Sonar Operating Rules
Introduction
The Sonar Fraud Data Sharing Consortium (referred to throughout this document as the "Consortium") is an alliance of “Participant” institutions to share fraud and risk insights. SonarAI LLC. (referred to throughout this document as "Sonar") uses the foundational data from SardineAI through a data sharing agreement. SardineAI is also one of the participants of the consortium.
The Consortium operates as a distinct entity and is composed of an independent Management Team, a Management Committee, an Advisory Committee, the Governance Rules, the Data Rules and the individually executed agreements with Consortium Participants.
This document outlines governance rules and data rules that constitute the backbone of the Consortium's operations. The rules included in this document are shaped by the collective decision-making of its Participants.
Structure of the Consortium Operating Rules
This document is structured the following way:
General Rules
Contains definitions, the eligibility criteria, general requirements and other overarching rules that apply to all Consortium Participants.
Document Notes
This document is updated periodically. This version of the Rules dated August 3, 2023 replaces all previously published versions.
Capitalized words are typically included in the definition section of this document.
General Rules
R.1 Definitions
R 1.1 Account
Refers to accounts from which the owner can make financial asset transfers or withdrawals using various methods, like negotiable or transferable instruments, withdrawal orders, telephone transfers, electronic payments, or other similar means. Ref.: Federal Reserve Board Regulation CC, 12 C.F.R § 229.2(a).
R 1.2 Account Abuse
Closure or placement of an Account in pre-closure Status by a Consortium Participant due to a financial loss in which the Consortium Participant conducted no investigation, or conducted an investigation, but was unable to conclude that the activity causing the loss involved Fraud.
R 1.3 Account Abuse Data
Data about an Account that was closed or placed in pre-closure Status by a Consortium Participant due to the detection of an Account Abuse. This could also include data related to the identity of the parties associated with such Account.
R 1.4 Account Information Data
Data linked to an account such as account balance, transaction history, account status, and any other information obtained from a customer to form a reasonable belief that a Consortium Participant knows their true identity.
R 1.5 Account Status Information
Data relating to the status of an Account with a Consortium Participant as defined in the Data Rules section of this document.
R 1.6 ACH
Automated clearinghouse or ACH is a facility that processes debit and credit transfers under rules established by a Federal Reserve Bank operating circular on automated clearinghouse items or under rules of an automated clearinghouse association.
R 1.7 ACH Data
ACH data contains electronic data utilized by the ACH facility and includes details such as account numbers, routing numbers, transaction amounts, and transaction dates. It is used for processing payments, direct deposits, bill payments, and other financial transactions.
R 1.8 Advisory Committee
A group of individuals who have been chosen by the Consortium Management Committee to provide expert advice.
R 1.9 Affiliate
Any business that is controlled by, or is under common control of Sonar or under control of Consortium Participants. Control can be established by ownership or contractual agreements.
R 1.10 Agreement
A legally binding exchange of promises, contract or agreement between Consortium Participants and Sonar that the law will enforce.
R 1.11 Application Programming Interface (API)
A set of rules and protocols for building and interacting with software applications. APIs define the methods and data formats that a program should use to communicate with other software, operating systems, or hardware. A Participant in the Consortium can request information about an entity from a shared database maintained by Sardine, by sending various identifiable information (personal or account details) via an API call.
R 1.12 Authorized Push Payments (APP)
Refers to a type of payment where the account holder instructs their bank to send (push) money directly to another bank account. These payments are "authorized" because the account holder themselves initiate the transaction. This can be contrasted with "pull" payments, such as direct debits, where the recipient (or a third party) is authorized to take money out of another's bank account.
R 1.13 Business Day
Means a calendar day other than a Saturday or a Sunday, January 1, the third Monday in January, the third Monday in February, the last Monday in May, July 4, the first Monday in September, the second Monday in October, November 11, the fourth Thursday in November, or December 25. If January 1, July 4, November 11, or December 25 fall on a Sunday, the next Monday is not a business day.
Ref.: Section 229.2(g) of Regulation CC of the Board of Governors of the Federal Reserve System, 12 C.F.R § 229.2(f).
