate shall, to the extent applicable, directly or indirectly and to the extent required by law: (i) conduct know your customer/client identity due diligence with respect to potential investors and transferees in the Shares and Creation Units and shall obtain and retain due diligence records for each investor and transferee; (ii) use its best efforts to ensure that each investor’s and any transferee’s funds used to purchase Creation Units or Shares shall not be derived from, nor the product of, any criminal activity; (iii) if requested, provide periodic written verifications that such investors/transferees have been checked against the United States Department of the Treasury Office of Foreign Assets Control database for any non-compliance or exceptions; and (iv) perform its obligations under this Section in accordance with all applicable anti-money laundering laws and regulations. In the event that the Transfer Agent has received advice from counsel that access to underlying due diligence records pertaining to the investors/transferees is necessary to ensure compliance by the Transfer Agent with relevant anti-money laundering (or other applicable) laws or regulations, the Trust shall, upon receipt of written request from the Transfer Agent, provide the Transfer Agent copies of such due diligence records.
|1.6
|State Transaction (“Blue Sky”) Reporting. If applicable, the Trust shall be solely responsible for its “blue sky” compliance and state registration requirements.
|1.7
|Tax Law. The Transfer Agent shall have no responsibility or liability for any obligations now or hereafter imposed on the Trust, a Portfolio, any Creation Units, any Shares, a beneficial owner thereof, an Authorized Participant or the Transfer Agent in connection with the services provided by the Transfer Agent hereunder by the tax laws of any country or of any state or political subdivision thereof. It shall be the responsibility of the Trust to notify the Transfer Agent of the obligations imposed on the Trust, a Portfolio, the Creation Units, the Shares, or the Transfer Agent in connection with the services provided by the Transfer Agent hereunder by the tax law of countries, states and political subdivisions thereof, including responsibility for withholding and other taxes, assessments or other governmental charges, certifications and governmental reporting, but excluding income, excise, franchise or other similar taxes ordinarily imposed on the Transfer Agent’s income, assets or business generally.
|1.8
|The Transfer Agent shall provide the office facilities and the personnel determined by it to perform the services contemplated herein.
4
2. FEES AND EXPENSES
|2.1
|Fee Schedule. For the performance by the Transfer Agent of services provided pursuant to this Agreement, the Transfer Agent shall be entitled to receive the fees and expenses set forth in a written fee schedule agreed to by the parties.
3. REPRESENTATIONS AND WARRANTIES OF THE TRANSFER AGENT
The Transfer Agent represents and warrants to the Trust that:
|3.1
|It is a trust company duly organized and existing under the laws of the Commonwealth of Massachusetts.
|3.2
|It is duly registered as a transfer agent under Section 17A(c)(2) of the Securities Exchange Act of 1934, as amended (the “1934 Act”), it will remain so registered for the duration of this Agreement, and it will promptly notify the Trust in the event of any material change in its status as a registered transfer agent.
|3.3
|It is duly qualified to carry on its business in the Commonwealth of Massachusetts.
|3.4
|It is empowered under applicable laws and by its organizational documents to enter into and perform the services contemplated in this Agreement.
|3.5
|All requisite organizational proceedings have been taken to authorize it to enter into and perform this Agreement.
4. REPRESENTATIONS AND WARRANTIES OF THE TRUST AND
THE PORTFOLIOS
The Trust and each Portfolio represents and warrants to the Transfer Agent that:
|4.1
|The Trust is a business trust duly organized, existing and in good standing under the laws of the state of its formation.
|4.2
|The Trust is empowered under applicable laws and by its organizational documents to enter into and perform this Agreement.
|4.3
|All requisite proceedings have been taken to authorize the Trust to enter into, perform and receive services pursuant to this Agreement and to appoint the Transfer Agent as transfer agent of the Trust and the Portfolios.
|4.4
|The Trust is registered under the Investment Company Act of 1940, as amended (the “1940 Act”), as an open-end management investment company.
|4.5
|A registration statement under the Securities Act of 1933, as amended (the “Securities Act”), with respect to the Portfolio will be effective and will remain effective, and all appropriate state securities law filings have been made and will continue to be made, with respect to all Shares of the Trust being offered for sale.
5
|4.6
|Where information provided by the Trust or the Authorized Participants includes information about an identifiable individual (“Personal Information”), the Trust represents and warrants that it has obtained all consents and approvals, as required by all applicable laws, regulations, by-laws and ordinances that regulate the collection, processing, use or disclosure of Personal Information, necessary to disclose such Personal Information to the Transfer Agent, and as required for the Transfer Agent to use and disclose such Personal Information in connection with the performance of the services hereunder. The Trust acknowledges that the Transfer Agent may perform any of the services, and may use and disclose Personal Information in connection with the performance of the services hereunder outside of the jurisdiction in which it was initially collected by the Trust, including the United States and that information relating to the Trust, including Personal Information of investors may be accessed by national security authorities, law enforcement and courts. The Transfer Agent shall be kept indemnified by and be without liability to the Trust for any action taken or omitted by it in reliance upon this representation and warranty, including without limitation, any liability or costs in connection with claims or complaints for failure to comply with any applicable law that regulates the collection, processing, use or disclosure of Personal Information.
5. DATA ACCESS AND PROPRIETARY INFORMATION
|5.1
|The Trust acknowledges that the databases, computer programs, screen formats, report formats, interactive design techniques, and documentation manuals furnished to the Trust by the Transfer Agent as part of the Trust’s ability to access certain Trust-related data maintained by the Transfer Agent or another third party on databases under the control and ownership of the Transfer Agent (“Data Access Services”) constitute copyrighted, trade secret, or other proprietary information (collectively, “Proprietary Information”) of substantial value to the Transfer Agent or another third party. In no event shall Proprietary Information be deemed Authorized Participant information or the confidential information of the Trust. The Trust and each Portfolio agrees to treat all Proprietary Information as proprietary to the Transfer Agent and further agrees that it shall not divulge any Proprietary Information to any person or organization except as may be provided hereunder. Without limiting the foregoing, the Trust agrees for itself and its officers and trustees and their agents, to:
|(i)
|use such programs and databases solely on the Trust’s, or such agents’ computers, or solely from equipment at the location(s) agreed to between the Trust and the Transfer Agent, and solely in accordance with the Transfer Agent’s applicable user documentation;
|(ii)
|except in connection with routine computer backups, refrain from copying or duplicating in any way the Proprietary Information;
|(iii)
|refrain from obtaining unauthorized access to any portion of the Proprietary Information, and if such access is inadvertently obtained, to inform the Transfer Agent in a timely manner of such fact and dispose of such information in accordance with the Transfer Agent’s instructions;
6
|(iv)
|refrain from causing or allowing Proprietary Information transmitted from the Transfer Agent’s computers to the Trust’s, or such agents’ computer to be retransmitted to any other computer facility or other location, except with the prior written consent of the Transfer Agent;
|(v)
|allow the Trust or such agents to have access only to those authorized transactions agreed upon by the Trust and the Transfer Agent;
|(vi)
|honor all reasonable written requests made by the Transfer Agent to protect at the Transfer Agent’s expense the rights of the Transfer Agent in Proprietary Information at common law, under federal copyright law and under other federal or state law (such consent not to be unreasonably withheld).
