Payment Initiation

AFTERBANKS PAYMENT INITIATION TERMS AND CONDITIONS

ONE – DEFINITIONS

For the purposes of these General Terms and Conditions, the following definitions shall apply:

Active User or Client or End Client: With regards to payment initiation services, a natural or legal person accessing the e-commerce web page with the intention of buying goods or contracting a service and who intends to pay by means of a bank transfer which shall be executed on the online banking through Morpheus Aiolos, as payment initiation services provider.

Multi-Contract: Those cases when financial institutions allow users to connect different profiles which, at the same time, group accounts from different clients.

E-Commerce: The entity that (i) sells goods or offers services to users through its webpage or has a platform where e-commerce businesses can offer their goods or services and users can acquire them, and intends to make available to their clients or users the possibility of paying by means of a bank transfer ordered by the end client and initiated through Morpheus Aiolos.

Payment Initiation Service: a service that allows to initiate a payment order at the request of the payment service user with regards to a payment account held at another payment service provider, as long as the corresponding payment account can be accessed online.

Account servicing payment service provider: means a payment service provider providing and maintaining a payment account for a payer.

Remote Payment Transaction: means a payment transaction initiated via internet or through a device that can be used for distance communication.

Personalised security credentials/passwords: personalised elements that the account servicing payment service provider offers the payment service user for authentication purposes to initiate an online banking payment transaction in the official website of the account servicing payment service provider.

Authentication: means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the U ser’s personalised security credentials.

Consumer: means a natural person who, in payment service contracts is acting for purposes other than his or her trade, business or profession.

Microenterprise: means an enterprise – including both natural persons conducting professional or business activities and legal persons–, which at the time of conclusion of the payment service contract employs fewer than ten employees and whose annual turnover and/or annual general balance sheet total does not exceed two million euros pursuant to Article 1 and Article 2(1) and (3) of the Annex to Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.

TWO. – DETAILS OF THE SERVICE PROVIDER

MORPHEUS AIOLOS, S.L. (hereinafter “Morpheus Aiolos”), holding tax ID (CIF) B-86556420, incorporated in Madrid, on 27 September 2012, registered with the Business Registry of Madrid in volume 30408, folio 12, sheet number M-547305, entry 1. It is authorised by the Bank of Spain as a Payment initiation service provider and account information service provider and is subject to supervision by the Bank of Spain and the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences. It is duly registered by the Special Registry of Payment Initiation Services Providers, Payment Institutions and Account Information Service Providers of the Bank of Spain under number 6901. Its registered address is located at calle San Andrés, número 8, 28004 Madrid.

THREE. – SCOPE OF ACTION OF THE USER

When the user is not considered a consumer or a microenterprise for the purposes foreseen in the payment service regulations, Title II of Royal Decree-Law 19/2018 of 23 November on Payment Services and Other Urgent Financial Measures, as well as the provisions implementing these measures, pursuant to art. 28.2 of the said Decree-Law shall not apply.

Likewise, pursuant to article 34.1 of Royal Decree-Law 19/2018 of 23 November, the application of articles 35.1, 36.3, 44, 46, 48, 49, 52, 60 and 61 thereof is expressly excluded.

FOUR. – PURPOSE

These general terms and conditions include the information that Morpheus Aiolos, as payment initiation services provider must submit to payment service users. Likewise, this document regulates the fundamental rights and liabilities of these payment services users . All of the above pursuant to Royal Decree-Law 19/2018 of 23 November on Payment Services and Other Urgent Financial Measures, and the provisions implementing the measures therein.

FIVE. – AUTHENTICATION

Payment initiation transactions are deemed authorised when the payer user has approved their execution through Morpheus Aiolos, pursuant to the authentication procedures provided to the user by the account servicing payment service provider. In the absence of said approval, the payment transaction shall be deemed not authorised.

The payer shall not revoke the payment order once their consent has been given to Morpheus Aiolos to initiate the payment transaction.

Access to payment accounts of the users shall be deemed authorised when the user has provided their consent through Morpheus Aiolos, pursuant to the authentication procedures provided to the user by the account servicing payment service provider. In the absence of said approval, access to the payment account shall be deemed not authorised.

In the events when Morpheus Aiolos stores in its platform data from the financial information obtained from accesses to the payment accounts of the User, a reinforced authentication process shall be applied, combining two independent authentication measures:
– A piece of knowledge: the password.
– A piece of possession: the mobile phone.