R 1.14 Card Authorizations Data
Data that is transmitted during a card transaction (like a credit or debit card transaction) to request approval from the card issuer (usually a bank or credit card company). Cardholder information can include the card number, cardholder name, card expiration date, and sometimes the cardholder's address. The data also typically includes the amount of the transaction, the date and time of the transaction, the merchant's identification information, the card's CVV or CVV2 number (a security code on the card), and, in the case of a chip card, a unique transaction code.
R 1.15 Common Points of Purchase (CPP)
Typically refers to a single location or point where multiple frauds have occurred. When numerous fraudulent transactions are traced back to the same merchant or specific location over a certain period, it's referred to as the common point of purchase.
R 1.16 Consumer
Refers to an individual who seeks to obtain or has obtained a financial product or service from a Consortium Participant that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.
R 1.17 Consortium
An alliance of Participant institutions sharing information to create Risk Insights data sharing Services. This collaborative effort is designed to augment the Participant’s detection and decisioning capabilities for credit risk, fraud risk and financial crimes risk.
R 1.18 Consortium Data
The specific data elements, as defined in the Data Rules section of this document that are provided in an Inquiry by a Consortium Participant or the response data provided by Sonar as the result of an inquiry event.
R 1.19 Consortium Participant
A company who participates in the Consortium.
R 1.20 Consortium Services
An API platform to allow Participants to obtain Risk Insights from the data shared amongst Participants.
R 1.21 Cryptocurrency
A digital or virtual form of currency that utilizes cryptography for security. Cryptocurrencies operate on decentralized platforms known as blockchain technology, which is a distributed ledger enforced by a disparate network of computers. Cryptocurrencies are characterized by their decentralized control as opposed to centralized digital currency and central banking systems.
R 1.22 Data Center
A facility operated by, or on behalf of, Sonar housing the IT infrastructure. It stores, manages, and disseminates data and applications. It includes servers, storage systems, and networking hardware, maintained in controlled environments for protection.
R 1.23 Digital Asset
Any data or content owned by an individual or organization that exists in digital form. It can include files like documents, photos, videos, as well as intangible assets like software, digital currencies, and intellectual property rights in the digital space.
R 1.24 Data Pack
Data returned by the Consortium Services response API resulting from a Participant API Inquiry. There are 3 types of Data Packs further defined in the Data Rules section of this document that can be sent back to the Participant based on the contractual agreement upon activation:
- "fraud" - Fraud insights data pack provided under GLBA legal framework.
- "credit" - Credit insights data pack provided under FCRA legal framework.
IMPORTANT NOTE: At this time the “credit” data pack is NOT allowed. All use cases under FCRA are prohibited in the first phase of the consortium implementation.
- "aml" - AML / Terrorist Financing data pack provided under 314b legal framework.
R 1.25 Demand Deposit Account (DDA)
Often referred to as a checking account, is a type of bank account from which deposited funds can be withdrawn at any time without any notice to the bank. DDAs typically allow for unlimited withdrawals and deposits, offering high liquidity to the account holder.
R 1.26 Digital Identity Data
Refers to the collection of electronically stored information about an individual or entity that is used to represent them in digital transactions. This can include usernames, passwords, biometric data, and other identifying information that verifies an individual's or entity's identity in the digital environment.
R 1.27 Digital Identity Response Data
In the context of an API call made to the Consortium databases, it refers to the data returned from a request regarding a user's digital identity. It can include verification status, personal details, and any discrepancies found.
R 1.28 Digital Wallet
An electronic, software-based, or online system that securely stores digital assets. A digital wallet is a tool that is able to interact with various blockchains to allow users to send and receive digital currency and monitor their balance.
R 1.29 FCRA
The Fair Credit Reporting Act (FCRA) is a U.S. federal law that regulates the collection, dissemination, and use of consumer credit information. It promotes accuracy, fairness, and privacy of personal data held by credit reporting agencies, and provides consumers with rights to access and correct inaccuracies in their credit reports.
R 1.30 Financial Services Organization
A business entity that operates in the financial sector, providing services related to money management. These include banks, insurance companies, investment firms, real estate companies, and credit card companies. They facilitate transactions, manage assets, provide financial advice, and offer products for savings and investments.
R 1.31 <left blank>
R 1.32 Fraud
Refers to an event in which a Consortium Participant has confirmed that there was intentional deception or dishonesty conducted for personal gain or to harm others. It involves deceitful actions, misrepresentation of facts, or the abuse of trust or authority to obtain illicit benefits.