|5.2
|Proprietary Information shall not include all or any portion of any of the foregoing items that (1) are or become publicly available without breach of this Agreement; (ii) that are released for general disclosure by a written release by the Transfer Agent; or (iii) that are already in the possession of the receiving party at the time of receipt without obligation of confidentiality or breach of this Agreement.
|5.3
|The Trust may, with reasonable notice to the Transfer Agent, disclose Proprietary Information in the event that it is required to be disclosed: (i) by law or in a judicial or administrative proceeding; or (ii) by an appropriate regulatory authority having jurisdiction over the Trust; provided that all reasonable legal remedies for maintaining such information in confidence have been exhausted, including, but not limited to, giving the Transfer Agent as much advance notice of the possibility of such disclosure as practical so the Transfer Agent may attempt to prevent such disclosure or obtain a protective order concerning such disclosure.
|5.4
|If the Trust notifies the Transfer Agent that any of the Data Access Services do not operate in material compliance with the most recently issued user documentation for such services, the Transfer Agent shall use commercially reasonable efforts to correct such failure. Organizations from which the Transfer Agent may obtain certain data included in the Data Access Services are solely responsible for the contents of such data, and the Trust agrees to make no claim against the Transfer Agent arising out of the contents of such third-party data, including, but not limited to, the accuracy thereof. DATA ACCESS SERVICES AND ALL COMPUTER PROGRAMS AND SOFTWARE SPECIFICATIONS USED IN CONNECTION THEREWITH ARE PROVIDED ON AN “AS IS, AS AVAILABLE” BASIS. THE TRANSFER AGENT EXPRESSLY DISCLAIMS ALL WARRANTIES EXCEPT THOSE EXPRESSLY STATED HEREIN INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
7
|5.5
|If the transactions available to the Trust include the ability to originate electronic instructions to the Transfer Agent in order to (i) effect the transfer or movement of cash or Creation Units, or (ii) transmit Authorized Participant information or other information, then in such event the Transfer Agent shall be entitled to rely on the validity and authenticity of such instruction without undertaking any further inquiry as long as such instruction is undertaken in conformity with security procedures established by the Transfer Agent from time to time.
|5.6
|Each party shall take reasonable efforts to advise its employees of their obligations pursuant to this Section. The obligations of this Section shall survive any earlier termination of this Agreement.
|6.
|STANDARD OF CARE / LIMITATION OF LIABILITY
|6.1
|The Transfer Agent shall at all times act in good faith and with the reasonable care expected of a professional provider of transfer agency services to institutional investors in its performance of all services performed under this Agreement, but assumes no responsibility and shall not be liable for loss or damage due to errors, including encoding and payment processing errors, unless said errors are caused by its negligence, bad faith, fraud or willful misconduct or that of its employees or agents. The parties agree that any encoding or payment processing errors shall be governed by this standard of care, and that Section 4-209 of the Uniform Commercial Code is superseded by this Section.
|6.2
|In any event, the Transfer Agent’s cumulative liability for the term of the Agreement for all liability or losses, regardless of the form of action or legal theory, shall be limited to the fees (excluding expenses) received by the Transfer Agent under this Agreement during the preceding 12-month period.
|6.3
|In no event shall either party be liable for any special, incidental, indirect, punitive or consequential damages, including lost profits, of any kind whatsoever under any provision of this Agreement or for any such damages arising out of any act or failure to act hereunder, each of which is hereby excluded by agreement of the parties regardless of whether such damages were foreseeable or whether either party or any entity had been advised of the possibility of such damages..
|7
|INDEMNIFICATION
|7.1
|The Transfer Agent and its affiliates, including their respective officers, directors, employees and agents (the “Indemnitees”), shall not be responsible for, and the Trust and each Portfolio, severally and not jointly, shall indemnify and hold the Indemnitees harmless from and against, any and all losses, damages, costs, charges, reasonable counsel fees (including the defense of any lawsuit in which one of the Indemnitees is a named party), payments, expenses and liability arising out of or attributable to:
8
|(i)
|all actions of the Transfer Agent or its agents or subcontractors required to be taken pursuant to this Agreement, provided that such actions are taken in good faith and without negligence, fraud, or willful misconduct;
|(ii)
|the Trust’s breach of any material representation, warranty or covenant of the Trust hereunder;
|(iii)
|the Trust’s lack of good faith, negligence or willful misconduct;
|(iv)
|reliance upon, and any subsequent use of or action taken or omitted, by the Transfer Agent, or its agents or subcontractors on: (a) any information, records, documents, data, stock certificates or services, which are received by the Transfer Agent or its agents or subcontractors in physical form, or by machine readable input, facsimile, electronic data entry, electronic instructions or other similar means authorized by the Trust, and which have been prepared, maintained or performed by the Trust or any other person or firm on behalf of the Trust, including but not limited to any broker-dealer, third party administrator or previous transfer agent; (b) any instructions or requests of the Trust or its officers or the Trust’s agents or subcontractors or their officers or employees, in each case who have been designated by the Trust as Authorized Persons; (c) any written instructions or opinions of legal counsel to the Trust or any Portfolio with respect to any matter arising in connection with the services to be performed by the Transfer Agent under this Agreement which are provided to the Transfer Agent by the Trust or Portfolio after consultation by the Trust with such legal counsel; or (d) any paper or document, reasonably believed to be genuine, authentic, or signed by the proper person or persons with the authority to provide instructions to the Transfer Agent hereunder;
|(v)
|the offer or sale of Creation Units in violation of any requirement under federal or state securities laws or regulations requiring that such Creation Units be registered, or in violation of any stop order or other determination or ruling by any federal or state agency with respect to the offer or sale of such Creation Units;
|(vi)
|the negotiation and processing of any checks, wires and ACH transmissions, including without limitation, for deposit into, or credit to, the Trust’s demand deposit accounts maintained by the Transfer Agent;
|(vii)
|all actions relating to the transmission of Trust, Creation Unit or Authorized Participant data through the NSCC clearing systems, if applicable; and
|(viii)
|any tax obligations under the tax laws of any country or of any state or political subdivision thereof, including taxes, withholding and reporting requirements, claims for exemption and refund, additions for late payment, interest, penalties and other expenses (including legal expenses) that may be assessed, imposed or charged against the Transfer Agent as transfer agent hereunder, but excluding income, excise, franchise and other similar taxes ordinarily imposed on the Transfer Agent’s income, property or business generally.