During the registration process the payment service user shall be requested to introduce their e-mail address, a password and a mobile number.
These data shall be verified as follows:
– In the e-mail inbox: the payment service user shall receive a one-time link to verify that the address is correct.
– The payment service user shall receive a SMS text on their mobile phone with a one-time code which must be entered in the registration form.

When accessing afterwards, the user shall be requested these two factors: password and one-time code that verifies that the mobile phone is in his/her possession.

SIX. – RESPONSIBILITIES OF MORPHEUS AIOLOS

Responsibilities as payment initiation services provider
Morpheus Aiolos, as payment initiation services provider, shall comply with the following responsibilities:

(a) It shall not hold at any time the payer’s funds in connection with the provision of the payment initiation service;

(b) It shall ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that they are transmitted by the payment initiation service provider through safe and efficient channels;

(c) It shall ensure that any other information about the payment service user, obtained when providing payment initiation services, is only provided to the payee and only with the payment service user’s explicit consent;

(d) Every time a payment is initiated, it shall identify itself to the account servicing payment service provider of the account holder and shall communicate in a safe manner with the account servicing payment service provider, the payer, and the payee, pursuant to Delegated Regulation 2018/389 and the applicable criteria of the provisions of the European Banking Authority determined by the Bank of Spain.

(e) It shall not store sensitive payment data of the payment service user;

(f) It shall not request from the payment service user any data other than those necessary to provide the payment initiation service;

(g) It shall not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer;

(h) It shall not modify the amount, the payee or any other feature of the transaction.

SEVEN. – INFORMATION

Transmission of information or notifications:

As applicable, if the information or notifications are transmitted to the user through telematic means, they shall be previously informed of the technical requirements applicable to the device and software. Likewise, they shall be provided with the secure procedure for notification in the event of suspected or actual fraud or security threats below:

Morpheus Aiolos shall notify by e-mail when the system detects suspected or actual fraud or security threats.

The user has the right to receive information and terms and conditions of the payment service provision in advance in order to provide their consent thereto.

EIGHT. – AMENDMENT TO THE TERMS AND CONDITIONS

Morpheus Aiolos reserves the right to request the amendment to these terms and conditions. In the event that the user is considered a microenterprise or consumer, Morpheus Aiolos shall communicate any amendment to the terms and conditions at least two months before the entry into force of the proposed amendment.

Once said term has elapsed and the user has not objected, the amendment shall apply. In the event that the user opposes to the amendment, it can be terminated free of charge before the entry into force of the amendments. If the amendment agreed is clearly beneficial for the user, it can be immediately applied.

In the event that the user is considered a microenterprise or consumer, Morpheus Aiolos shall propose any amendment to the terms and conditions in a clear, individualised manner without including it in any other information or advertising, on paper or on another durable medium at least two months before the entry into force of the proposed amendment. The user may accept or reject the amendments to the terms and conditions before the date proposed for their entry into force through the same mean by which they are notified.

However, Morpheus Aiolos may immediately apply all the amendments which are unequivocally more beneficial for the user.

The parties agree that it shall be understood that the user has accepted the amendment to the corresponding terms and conditions if approval thereon is not communicated before the proposed date for its entry into force. In such event, the user shall have the right to terminate this terms and conditions free of charge with effects from any moment before the date when the amendment would have been applied.

NINE. – VALIDITY AND TERMINATION OF THE TERMS AND CONDITIONS

These terms and conditions shall be valid for one calendar year following their signature and shall be automatically renewed year by year in the absence of opposing written communication by any of the intervening parties addressed to the counterparty at least two (2) months before the initial maturity or any of its extensions.

In the event that the user is considered a microenterprise or consumer, these terms and conditions may be terminated at any time, without prior notice. Morpheus Aiolos must comply with the request for termination of these terms and conditions in the 24 hours following reception of the request for termination.

The termination of these terms and conditions for time elapsing shall not give rise to indemnity to any of the parties.

TEN. – RECTIFICATION OF UNAUTHORISED REMOTE PAYMENT TRANSACTIONS

When the payment service user is aware that an unauthorised remote payment transaction has been made or a payment transaction has been incorrectly executed, rectification by the account servicing payment service provider must be sought. For this purpose this situation must be immediately notified to the account servicing payment service provider as soon as the payment service user becomes aware of the unauthorised transaction subject of complaint.

When the payment service user denies having authorised a payment transaction already executed, the burden shall be on Morpheus Aiolos to prove that, within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge.

In the event that the payment initiation service is provided, the user must obtain rectification from the account servicing payment service provider.