R 1.33 First Party Fraud
The term is used when the fraudsters are the primary parties in the transaction, distinguishing it from third-party fraud, where an innocent party's information is utilized without their knowledge or consent for fraudulent purposes. It encompasses situations where legitimate account holders act fraudulently, such as overextending credit with no intent of repayment, intentionally overdrawing their accounts, or claiming benefits or refunds to which they are not entitled.
R 1.34 Fraud Data
Refers to the specific information used to identify and detect fraudulent activities or behavior. This data includes various details such as user profiles, transaction history, device information, IP addresses, and other indicators used to analyze and flag potential fraudulent incidents.
R 1.35 <left blank>
R 1.36 Inquiry
Refers to an API call initiated by a Consortium Participant to receive Response data from the Consortium Services.
R 1.37 Inquiry Data
Data contained in an Inquiry request API call to initiate an inquiry as defined in the Data Rules section of this document. The Inquiry will result in an API response containing Data Packs. Data Pack types for Fraud, Credit and AML can be requested, however, only authorized data packs activated for a Participant will be returned by the API response.
R 1.38 New Account Screening Data
Information transmitted to Sonar that is collected and analyzed to assist the Consortium Participant during the process of evaluating and verifying the eligibility and credibility of individuals or entities seeking to open new accounts. This data can include personal details, financial history, identity verification, and risk assessment factors to detect potential fraud or compliance risks.
R 1.39 Personally Identifiable Information (PII)
Refers to any private data that can be used to identify or distinguish an individual. This includes information such as names, addresses, social security numbers, email addresses, phone numbers, financial details, and biometric records. Personally Identifiable Information (PII) is sensitive and requires protection to prevent unauthorized access or misuse, as it can be exploited for identity theft, fraud, or privacy violations.
R 1.40 Release
Refers to the distribution and deployment of an updated or new version of a software application, or an API specification typically including bug fixes, new features, and enhancements to the Consortium Services.
R 1.41 Required Release
Refers to a Release that significantly impacts the functionality of the Consortium Services necessitated by a change in Applicable Law or major bug fixes. It imposes an obligation on Consortium Participants to incorporate a Release within the specified timeframe outlined in this document.
R 1.42 Scams
Deceptive illicit schemes based on misleading or manipulative tactics to lure individuals into providing money, personal details, or other assets under false pretenses. Scams can take many forms and are often disguised as legitimate opportunities or transactions. Examples include lottery scams, romance scams, investment scams, phishing scams, etc.
R 1.43 Score
A Score is a derived value or category based on statistical analysis applied to Data in the Consortium databases. It predicts behavior and can be used in the Consortium Services offerings. A Score may be accompanied by data containing relevant attributes and reasons affecting it, and can be used by Consortium Participants according to the Consortium Rules stated in this document.
R 1.44 Third Party Fraud
Fraudulent activities where an individual or entity not directly involved in a transaction or relationship attempts to deceive or exploit another party for personal gain. This type of fraud typically involves a deceptive third party posing as a legitimate entity or using stolen or fake credentials to deceive victims, leading to financial losses, identity theft, or other harmful consequences.
R 2 Consortium Governance
R 2.1 Sonar Management Committee
The Management Committee is composed of individuals appointed by their respective Consortium Participant institutions. Members of the Management Committee can propose changes to the Consortium Operating Rules, or any other decisions affecting the Consortium. Changes are decided by simple majority voting.
R 2.2 Chairperson of the Management Committee
The Chairperson is selected from the roster of the members of the Management Committee through a rotating scheme ordered by membership seniority, with the newest members added to the last position in the rotation list.
The Chairperson should be rotated once a year utilizing this scheme. The members of the Management Committee vote to confirm the transfer of the Chairperson duty to the next one during the Committee meeting prior to the rotation.
R 2.3 Participation Legal Framework Requirements
Consortium membership eligibility is contingent upon Participants being authorized entities capable of legally accessing pertinent data in accordance with prevailing legal statutes. These include, but are not limited to, the following federal laws:
- The Gramm-Leach-Bliley Act: Requires financial institutions to explain how they share and protect their customers' private information.
- The Fair Credit Reporting Act: Promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. It is designed to protect the privacy of consumer information and to guarantee that the information supplied by credit reporting agencies is as accurate as possible.