9
|7.2
|Subject to this Section 7 and the exclusions and limitations of liability elsewhere in this Agreement, the Transfer Agent will indemnify the Trust and each Portfolio from any direct Losses incurred by the Trust or a Portfolio, in each case, to the extent such Losses result from the negligence, willful default, bad faith or fraud of the Transfer Agent (or that of its Delegates) in the performance of its obligations under this Agreement.
|7.3
|Each party will use reasonable efforts to mitigate any Losses in respect of which it claims indemnification under this Agreement.
|7.4
|A party seeking indemnification (the “Indemnified Party”) against a third-party claim (“Indemnified Claim”) will promptly provide written notice of such claim to the party obligated to indemnify (the “Indemnifying Party”), provided, however, that any failure to so notify the Indemnifying Party will not relieve the Indemnifying Party from any liability under this Section, except to the extent that such omission materially prejudices the investigation and/or defense of the Indemnified Claim. The Indemnifying Party will, at its own expense, be entitled, but not obligated to control and direct the investigation and defense of any Indemnified Claim; except where the Transfer Agent is the Indemnified Party and Transfer Agent is seeking indemnification from one or more other customers of the Transfer Agent for claims based on common facts or otherwise related to the Indemnified Claim, in which case the Transfer Agent will have the right to control and direct the investigation and defense of the Indemnified Claim, at the expense of all of the customers from which indemnification is sought, including the Indemnifying Party, pro rata, as appropriate. In the event the Indemnifying Party is controlling and directing the investigation and defense of the Indemnified Claim, the Indemnified Party may retain separate counsel at its own expense. If a conflict of interest exists between the Indemnified Party and the Indemnifying Party with respect to the defense of such claim, the reasonable cost of separate counsel with respect to the conflicting issue will be an indemnified expense.
|7.5
|Neither party may settle an Indemnified Claim without the consent of the other party, which consent will not be unreasonably withheld, conditioned or delayed, provided that the Indemnifying Party will have the right to settle an Indemnified Claim without the consent of the Indemnified Party if such settlement (A) involves only the payment of money, (B) fully and unconditionally releases the Indemnified Party from any liability in exchange for the amount paid in settlement and (C) does not include any admission of fault or liability in relation to the Indemnified Party.
|7.6
|At any time the Transfer Agent may apply to any officer of the Trust for instructions, and may consult with legal counsel (which may be Trust counsel) with respect to any matter arising in connection with the services to be performed by the Transfer Agent under this Agreement, and the Transfer Agent and its agents or subcontractors shall not be liable and shall be indemnified by the Trust and the applicable Portfolio for any action taken or omitted by it in reliance upon such instructions or upon the opinion of such counsel. The Transfer Agent, its agents and subcontractors shall be protected and indemnified in acting upon any paper or document furnished by or on behalf of the Trust or the applicable Portfolio, reasonably believed to be genuine and to have been signed by the proper person or persons, or upon any instruction, information, data, records or documents provided the Transfer Agent or its agents or subcontractors by machine readable input, electronic data entry or other similar means authorized by the Trust and the Portfolios, and shall not be held to have notice of any change of authority of any person, until receipt of written notice thereof from the Trust.
10
8. ADDITIONAL COVENANTS OF THE TRUST AND THE TRANSFER AGENT
|8.1
|Delivery of Documents. The Trust shall promptly furnish to the Transfer Agent the following:
|(i)
|A copy of the resolution of the Board of Trustees of the Trust certified by the Trust’s Secretary authorizing the appointment of the Transfer Agent and the execution and delivery of this Agreement.
|(ii)
|A copy of the Declaration of Trust and By-Laws of the Trust and all amendments thereto.
|8.2
|Certificates, Checks, Facsimile Signature Devices. The Transfer Agent hereby agrees to establish and maintain facilities and procedures for safekeeping of any stock certificates, check forms and facsimile signature imprinting devices; and for the preparation or use, and for keeping account of, such certificates, forms and devices.
|8.3
|Records. The Transfer Agent shall keep records relating to the services to be performed hereunder, in the form and manner as required by law or as it may deem advisable. In furtherance of the Trust’s compliance with the requirements of Section 31 of the 1940 Act and the Rules thereunder, the Transfer Agent agrees that any records relating to the services provided to the Trust and Portfolios hereunder and for which it maintains for the Trust shall be and at all times remain the property of the Trust and will be made available upon reasonable request and preserved for the periods prescribed by the applicable Rules unless such records are earlier surrendered to the Trust or Portfolios. Records may be surrendered in either written or machine-readable form, at the option of the Transfer Agent. In the event that the Transfer Agent is requested or authorized by the Trust, or required by subpoena, administrative order, court order or other legal process, applicable law or regulation, or required in connection with any investigation, examination or inspection of the Trust by state or federal regulatory agencies, to produce the records of the Trust or the Transfer Agent’s personnel as witnesses or deponents, the Trust agrees to pay the Transfer Agent for the Transfer Agent’s time and expenses, as well as the fees and expenses of the Transfer Agent’s counsel, incurred in such production.