ELEVEN. – RESPONSIBILITY IN THE EVENT OF UNAUTHORISED TRANSACTIONS

In the case of an unauthorised payment transaction, the payer’s payment service provider refunds the payer the amount of the unauthorised payment transaction immediately, and in any event no later than by the end of the following business day. Where applicable, the payer’s payment service provider shall restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.

If Morpheus Aiolos is responsible for the unauthorised payment transaction, it shall immediately compensate the account servicing payment service provider at its request for the losses incurred or sums paid as a result of the refund to the payer, including the amount of the unauthorised payment transaction. The burden shall be on

Morpheus Aiolos to prove that, within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge.

TWELVE. – CLAIM PROCEDURE AVAILABLE FOR THE USER

(i) Customer Service
Morpheus Aiolos has a Customer Service, pursuant to the obligations foreseen in Order ECO/734/2004 of 11 March, on Customer Service Departments and the Financial Ombudsman, which aims at handling and resolving complaints and claims submitted by users. The Customer Service contact details are:

MORPHEUS AIOLOS, S.L.
Servicio de Atención al Cliente
Calle San Andrés, número 8, 28004 Madrid
e-mail: sac@afterbanks.com

The process for handling and resolving complaints and claims is described in the Operations Regulations for the Customer Service, available both in the offices of Morpheus Aiolos, and on the webpage (http://www.morpheusaiolos.com) and of the Bank of Spain (www.bde.es).

(ii) Claims submitted to the Claims Service of the Bank of Spain
In the event that any claim submitted before the Customer Service of the company is dismissed or a-month term has elapsed and the said Customer Service has not answered, the client may submit the claim before the Claim Service of the Bank of Spain.
In person at:

Banco de España
Servicio de Reclamaciones
C/ Alcalá 48, 28014 Madrid
By telematic means at:
https://app.bde.es/psr_www/faces/psr_wwwias/jsp/op/InicioSesion/PantallaAsistenteForm.jsp

THIRTEEN. – PREVENTION OF MONEY LAUNDERING AND TERRORISM FINANCING

The user undertakes to (i) submit the e-commerce entity so it, in turn submits to Morpheus Aiolos the information and documents that, as applicable, may be required by Morpheus Aiolos in the application of due diligence and internal control measures imposed to Morpheus Aiolos by the regulation on the prevention of money laundering and terrorism financing; and (ii) inform Morpheus Aiolos by means of the e-commerce entity of any variation affecting the information and documents previously provided to Morpheus Aiolos in compliance with these general terms and conditions and to submit the up-dated documents.

FOURTEEN. – PRICE

The payment initiation service provided by Morpheus Aiolos shall be free of charge for the user. The e-commerce entity shall bear the costs pursuant to the terms and conditions agreed with Morpheus Aiolos.

FIFTEEN. – WARRANTIES OF MORPHEUS AIOLOS

– Security
Morpheus Aiolos guarantees that the provision of the service shall be made with the security mechanisms that ensure encryption of the passwords provided and guarantees that they cannot be used fraudulently.

– Structured and standardised information
Morpheus Aiolos guarantees that it shall provide the financial and non-financial information to the user in a structured and standardised manner. “Structured” means that the information can be easily processed electronically (JSON or XML). “Standardised” means that the information from different entities is provided exactly in the same format and that, moreover, this format is standardised pursuant to certain standards according to the type of data.

SIXTEEN. – PERSONAL DATA PROTECTION

In the event that the provision of the payment initiation service requires processing of personal data and pursuant to Article 12 of the Spanish Organic Law on Data Protection, Morpheus Aiolos, as Data Processor, expressly declares and undertakes to: (i) use and process data solely to comply with the purposes foreseen in these terms and conditions according to the instructions of the user; (ii) maintain the utmost confidentiality with regards to the personal data provided by the user; (iii) return the user all the documents and files containing data upon termination of the contractual relationship; (iv) limit the access and use of data to those absolutely necessary with previous confirmation by the user in writing for the provision of the payment initiation service; and (v) adopt the corresponding security measures for the protection of data according to the security level needed according to the files accessed.

For the provision of the service described above, Morpheus Aiolos shall subcontract hosting services and Spanish Organic Law on Data Protection auditing services.

SEVENTEEN. APPLICABLE REGULATIONS

The provision of payment initiation services by Morpheus Aiolos to the user shall be governed by the terms set forth in these general terms and conditions and on all matters not covered thereby, by the regulations of Royal Decree-Law 19/2018 of 23 November on Payment Services and Other Urgent Financial Measures, and the provisions implementing the measures therein and any other applicable Spanish regulations and regulations regarding transparency.