- Section 314(b) of the USA PATRIOT Act: Encourages financial institutions and associations thereof to share information with each other to identify and report potential money laundering or terrorist activities under a Safe Harbor provision.
R 2.4 Procedure for Approval of Participants
R 2.4.1 Application for participation
Upon receiving a formal application from the candidate Participant, Sonar will initiate an evaluation project to gather the necessary information that will be used in the evaluation and approval process that follows the Application.
R 2.4.2 Evaluation and approval process
The evaluation process for aspiring Participants will follow a methodology established and approved by the Consortium members. In order to ensure the accuracy of the information presented in applications, Sonar will conduct a comprehensive validation of the information provided by each candidate. The process will verify the accuracy of the submitted details and confirm that the aspirant Participant fulfills the criteria for activation in the Consortium Services.
R 2.4.3 Contractual Agreement execution
An acceptable agreement governing the Participant's role within the Consortium must be executed between Sonar and the candidate Participant.
A candidate Participant will successfully transition into being a Participant upon the completion and execution of relevant contractual agreements with Sonar.
This final step concludes the application process, marking the successful applicant's entrance into their role as stipulated in the application, and allowing the Participant to be activated in the Consortium Services.
R 3 Participant Duties and Responsibilities
R 3.1 Data Ownership
Consortium members own the cumulative data in the Consortium Database, but are not entitled to directly access the Consortium database, except through the API methods specified in the Data Rules section of this document that are part of the Consortium Services.
Consortium Participants establish mutually agreed-upon operating rules and data governance to determine the permissioning of when and how the data can be used.
R 3.2 Implementation of API Releases
Sonar will provide advance written notice of not less than ninety (90) calendar days for all API releases.
It is mandatory for the Fraud Data Sharing Consortium Participant to utilize new releases within ninety (90) calendar days from the announcement date of releases.
In the event that a Participant fails to upgrade to the most recent release within the prescribed notice period of twelve (12) months, the Participant will be liable for ongoing release support fees for any previous releases.
R 3.3 Required Contact Information
Fraud Data Sharing Consortium Participants are required to provide Sonar with up-to-date contact details. These contacts are essential for managing technical and business issues related to the services for data contributed by the Participant. Participants must inform Sonar immediately of any changes in their contact information. Consortium Participants must provide the following contacts to Sardine before they start using the Consortium services:
R 3.3.1 Primary Contact
This is the main liaison between Sonar and the Participant, handling technical and business issues related to the services for the Participant's contributed data.
R 3.3.2 Secondary Contact
This is the alternate liaison in case the primary contact is unavailable.
R 3.3.3 Consortium Rules Contact
This is the person to whom Sonar will send updates of this document.
R 3.3.4 FinCEN 314(b) Contact
This applies only to Participants that plan to utilize the sharing of information through the FinCEN 314(b) Safe Harbor provisions. If applicable, Consortium Participants must designate a point of contact who will serve as the main liaison for 314(b) information sharing for the Consortium. This individual should be knowledgeable about the institution's anti-money laundering (AML) program and have the authority to interact with other Consortium Participants.
R 3.4 Authorized Use of Data
Consortium Participants only disclose Personally Identifiable Information (PII) to the Consortium databases via the Consortium API services. No Participant, other than the inquirer sending the PII data, is able to access the PII provided during the Inquiry.
The PII information is used to match entities within the Consortium database in order for the Consortium services to compile the available risk related to that entity, and then send a response back via the API as specified in the Data Rules section of this document.
R 3.5 Prohibition of use of data for use-cases under FCRA
At the present time, the Consortium strictly prohibits the use of any collected or shared data for purposes that fall under the scope of the Fair Credit Reporting Act (FCRA). The FCRA is a United States federal law designed to promote the accuracy, fairness, and privacy of consumer information collected by consumer reporting agencies. It covers use-cases including, but not limited to, the determination of creditworthiness, employment eligibility, insurance underwriting, and tenant screening. Any data usage practices that involve determining a consumer's eligibility for personal credit or insurance, assessing risks associated with existing credit obligations, or evaluating an individual for employment, promotion, reassignment, or retention are explicitly barred under this clause. Members of the Consortium are expected to ensure their data usage practices strictly adhere to this prohibition.