11
9. CONFIDENTIALITY AND USE OF DATA
|9.1
|All information provided under this Agreement by a party (the “Disclosing Party”) to the other party (the “Receiving Party”) regarding the Disclosing Party’s business and operations shall be treated as confidential. Subject to Section 9.2 below, all confidential information provided under this Agreement by Disclosing Party shall be used, including disclosure to third parties, by the Receiving Party, or its agents or service providers, solely for the purpose of performing or receiving the services and discharging the Receiving Party’s other obligations under the Agreement or managing the business of the Receiving Party and its Affiliates (as defined in Section 9.2 below), including financial and operational management and reporting, risk management, legal and regulatory compliance and client service management. The foregoing shall not be applicable to any information (a) that is publicly available when provided or thereafter becomes publicly available, other than through a breach of this Agreement, (b) that is independently derived by the Receiving Party without the use of any information provided by the Disclosing Party in connection with this Agreement, (c) that is disclosed to comply with any legal or regulatory proceeding, investigation, audit, examination, subpoena, civil investigative demand or other similar process, (d) that is disclosed as required by operation of law or regulation or as required to comply with the requirements of any market infrastructure that the Disclosing Party or its agents direct the Transfer Agent or its Affiliates to employ (or which is required in connection with the holding or settlement of instruments included in the assets subject to this Agreement), or (e) where the party seeking to disclose has received the prior written consent of the party providing the information, which consent shall not be unreasonably withheld.
|9.2
|(a) In connection with the provision of the services and the discharge of its other obligations under this Agreement, the Transfer Agent (which term for purposes of this Section 9.2 includes each of its parent company, branches and affiliates (“Affiliates”)) may collect and store information regarding the Trust or Fund and share such information with its Affiliates, agents and service providers in order and to the extent reasonably necessary (i) to carry out the provision of services contemplated under this Agreement and other agreements between the Trust and the Transfer Agent or any of its Affiliates and (ii) to carry out management of its businesses, including, but not limited to, financial and operational management and reporting, risk management, legal and regulatory compliance and client service management.
(b) Subject to paragraph (d) below, the Transfer Agent and/or its Affiliates may use any Confidential Information of the Trust or Portfolios (“Data”) obtained by such entities in the performance of their services under this Agreement or any other agreement between the Trust and the Transfer Agent or one of its Affiliates, including Data regarding transactions and portfolio holdings relating to the Trust to develop, publish or otherwise distribute to third parties certain investor behavior “indicators” or “indices” that represent broad trends in the flow of investment funds into various markets, sectors or investment instruments (collectively, the “Indicators”), but only so long as (i) the Data is combined or aggregated with (A) information of other customers of the Transfer Agent and/or (B) information derived from other sources, in each case such that the Indicators do not allow for attribution or identification of such Data with the Trust, (ii) the Data represents less than a statistically meaningful portion of all of the data used to create the Indicators and (iii) the Transfer Agent publishes or otherwise distributes to third parties only the Indicators and under no circumstance publishes, makes available, distributes or otherwise discloses any of the Data to any third party, whether aggregated, anonymized or otherwise, except as expressly permitted under this Agreement.
12
(c) The Trust acknowledges that the Transfer Agent may seek to realize economic benefit from the publication or distribution of the Indicators.
(d) Except as expressly contemplated by this Agreement, nothing in this Section 9.2 shall limit the confidentiality and data-protection obligations of the Transfer Agent and its Affiliates under this Agreement and applicable law. The Transfer Agent shall cause any Affiliate, agent or service provider to which it has disclosed Data pursuant to this Section 9.2 to comply at all times with confidentiality and data-protection obligations as if it were a party to this Agreement.
|9.3
|The Transfer Agent affirms that it has, and will continue to have throughout the term of this Agreement, procedures in place that are reasonably designed to protect the privacy of non-public personal consumer/customer financial information to the extent required by applicable laws, rules and regulations.
|9.4
|The Trust acknowledges that the Transfer Agent may seek and realize economic benefit from the publication or distribution of the Indicators. The Trust further acknowledges that the Transfer Agent does not charge a fee for the use of Indicators.
9.5 Disclosure of Confidential Information and Data
|9.5.1
|Disclosure of Confidential Information to Representatives. The Receiving Party may disclose the Disclosing Party’s Confidential Information without the Disclosing Party’s consent to its Delegates attorneys, accountants, auditors, consultants and other similar advisors that have a reasonable need to know such Confidential Information (“Representatives”), provided such Confidential Information is disclosed under obligations of confidentiality that (i) prohibit the disclosure or use of such Confidential Information by the Representatives for any purpose other than the specific engagement with the Receiving Party for which the Representative has been retained and (ii) are otherwise no less restrictive than the confidentiality obligations contained in this Agreement. The parties acknowledge that use of Confidential Information by a Representative to represent its other clients in dealing with the Disclosing Party would constitute a breach of this Section 9.5 by the Receiving Party. Where the Transfer Agent is the Receiving Party, “Representatives” will include its Affiliates and Service Providers (as defined below).
13
|9.5.2
|Disclosure and Use of Confidential Information by Transfer Agent. The Transfer Agent may disclose and permit use (as applicable) of Confidential Information of the Trust without the Trust’s consent:
|9.5.2.1
|to its Affiliates and any of their third-party agents and service providers (“Service Providers”) in connection with the provision of services, the discharge of its obligations under this Agreement or the carrying out of any instruction, including in accordance with the standard practices or requirements of any Financial Market Utility or in connection with the settlement, holding or administration of cash, securities or other instruments. “Financial Market Utility” means any multilateral system for transferring, clearing, and settling payments, securities, and other financial transactions among or between financial institutions, including payment systems, central securities depositories, securities settlement systems, central counterparties and trade repositories;
|9.5.2.2
|to its Affiliates in connection with the management of the businesses of the Transfer Agent and its Affiliates, including, but not limited to, financial and operational management and reporting, risk management, legal and regulatory compliance and client service management and marketing;
provided that, in each case, such Confidential Information is disclosed under obligations of confidentiality, or in a manner consistent with industry practice, or to the extent applicable, as set forth in the State Street Client Information Security Schedule attached as Schedule B hereto.
All Confidential Information provided by a Disclosing Party shall remain the property of such Disclosing Party and, together with any copies thereof, shall upon the Disclosing Party’s written request, be returned to the Disclosing Party or destroyed; provided, that the Receiving Party shall be permitted to retain (but no longer disclose other than to satisfy a legal requirement as provided under 9.5.4 hereof) all or any portion of the Confidential Information subject to this Section 9.
|9.5.3
|Confidential Information and Cloud Computing and Storage. Each party may store Confidential Information with third-party providers of information technology services, and permit access to Confidential Information by such providers as reasonably necessary for the receipt of cloud computing and storage services and related hardware and software maintenance and support. Such Confidential Information must be disclosed under obligations of confidentiality.
|9.5.4
|Disclosure of Confidential Information to Comply with Law. The Receiving Party may disclose the Disclosing Party’s Confidential Information to the extent such disclosure is required to satisfy any legal requirement (including in response to court-issued orders, investigative demands, subpoenas or similar processes or to satisfy the requirements of any applicable regulatory authority), provided that reasonably practicable notice is given to the Disclosing Party, to the extent permitted by applicable law.