R 3.6 Participant 314b Requirement for FinCEN Registration
R 3.6.1 FinCEN Registration
Participants that wish to utilize the Consortium services for use-cases covered under the FinCEN 314(b) provisions must register with FinCEN to participate in the 314(b) program. Eligible institutions typically include banks, credit unions, broker-dealers in securities, futures commission merchants, mutual funds, and other entities defined by the regulations.
The registration process involves completing and submitting a registration form to FinCEN. The form collects information about the institution, its contact information, and designated point of contact for 314(b) purposes.
Consortium Participants must establish and maintain appropriate policies, procedures, and internal controls to facilitate the sharing of information and ensure compliance with the requirements of Section 314(b). These controls should address the FinCEN 314(b) renewal process, confidentiality, data security, recordkeeping, and other relevant aspects.
R 3.6.2 FinCEN 314(b) Registration attestation
Consortium Participants must provide Sonar with an annual attestation to ensure their registration with FinCEN 314(b) is current and they have renewed their registration prior to the annual expiration.
Consortium Participants must attest to Sonar 60 days prior to the FinCEN registration expiration that they have initiated a renewal of their registration with FinCEN for sharing information under the 314b Safe Harbor provisions.
R 3.6.3 Mutual Agreement to share information under 314(b)
Consortium Participants must join into a written central agreement governed by the Consortium. This agreement is commonly known as a 314(b) Information Sharing Agreement. The agreement outlines the terms and conditions for sharing information amongst the Consortium Participants, including the purpose, limitations, data protection measures, and permissible uses of the shared information.
R 3.7 Participant Liability
A Consortium Participant shall not be held responsible to Sonar or any other Participant for the following cases:
- If there is any inconsistency in the data sent by the Participant to the Consortium databases.
- If there is any failure or delay in transmitting data in a punctual manner.
- If any act or omission by any other Participant occurs based on the reliance on any data exchanged via the Consortium Services.
Despite any contradicting statements in the Consortium operating rules (this document), a Consortium Participant shall not be held responsible under the Consortium operating rules (this document), for any special, indirect, consequential or exemplary damages. This includes, but is not limited to, lost profits.
R 3.8 Record Retention
Consortium Participants and Sonar must follow the regulatory statute of limitations specified for all regulatory frameworks for data retention applicable to how the Consortium Services are used by the Consortium Participant.
R 4 Transmission of Inquiries and use of Responses
R 4.1 Authorized Use of Data by the Participant
A Consortium Participant must use Response Data strictly for the reasons outlined in their contractual agreement with Sonar and all relevant sections of the Consortium Operating Rules (this document).
It's important to recognize that Response Data is tied to a specific moment in time and should only be used in relation to the specific inquiry it was provided for. In order to protect this integrity, the response data should not be stored or incorporated for the purpose of informing future uses of the data.
Unless compelled by law or to meet obligations under the agreement, storing, compiling, or aggregating Response Data is not permitted. Furthermore, altering or modifying the data in any manner is strictly prohibited.
Selling or disclosing Response Data to any other Consortium Participant, person, or entity is forbidden except when mandated by the Consortium Operating Rules (this document), necessary for auditing purposes, or as required by law.
For internal purposes, Response Data can be used in aggregate by the Consortium Participant to perform ongoing analyses and generate reports. However, these analyses and reports must remain internal to the Consortium Participant.
R 4.2 Authorized Use of data by Sonar
Sonar can use the data acquired from the Consortium Participants in all of the following situations to deliver the Consortium services:
- For tasks such as data analysis and modeling to improve existing services or develop new ones. The data used for these tasks will not show a specific Consortium Participant as the data source without their permission.
- To promote the services to current and potential Consortium Participants and the public. This can include developing marketing strategies and proving marketing claims about the services. The data used in these activities will not show a specific Consortium Participant as the data source without their permission.
- To provide Consortium Participants with reports and recommendations about the services. Participants can use these to evaluate the services and plan their own marketing and business strategies.
- To assess the value of its services to current or potential Consortium Participants. Note: If sharing of PII data is required to perform the assessments prior to establishing a final Participation contractual agreement, a temporary assessment agreement must be established between Sonar and the candidate participant to ensure compliance with applicable Government Regulations.
- To help protect against security risks, fraud, and illegal activities related to the services.
- To identify activities that could be linked to terrorist activity or money laundering as defined in the USA PATRIOT Act.