14
|9.5.5
|Harm of Unauthorized Disclosure of Confidential Information. Each party acknowledges that the disclosure of Confidential Information or the use of Confidential Information in breach of this Agreement, may immediately give rise to continuing irreparable injury inadequately compensable in damages at law, and in such cases the Receiving Party agrees to waive any defense that an adequate remedy at law is available if the Disclosing Party seeks to obtain injunctive relief against any such breach or any threatened breach.
|9.5.6
|Responsibility for Representatives. Each party will be responsible for any use or disclosure of Confidential Information of the Disclosing Party in breach of this Agreement by its Representatives as though such party had used or disclosed such Confidential Information itself.
|10.
|Effective Period and Termination
This Agreement shall remain in full force and effect for an initial term ending November 5, 2027 (the “Initial Term”). After the expiration of the Initial Term, this Agreement shall automatically renew for successive 1-year terms (each, a “Renewal Term”) unless a written notice of non-renewal is delivered by the non-renewing party no later than ninety (90) days prior to the expiration of the Initial Term or any Renewal Term, as the case may be. During the Initial Term and thereafter, either party may terminate this Agreement: (i) in the event of the other party’s material breach of a material provision of this Agreement that the other party has either (a) failed to cure or (b) failed to establish a remedial plan to cure that is reasonably acceptable, within 60 days’ written notice of such breach, or (ii) in the event of the appointment of a conservator or receiver for the other party or upon the happening of a like event to the other party at the direction of an appropriate agency or court of competent jurisdiction. Upon termination of this Agreement pursuant to this paragraph with respect to the Trust or any Portfolio, the Trust or applicable Portfolio shall pay Transfer Agent its compensation due and shall reimburse Transfer Agent for its costs, expenses and disbursements.
In the event of: (i) the Trust’s termination of this Agreement with respect to the Trust or its Portfolio(s) for any reason other than as set forth in the immediately preceding paragraph, or (ii) a transaction not in the ordinary course of business pursuant to which the Transfer Agent is not retained to continue providing services hereunder to the Trust or a Portfolio (or its respective successor), the Trust or applicable Portfolio shall pay the Transfer Agent its compensation due through the end of the then-current term (based upon the average monthly compensation previously earned by Transfer Agent with respect to the Trust or such Portfolio) and shall reimburse the Transfer Agent for its costs, expenses and disbursements. Upon receipt of such payment and reimbursement, the Transfer Agent will deliver the Trust’s or such Portfolio’s records as set forth herein. For the avoidance of doubt, no payment will be required pursuant to clause (ii) of this paragraph in the event of any transaction such as (a) the liquidation or dissolution of the Trust or a Portfolio and distribution of the Trust’s or Portfolio’s assets as a result of the Board’s determination in its reasonable business judgment that the Trust or such Portfolio is no longer viable, (b) a merger of the Trust or a Portfolio into, or the consolidation of the Trust of a Portfolio with, another entity, or (c) the sale by the Trust or a Portfolio of all, or substantially all, of its assets to another entity, in each of (b) and (c) where the Transfer Agent is retained to continue providing services to the Trust or such Portfolio (or its respective successor) on substantially the same terms as this Agreement.
15
Termination of this Agreement with respect to any one particular Portfolio shall in no way affect the rights and duties under this Agreement with respect to the Trust or any other Portfolio.
11. Additional portfolios
In the event that the Trust establishes one or more series of Shares in addition to the Portfolios listed on the attached Schedule A, with respect to which the Trust desires to have the Transfer Agent render services as transfer agent under the terms hereof, it shall so notify the Transfer Agent in writing, and if the Transfer Agent agrees in writing to provide such services, such series of Shares shall become a Portfolio hereunder.
Notwithstanding any other provision of this Agreement, the parties agree that the assets and liabilities of each Portfolio are separate and distinct from the assets and liabilities of each other Portfolio and that no Portfolio shall be liable or shall be charged for any debt, obligation or liability of any other Portfolio, whether arising under this Agreement or otherwise.
|12.
|assignment
|12.1
|Except as provided in Section 13 below, neither this Agreement nor any rights or obligations hereunder may be delegated or assigned by either party without the written consent of the other party.
|12.2
|Except as explicitly stated elsewhere in this Agreement, nothing under this Agreement shall be construed to give any rights or benefits in this Agreement to anyone other than the Transfer Agent and the Trust and the Portfolios, and the duties and responsibilities undertaken pursuant to this Agreement shall be for the sole and exclusive benefit of the Transfer Agent and the Trust and the Portfolios. This Agreement shall inure to the benefit of, and be binding upon, the parties and their respective permitted successors and assigns.
|12.3
|This Agreement does not constitute an agreement for a partnership or joint venture between the Transfer Agent and the Trust. Neither party shall make any commitments with third parties that are binding on the other party without the other party’s prior written consent.
16
13. DELEGATION; SUBCONTRACTORS
|13.1
|The Transfer Agent shall have the right, without the consent or approval of the Trust, to employ agents, subcontractors, consultants and other third parties, whether affiliated or unaffiliated, to provide or assist it in the provision of any part of the services stated herein (each, a “Delegate” and collectively, the “Delegates”), without the consent or approval of the Trust. The Transfer Agent shall be responsible for the services delivered by, and the acts and omissions of, any such Delegate as if the Transfer Agent had provided such services and committed such acts and omissions itself. Unless otherwise agreed in a fee schedule, approved in writing by the Trust, the Transfer Agent shall be responsible for the compensation of its Delegates. Where required, such Delegate shall be a duly registered transfer agent pursuant to Section 17A(c)(2) of the 1934 Act.
|13.2
|The Transfer Agent will provide the Trust with information regarding its global operating model for the delivery of the services on a quarterly or other periodic basis, which information shall include the identities of Delegates affiliated with the Transfer Agent that perform or may perform parts of the services, and the locations from which such Delegates perform services, as well as such other information about its Delegates as the Trust may reasonably request from time to time. Nothing in this Section 13 shall limit or restrict the Transfer Agent’s right to use affiliates or third parties to perform or discharge, or assist it in the performance or discharge, of any obligations or duties under this Agreement other than the provision of the services.