R 5 Duties and Responsibilities of Sonar and Consortium
R 5.1 Maintenance of Computational Systems
Sonar will have possession of, manage, and upkeep the Data Center and Systems or designate a contract for the management and maintenance of these assets.
Sonar commits to develop and sustain, or ensure the operator of the Data Center does, proven industry-standard disaster recovery and business continuity plans. These plans are intended to ensure the Data Center and Systems keep running reliably.
Upon a reasonable prior written notice, Sonar will allow Consortium Participants to review these plans during standard business hours at Sardine's place of business.
R 5.2 Operational Responsibilities
Sonar will take reasonable measures to ensure the Data Center processes all data accurately and doesn't alter data outside the confines of the Consortium operational rules.
If Sonar discovers any processing error that leads to inaccurate data in the Consortium databases or Consortium Services, Sonar will notify all affected Consortium Participants within a reasonable timeframe.
Sonar will regularly update Documentation as needed, within a reasonable time frame, after changes to the Consortium Services are made. All available Documentation and its updates, pertinent to the Consortium Services used by Consortium Participants, will be distributed to them.
At Sardine’s sole discretion, Sonar will maintain procedures to comply with all applicable Federal Regulations.
Sonar will offer customer support, technical assistance, and issue resolution for the Consortium Services described in the documentation provided to Participants.
The appropriate customer support contact information for Sonar representatives will be made available to Participants.
Sonar will cooperate with law enforcement through 314a provisions. Upon receiving a Section 314(a) information request from FinCEN, Sonar will expeditiously search its records to determine whether it maintains any record on any entity, or organization named in FinCEN’s request.
R 6 Fees and Payments for Consortium Participants
R 6.1 Fee Obligations
Participating in the Consortium is subject to certain fees that are governed by these Consortium Operating Rules (this document), or the respective agreement held with each Participant. The following offers a clarified overview of the payment structure.
Consortium Participants start their fee obligations upon activation into a production environment. This environment represents the operational phase where Participants contribute to and gain benefits from the Consortium Services.
In case a Consortium Participant has been certified under the Consortium Operating Rules (this document), but has not yet started operating within a production environment after six months from the agreement's effective date, an interim fee arrangement is applied. This interim payment will be the minimum fee levied monthly until the Participant enters the production environment.
R 6.2 Methods of payment
The method of fee payment is stipulated in the Consortium Participant contractual agreement. If the agreement does not detail the timing and method of payment, the Consortium Participant is required to settle the invoice within thirty days from its date. The payment method should be agreeable to both the Consortium Participant and Sonar.
R 6.3 Taxes
Consortium Participants are responsible for any applicable transaction taxes arising from the services provided by Sonar. These may include, but are not limited to, sales tax, use tax, excise tax, privilege tax, gross receipts tax, transaction tax, levy, duty, charge, or other forms of governmental impositions depending on the Participant's jurisdiction. The calculation of these taxes will depend on the laws applicable to the Participant's "Ship to" address as well as Sonar's sales and use tax filing obligations.
Any changes to the "Ship to" address must be communicated to Sonar in writing, and the changes will be accounted for on a prospective basis.
Please note that the transaction taxes do not include taxes based on Sonar's net income, gross revenue, or employment obligations.
Should Sonar be obligated to remit any transaction taxes to a governmental authority, the Consortium Participant will be required to reimburse Sonar. The amount of these transaction taxes will be included in the Participant's invoice as a separate line item. If Sonar does not initially add this amount to the invoice, it doesn't waive Sonar's right to collect the remitted transaction taxes at a later stage.
Moreover, if there's an audit or any governmental action leading to the assessment of transaction taxes, Sonar retains the right to collect and remit these taxes from the Consortium Participant. The same applies if the taxes are assessed due to Sonar's actions, such as amended sales tax returns or voluntary disclosure agreements with a governmental authority.
R 7 Disputes Resolution
In cases of disagreement among Consortium Participants about the Consortium Operating Rules (this document), or the Consortium API services that can't be resolved informally, Sonar offers mediation support. Participants may engage Sonar to mediate in their dispute, and the Chairperson of the Management Committee will delegate an employee for this task. The chosen delegate will confer with the disputing parties and may arrange individual or joint meetings, evaluate the arguments, and suggest a possible resolution. However, the Participants are not obligated to accept Sonar’s proposed solution, and their involvement in the mediation process does not imply any stance on their dispute's merit. The mediation will be discontinued if any Participant expresses a written desire to do so.
As an alternative, a Participant can submit a written dispute to an Arbitration Committee. Participants can also choose to resolve their disagreement through legal means, including arbitration, provided that all parties involved agree to this method.
If a conflict arises between Sonar and any Consortium Participant and informal resolution proves unattainable, the involved parties will follow the ensuing procedure:
- The party initiating the dispute must notify the other in writing, detailing the dispute's nature. After receiving the notice, all parties should engage in good faith discussions aiming to resolve the conflict.
- If the parties fail to settle the dispute within ninety days following the notice receipt, any party can resort to legal means, including arbitration, provided all involved parties agree to it. Alternatively, a Consortium Participant can forward a written dispute to the Arbitration Committee.
R 7.1 Settlement of disputes through an arbitration committee
The Chairperson of the Management Committee can appoint members to the Arbitration Committee to handle disputes.
Once the Arbitration Committee receives a dispute, they will distribute copies to the affected Participants and may choose to appoint entities to further investigate the dispute.
All Consortium Participants are obliged to cooperate fully with any investigations conducted by the entities appointed by the Arbitration Committee. The entities investigating the dispute will report their findings to the Arbitration Committee within sixty days of receiving the dispute.
The Arbitration Committee will then review the report, analyze the facts, and decide on the dispute resolution. The Arbitration Committee's powers do not extend to modifying any provisions of the Consortium Operating Rules (this document) or making awards for damages expressly excluded or limited by these rules.
If the dispute involves less than $30,000 and/or does not result in a Participant's suspension or termination, the Arbitration Committee's decision is final and binding. However, if the dispute involves more than $30,000 or results in a Participant's suspension or termination, the affected Participant may appeal the decision to the Management Committee within five business days of receiving the ruling.
The Management Committee will then review all relevant records and may also instruct the Arbitration Committee to conduct further investigation. The Arbitration Committee will complete the investigation and communicate the results to the Management Committee within thirty days of receiving the appeal notice.
R 7.2 Right to Seek Legal Remedies
Nothing in these procedures prevents any party from instituting legal proceedings to seek equitable relief, such as a temporary restraining order or other temporary or preliminary injunctive relief, to prevent immediate and irreparable harm to that party, for which monetary damages would be inadequate, pending the final resolution of a dispute.
R 7.3 Record Keeping and Retention related to disputes
Sonar is responsible for maintaining records of all disputes and their resolutions according to its record retention policy. Affected Participants can inspect these records during regular business hours.
R 8 Suspension and Termination
R 8.1 Suspension or Termination Due to a Committee Ruling
A Consortium Participant might find themselves suspended or terminated from the services as a consequence of an Arbitration Committee or Management Committee ruling. This ruling would typically result from a dispute resolution process in line with the Consortium Operating Rules.
R 8.2 Emergency Suspension
Should Sonar identify an immediate risk to the safety of the Consortium, including but not limited to a Participant's failure to comply with the established Consortium Operating Rules (this document), the Chairperson of the Management Committee can decide to suspend services for any or all Participants. This suspension can last until the earlier of either: A) a Management Committee meeting or B) a period of one calendar month. Before effecting such action, the Chairperson of the Management Committee is obligated to inform all impacted Participants.
R 8.3 Post-Suspension Actions
As quickly as reasonably feasible after exercising suspension powers, the Chairperson of the Management Committee should convene a Management Committee meeting. The agenda for this gathering would be to discuss and obtain a simple majority vote on the continuity, adjustment, limitations, or revocation of the Chairperson's decisions regarding the suspension.
The Chairperson of the Management Committee and the Management Committee members remain exempt from any liabilities for actions taken under this clause.
R 8.4 Effects of Suspension and Termination
Participants suspended under these guidelines lose their eligibility to partake in the Consortium Services. However, they are still obliged to fulfill their ongoing duties and responsibilities according to the Consortium Operating Rules.
Upon termination, a Participant would not only lose their rights as a Participant, but they would also remain accountable for any incurred fees or charges associated with the services until the termination date. Furthermore, obligations to other Participants, arising before the termination, must also be addressed.
Upon termination, the Participant's shared data will not be shared with other Participants and will be retained only to the extent required by applicable law. Also, all access to Consortium Services, software and documentation received from Sonar must be stopped, and any physical items provided must be returned or destroyed, within five business days of termination.