14. miscellaneous
|14.1
|Amendment. This Agreement may be amended by a written agreement executed by both parties.
|14.2
|Business Continuity, Internal Controls, and Information Security.
|14.2.1
|Business Continuity Plans. The Transfer Agent will at all times maintain a business contingency plan and a disaster recovery plan and will take commercially reasonable measures to maintain and periodically test such plans. The Transfer Agent will implement such plans following the occurrence of an event which results in an interruption or suspension of the services to be provided by the Transfer Agent hereunder.
|14.2.2
|Internal Controls Review and Report. The Transfer Agent will retain a firm of independent auditors to perform an annual review of certain internal controls and procedures employed by the Transfer Agent in the provision of the services hereunder and issue a standard System and Organization Controls 1 or equivalent report based on such review. The Transfer Agent will provide a copy of the report to the Trust upon request.
|14.2.3
|Information Security Systems and Controls. The Transfer Agent has implemented and will maintain commercially reasonable information security systems and controls, which include administrative, technical, and physical safeguards that are designed to: (i) maintain the security and confidentiality of the Trust’s data; (ii) protect against any anticipated or known threats or hazards to the security or integrity of the Trust’s data, including appropriate measures designed to meet legal and regulatory requirements applying to the Transfer Agent; and (iii) protect against unauthorized access to or use of the Trust’s data.
17
|14.2.4
|Virus Detection. The Transfer Agent will at all times employ a current version of one of the leading commercially available virus detection software programs to test the hardware and software applications used by it to deliver the services hereunder for the presence of any computer code designed to disrupt, disable, harm, or otherwise impede operation.
|14.3
|Massachusetts Law to Apply. This Agreement shall be construed and the provisions thereof interpreted under and in accordance with the laws of The Commonwealth of Massachusetts without giving effect to any conflicts of law rules thereof.
|14.4
|Force Majeure. The Transfer Agent shall not be responsible or liable for any failure or delay in performance of its obligations under this Agreement arising out of or caused, directly or indirectly, by circumstances beyond its control, including without limitation, work stoppage, power or other mechanical failure, computer virus, natural disaster, acts of war or terrorism, pandemics, governmental actions or communication disruption.
|14.5
|Data Protection. The Transfer Agent will implement and maintain a comprehensive written information security program that contains appropriate security measures to safeguard the personal information of the Trust’s shareholders, employees, directors and/or officers that the Transfer Agent receives, stores, maintains, processes or otherwise accesses in connection with the provision of services hereunder. For these purposes, “personal information” shall mean (i) an individual’s name (first initial and last name or first name and last name), address or telephone number plus (a) social security number, (b) driver’s license number, (c) state identification card number, (d) debit or credit card number, (e) financial account number or (f) personal identification number or password that would permit access to a person’s account or (ii) any combination of the foregoing that would allow a person to log onto or access an individual’s account or (iii) any other non-public personal information within the meaning of applicable law or regulation. Notwithstanding the foregoing “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
|14.6
|Survival. All provisions regarding indemnification, warranty, liability, and limits thereon, and confidentiality and/or protections of proprietary rights and trade secrets shall survive the termination of this Agreement.
|14.7
|Severability. If any provision or provisions of this Agreement shall be held invalid, unlawful, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired.
|14.8
|Priorities Clause. In the event of any conflict, discrepancy or ambiguity between the terms and conditions contained in this Agreement and any schedules or attachments hereto, the terms and conditions contained in this Agreement shall take precedence.
18
|14.9
|Waiver. The failure of a party to insist upon strict adherence to any term of this Agreement on any occasion shall not be considered a waiver nor shall it deprive such party of the right thereafter to insist upon strict adherence to that term or any term of this Agreement. The failure of a party hereto to exercise or any delay in exercising any right or remedy under this Agreement shall not constitute a waiver of any such term, right or remedy or a waiver of any other rights or remedies. No single or partial exercise of any right or remedy under this Agreement shall prevent any further exercise of the right or remedy or the exercise of any other right or remedy. Any waiver must be in writing signed by the waiving party.
|14.10
|Entire Agreement. This Agreement and any schedules, exhibits, attachments or amendments hereto constitute the entire agreement between the parties hereto and supersedes any prior agreement with respect to the subject matter hereof whether oral or written.
|14.11
|Counterparts. This Agreement may be executed in several counterparts, each of which shall be deemed to be an original, and all such counterparts taken together shall constitute one and the same Agreement. Counterparts may be executed in either original or electronically transmitted form (e.g., faxes or emailed portable document format (PDF) form), and the parties hereby adopt as original any signatures received via electronically transmitted form.
|14.12
|Reproduction of Documents. This Agreement and all schedules, exhibits, attachments and amendments hereto may be reproduced by any photographic, photostatic, digital or other similar process. The parties hereto all/each agree that any such reproduction shall be admissible in evidence as the original itself in any judicial or administrative proceeding, whether or not the original is in existence and whether or not such reproduction was made by a party in the regular course of business, and that any enlargement, facsimile or further reproduction of such reproduction shall likewise be admissible in evidence.
|14.13
|Notices. Any notice instruction or other instrument required to be given hereunder will be in writing and may be sent by hand, or by facsimile transmission, or overnight delivery by any recognized delivery service, to the parties at the following address or such other address as may be notified by any party from time to time:
(a) If to Transfer Agent, to:
State Street Bank and Trust Company
Transfer Agency
Attention: Compliance
John Adams Building
1776 Heritage Drive
Mail Stop JAB/3
North Quincy MA 02171
19
With a copy to:
STATE STREET BANK AND TRUST COMPANY
Legal Division – Global Services Americas
One Congress Street
Boston, MA 02114
(b) If to the Trust, to:
Harris Oakmark ETF Trust
c/o Harris Associates L.P.
111 S. Wacker Drive, Suite 4600
Chicago, IL 60606
Attn: General Counsel
CC: Compliance Department
Telephone: 312 646 3600
Facsimile: 312 268 5295
|14.14
|Interpretive and Other Provisions. In connection with the operation of this Agreement, the Transfer Agent and the Trust on behalf of each of the Funds, may from time to time agree on such provisions interpretive of or in addition to the provisions of this Agreement as may in their joint opinion be consistent with the general tenor of this Agreement. Any such interpretive or additional provisions shall be in a writing signed by all parties, provided that no such interpretive or additional provisions shall contravene any applicable laws or regulations or any provision of the Trust’s governing documents. No interpretive or additional provisions made as provided in the preceding sentence shall be deemed to be an amendment of this Agreement.
|14.15
|Limitation of Liability of the Directors and Shareholders. This Agreement is executed by the Trust with respect to each of its Portfolios and the obligations hereunder are not binding upon any of the trustees, officers or shareholders of the Trust in their individual capacity. Notwithstanding any other provision in this Agreement to the contrary, each and every obligation, liability or undertaking of a particular Portfolio under this Agreement shall constitute solely an obligation, liability or undertaking of, and be binding upon, such particular Portfolio and shall be payable solely from the available assets of such particular Portfolio and shall not be binding upon or affect any assets of any other Portfolio.
|14.16
|Insurance. The Transfer Agent will maintain, at all times during the term of this Agreement, insurance coverage regarding its business in such amount and scope as it deems adequate in connection with the services provided by the Transfer Agent under this Agreement. Upon reasonable request, which in no event shall be more than once annually, the Transfer Agent shall furnish to the Trust a summary of the Transfer Agent’s applicable insurance coverage.
20
|14.17.
|Audits. The Transfer Agent will allow the Trust and the Trust’s regulators or supervisory authorities to perform periodic on-site audits as may be reasonably required to examine the Transfer Agent’s performance of the services under this Agreement. For inspections requested by the Trust (such request will include reasonable advanced notice) and agreed to by the Transfer Agent, the Transfer Agent reserves the right to impose reasonable limitation on the number, frequency, timing and scope of such audits. Nothing contained in this Section 14.17 will obligate the Transfer Agent to provide access to or otherwise disclose: (i) any information that is unrelated to the Trust and the provision of the services to the Trust; (ii) absent a confidentiality agreement, (A) any information that is treated as confidential under the Transfer Agent’s corporate policies, including, without limitation, internal audit reports, compliance or risk management plans or reports, work papers and other reports, and information relating to management functions; or (B) any other documents, reports, or information that the Transfer Agent is obligated or entitled to maintain in confidence as a matter of law or regulation. In addition, any access provided to technology will be limited to a demonstration by the Transfer Agent of the functionality thereof and a reasonable opportunity to communicate with the Transfer Agent’s personnel regarding such technology.
[Remainder of Page Intentionally Left Blank]
21
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed in their names and on their behalf by and through their duly authorized officers, as of the day and year first above written.
|State Street Bank and Trust Company
|By:
|/s/ Patrick Waldron
|Name:
|Patrick Waldron
|Title:
|Managing Director
|Harris Oakmark ETF trust
|By:
|/s/ Rana J. Wright
|Name:
|Rana J. Wright
|Title:
|President
22
Schedule A
LIST OF PORTFOLIOS
Oakmark U.S. Large Cap ETF
23
Schedule B
Corporate Information Security Schedule
State Street Client Information Security Schedule
All capitalized terms not defined in this State Street Client Information Security Schedule (this “Security Schedule”) will have the meanings given to them in each Agreement, as applicable.
State Street implements data security measures consistent in all material respects with applicable prevailing industry practices and standards as well as laws, rules and regulations applicable to State Street. As of the Effective Date, State Street aligns with the National Institute for Standards and Technology (NIST) cybersecurity framework. However, as information security is a highly dynamic space where threats are constantly changing, State Street reserves the right to make changes to its information security controls and/or to align with one or more recognized industry standards, other than NIST, at any time in a manner that does not materially reduce its protection of Client Data.
State Street will use commercially reasonable efforts to cause any delegates and other third parties to whom State Street provides Client Data to implement and maintain security measures that State Street reasonably believes are at least as protective as those described in this Security Schedule. For delegates or other third parties who collect, transmit, share, store, control, process or manage Client Data, State Street is responsible for assessing their control environments. Notwithstanding the foregoing, State Street shall be responsible for any such delegate’s or other third party’s protection of Client Data, which if done by State Street, would be a breach of its commitment under this Security Schedule.
|1.
|Security Objectives. State Street uses commercially reasonable efforts to:
|a.
|protect the privacy, confidentiality, integrity, and availability of Client Data;
|b.
|protect against accidental, unauthorized, unauthenticated or unlawful access, copying, use, processing, disclosure, alteration, corruption, transfer, loss or destruction of Client Data;
|c.
|comply with applicable governmental laws, rules and regulations that are relevant to the handling, processing and use of Client Data by State Street in accordance with each Agreement; and
|d.
|implement customary administrative, physical, technical, procedural and organizational safeguards.
|2.
|Risk Assessments. The results of State Street’s risk assessments are internal to State Street and will not be provided to Client.
|a.
|Risk Assessment - State Street will perform risk assessments annually that are designed to identify material threats (both internal and external), the likelihood of those threats occurring and the impact of those threats upon the State Street organization to evaluate and analyze the appropriate level of information security safeguards (“Risk Assessments”).
|b.
|Risk Mitigation - State Street will use commercially reasonable efforts to manage, control and remediate any threats identified in the Risk Assessments that are likely to result in material unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of Client Data, consistent with the Objective, and commensurate with the sensitivity of the Client Data and the complexity and scope of the activities of State Street pursuant to the Agreement.
24
|c.
|Vulnerability Management Program – State Street maintains a vulnerability management program that includes processes for: being made aware of newly announced vulnerabilities; discovering vulnerabilities within the infrastructure and applications; risk rating vulnerabilities consistent with industry standards; and defining timeframes for remediating vulnerabilities (other than medium or low risk vulnerabilities) consistent with industry standards and taking into account any mitigation efforts taken by State Street with respect to such vulnerabilities.
|3.
|Security Controls. Upon Client’s reasonable request, no more frequently than annually, State Street will provide Client’s Chief Information Security Officer or his or her designee with a copy of its Corporate Information Security Controls manual, a completed Standardized Information Gathering (SIG) questionnaire, State Street’s Global Information Security (GIS) SOC 2 (Type II) report, and an opportunity to discuss State Street’s Information Security measures with a qualified member of State Street’s Information Technology management team. In no event will any such discussions require State Street to reveal any details or information that could reasonably be expected to jeopardize the security or integrity of any State Street system or the confidentiality or security of any other client’s data. State Street reviews its Information Security Policy approximately annually and reserves the right to change the frequency to meet regulatory requirements (which in no event will be less frequent than every eighteen (18) months).
|4.
|Organizational Security.
|a.
|Responsibility - State Street will assign responsibility for information security management to senior personnel only.
|b.
|Access - State Street will have controls designed to permit only those personnel performing roles supporting the provision of services under this Agreement to access Client Data.
|c.
|Confidentiality - State Street personnel who have accessed or otherwise been made known of Client Data will maintain the confidentiality of such information in accordance with the terms of this Agreement.
|d.
|Training - State Street will provide information security training to its personnel on approximately an annual basis
|e.
|Screening –State Street employees, and personnel of delegates or other third parties who access State Street’s facilities, networks or systems, are subject to certain credit and criminal checks conducted by State Street or its agents applicable to banks pursuant to applicable laws, rules and/or regulations. If any person does not meet the requirements of such State Street checks, such person may not be permitted to be employed by State Street or, in the event of a delegate or other third party, State Street requires that such person be removed from any assignment for State Street. In addition to the foregoing, State Street requires its delegates and other third parties to conduct, as part of its standard hiring and vendor due diligence practices, pre-employment background investigations consistent with industry standards with respect to any personnel that are assigned to perform services for State Street or otherwise have access to confidential information of State Street or its clients.