Despite termination, certain clauses of the Consortium Operating Rules (this document) continue to apply.
R 8.5 Rights and Remedies
The procedures outlined above should not be interpreted as limiting the rights or remedies of Sonar or any Participant under these Consortium Operating Rules (this document) or any related agreements.
R 9 Intellectual Property
R 9.1 Licensing
Sonar grants the Consortium Participant a limited, non-exclusive license. This license, restricted to the duration of the agreement with Sonar, permits the use of provided Consortium Services as stipulated in the Consortium Operating Rules (this document) and the contractual agreement with Sonar.
R 9.2 Ownership Rights
Sonar retains all ownership rights including, but not limited to, the systems, software and all design of the Consortium Services. The retention also encompasses any enhancements, modifications, or adaptations developed in relation to the services. Participants are forbidden from reverse engineering, recreating, or copying any components of these assets.
The Consortium Operating Rules (this document) or other agreement with Sonar do not confer any right of ownership to the Participant. No licenses, rights, or interest of any sort are granted to either party regarding each other's intellectual property rights unless expressly provided in the Consortium Operating Rules (this document) or other agreements.
R 9.3 Confidentiality
Confidential information consists of proprietary documents, data, or any information shared between the Disclosing Party (Sonar or Participant) and the Receiving Party (Sonar or Participant) for the purpose of providing and using services. This includes trade secrets, business plans, strategies, customer and supplier information, systems, software, business practices, procedures, and operations. However, it excludes any information that was publicly available, lawfully obtained from a third party, independently developed, or in the possession of the Receiving Party prior to the disclosure.
The Receiving Party is obligated to maintain confidentiality by exercising utmost care in protecting the Disclosing Party's confidential Information. Any copying, selling, or disclosure of this information without the Disclosing Party's written consent is prohibited. The confidential Information must be used exclusively in relation to the rights or obligations under the Consortium Operating Rules (this document) or other contractual agreements.
R 9.4 Disclosure
In situations where Confidential Information is requested or required by a court order or similar process, the Receiving Party must promptly inform the Disclosing Party, permitting them to seek a protective order. If legally required to disclose, the Receiving Party may do so without liability, given that only the minimum required information is disclosed.
R 9.5 Return or Destruction of Confidential Information
Upon termination of Participation, the terminated Party must return all Confidential Information to the Disclosing Party or destroy it with their written consent. However, copies of the Confidential Information may be retained as per legal obligations or security procedures, and remain subject to the agreement's terms.
R 9.6 Remedies
In case of a breach, the Disclosing Party has a right to seek injunctive relief. This right exists in addition to any other remedies, acknowledging that legal remedies may not be adequate for such a breach.
R 9.7 Ownership of Confidential Information
Except as expressly granted in the Consortium Operating Rules (this document) or a contractual agreement, the Participant does not acquire any right, title, or interest in Sonar’s owned confidential information or related intellectual property rights.
R 9.8 Privacy Laws Compliance
Sonar and the Participant acknowledge that data may include private, Personally Identifiable Information (PII), confidential, customer, or consumer information. Both parties commit to adhere to applicable laws and implement procedures for the transmission, collection, processing, use, disclosure, storage, protection, and disposal of such information.
R 10 Information Security
Participation in the Consortium mandates that Sonar, Sonar agents and subcontractors, Consortium Participants, Consortium Participant agents and subcontractors, and any Data Center operator with access to the Consortium shared data develop, maintain and uphold a structured information security program that meets or exceeds the standards described in the Interagency Guidelines Establishing Information Security Standards (12 CFR part 30, et al.), created by federal banking agencies, and its future amendments.
This includes administrative, technical, and physical safeguards designed to:
- Implement a comprehensive information security program to protect the confidentiality, integrity, and availability of customer information.
- Assess the risks to customer information in their possession and implement safeguards to mitigate those risks.
- Provide employee training and awareness to ensure the security of customer information.
- Conduct regular risk assessments, monitor their systems, and respond to any security incidents promptly.
- Ensure secure system configurations, access controls, and encryption to protect sensitive customer information.
- Have policies and procedures in place to detect, prevent, and respond to unauthorized access or use of customer information.
- Oversee and monitor the security practices of their third-party service providers.