25
|5.
|Physical Security.
|a.
|Securing Physical Facilities - State Street will maintain systems located in State Street facilities that host Client Data or provide services under this Agreement in environments that are designed to be physically secure and to allow access only to authorized individuals. A secure environment includes the availability of onsite security personnel on a 24 x 7 basis or equivalent means of monitoring locations supporting the delivery of services under this Agreement.
|b.
|Physical Security of Media - State Street will implement controls, consistent with applicable prevailing industry practices and standards, that are designed to deter the unauthorized viewing, copying, alteration or removal of any media containing Client Data. Removable media on which Client Data is stored (including thumb drives, CDs, and DVDs, and PDAS) by State Street must be encrypted using at least 256-bit AES (or equivalent).
|c.
|Media Destruction - State Street will destroy removable media and any mobile device (such as discs, USB drives, DVDs, back-up tapes, laptops and PDAs) containing Client Data or use commercially reasonable efforts to render Client Data on such physical media unintelligible if such media or mobile device is no longer intended to be used. All backup tapes that are not destroyed must meet the level of protection described in this Security Schedule until destroyed.
|d.
|Paper Destruction - State Street will cross shred all paper waste containing Client Data and dispose in a secure and confidential manner.
|6.
|Communications and Operations Management.
|a.
|Network Penetration Testing - State Street will, on approximately an annual basis but in no event less frequently than every eighteen (18) months, contract with an independent third party to conduct a network penetration test on its network having access to or holding or containing Client Data. If penetration testing reveals material deficiencies or vulnerabilities, the findings will be risk rated consistent with industry standards and timeframes will be defined for remediating vulnerabilities (other than medium or low risk vulnerabilities) consistent with industry standards and taking into account any mitigation efforts taken by State Street with respect to such vulnerabilities
|b.
|Data Protection During Transmission - State Street will encrypt, using an industry recognized encryption algorithm, personally identifiable Client Data when in transit across public networks.
|c.
|Data Loss Prevention - State Street will maintain a data leakage program that is designed to identify, detect, monitor and document data leaving State Street’s control without authorization in place.
|7.
|Access Controls.
|a.
|Authorized Access - State Street will have controls that are designed to maintain the logical separation such that access to systems hosting Client Data and/or being used to provide services to Client will uniquely identify each individual requiring access, grant access only to authorized personnel based on the principle of least privileges, and prevent unauthorized access to Client Data. State Street reviews user access rights to systems and applications storing or allowing access to Client Data on a periodic basis.
26
|b.
|User Access - State Street will have a process to promptly disable access to Client Data by any State Street personnel who no longer requires such access. State Street will also promptly remove access of Client personnel upon receipt of notification from Client
|c.
|Authentication Credential Management - State Street will communicate authentication credentials to users in a secure manner, with a proof of identity check of the intended users. State Street requires its personnel and any personnel of its delegates or other third parties that have access to State Street’s networks or systems to maintain the confidentiality of system passwords, keys, and passcodes. State Street has a secure and documented process to reset passwords that requires verification of user identity prior to password reset.
|d.
|Multi-Factor Authentication for Remote Access - State Street will use multi factor authentication and a secure tunnel, or another strong authentication mechanism, when remotely accessing State Street’s internal network.
|8.
|Use of Laptop and Mobile Devices in connection with this Agreement.
|a.
|Encryption Requirements - State Street will encrypt any laptops or mobile devices (e.g., tablets and smartphones) containing Client Data used by State Street’s personnel using an industry recognized encryption algorithm with at least 256 bit encryption AES (or equivalent). .
|b.
|Secure Storage - State Street will require that all laptops and mobile devices be securely stored whenever out of the personnel’s immediate possession.
|c.
|Inactivity Timeout - State Street will employ access and password controls as well as inactivity timeouts of no longer than thirty (30) minutes on laptops, desktops and mobile devices managed by State Street and used by State Street’s personnel.
|d.
|Remote Management – State Street will maintain the ability to remotely remove Client Data promptly from mobile devices managed by State Street. State Street has policies requiring personnel to maintain the security of devices managed by State Street.
|9.
|Information Systems Acquisition Development and Maintenance.
|a.
|Client Data – Client Data will only be used by State Street for the purposes specified in this Agreement.
|b.
|Virus Management - State Street will maintain a malware protection program designed to identify, detect, protect, respond and recover from malware infections, malicious code and unauthorized execution of code within the State Street environment.
|c.
|Change Control – State Street implements and maintains change control procedures to manage changes to information systems, supporting infrastructure, and facilities. Certain State Street’s system and application changes undergo testing prior to implementation, which may include relevant security controls, as determined by State Street on a risk basis and taking into account the type and/or impact of the change and the infrastructure and/or network components in place with respect to such change,.
27
|10.
|Incident Event and Communications Management.
|a.
|Incident Management/Notification of Breach - State Street will maintain an incident response plan that specifies actions to be taken when State Street or one of its subcontractors suspects or detects that a party has gained unauthorized access to Client Data or systems or applications containing any Client Data (the “Response Plan”). Such Response Plan will include an escalation procedure that includes notification to senior managers and reporting to regulatory and law enforcement agencies, when and if applicable. State Street will use commercially reasonable efforts to investigate, remediate and mitigate such unauthorized access.
|b.
|State Street will notify Client within seventy-two (72) hours after it has determined that unauthorized access to Client Data has occurred, unless otherwise prohibited by Applicable Law. In such an event, and unless prohibited by Applicable Law, State Street will provide information, to the extent available to State Street, sufficient to provide a reasonable description of the general circumstances and extent of such unauthorized access, and will provide reasonable cooperation to Client:
|i.
|in the investigation of any such unauthorized access;
|ii.
|in Client’s efforts to comply with statutory notice or other Applicable Laws applicable to Client or its customers; and
|iii.
|in litigation and investigations brought by Client against third parties, including injunctive or other equitable relief reasonably necessary to protect Client’s proprietary rights.
For the avoidance of doubt, State Street will not be required to disclose information that State Street reasonably determines would compromise the security of State Street's technology or premises or that would impact other State Street clients.
28