February 2019

FEBRUARY 2019

Zopa CIO on PSD2 and customer relationships – Page 6 (Feature Story)

Bulgaria passes GDPR amendments despite security concerns – Page 10 (News and Trends)

GDPR and how a U.S. equivalent would look – Page 14 (Deep Dive) table of CONTENTS

03 WHAT’S INSIDE A look at the latest PSD2-related retail payment, data policy and compliance regulation news and developments

06 FEATURE STORY An interview with Didier Baclin, chief innovation officer for P2P loan company Zopa, on PSD2 and how it’s changing customer relationships

10 NEWS AND TRENDS The most recent PSD2 and GDPR trends, including how European businesses and consumers are responding to the regulations

14 DEEP DIVE An in-depth look into how other countries are reacting to PSD2 and GPDR, and how a U.S. equivalent could look

16 ABOUT Information on PYMNTS and Whitepages Pro

ACKNOWLEDGMENT The PSD2 Tracker™ was done in collaboration with Whitepages Pro, and PYMNTS is grateful for the company’s support and insight. PYMNTS.com retains full editorial control over the findings presented, as well as the methodology and data analysis. 3

More European businesses are becoming compliant with the Revised Payment Services Directive (PSD2) and AROUND THE PSD2 AND GPDR WORLD General Data Protection Regulations (GDPR) by the week, but adherence isn’t without its challenges. Becoming Bulgaria is acting quickly to implement GPDR. The compliant with the European Union’s open banking country’s Parliament passed related amendments early ecosystem provides fraudsters with ample opportunities in 2019, but reservations remain about the associated to commit crime. security issues. As GDPR and PSD2 compliance become necessary in the EU, Bulgaria appears to be prioritizing Fifty-two percent of cyberattacks reported in the EU its citizens’ data protection and security. targeted firms that were subject to PSD2, meaning local businesses and payment providers will need to stay The spread of open banking across the EU is prompting on guard. That’s not to say that the directive has hit a businesses, payment providers and retailers to keep plateau, though. An increasing number of companies a closer eye on their compliance, too. Card network are now turning to PSD2-compliant application program Mastercard, in partnership with open banking solutions interfaces (APIs) that support payments. provider Konsentus, has added an identity and regulatory checking product to its suite of open banking services. These regulations aim to restore trust by giving The offering will review third parties looking for account consumers control of their data, but many in Europe access, and confirm that they are both legitimate and are still adjusting. Just 53 percent of those in the U.K. compliant with PSD2 and other European regulations. said they would give their banks their mobile phone numbers, which can put a damper on open banking Countries outside the European Union are also services. Under PSD2, many lenders and other financial experimenting with regulations similar to PSD2 and institutions (FIs) can use customers’ mobile numbers GDPR. South Africa is currently testing out open banking, to send them passcodes and other credentials. FIs will the concept that PSD2 introduced to Europe. Though it need to win their customers’ trust — and ensure them has yet to implement a similar regulation, the country’s that their data is not being misused — before they can willingness to change how it treats and interacts with utilize PSD2’s benefits, however. customer data speaks to PSD2’s global influence.

As businesses and payment providers adhere to the ruling, they also need to be aware of accompanying regulations like EMV 3D Secure Authentication. The ruling takes effect in September, but it is currently With consumers and regulators both unclear whether EU retailers will be ready. Read more watching GDPR’s effects, is it likely that on this story and other global PSD2 developments in the the U.S. will pass a similar regulation? As Tracker’s News and Trends section (p. 10). such, how would that version look?

MERCHANTS, CUSTOMERS AND FIs ARE CHANGING THEIR RELATIONSHIPS UNDER PSD2 “Following the [passing of the] GDPR, we expect this theme of ‘more transparency for the user on how their Merchants and companies are reevaluating how they data is being used and by whom’ to gather momentum, not just in the U.S. but [around] the globe. California is interact with each other as they become compliant leading the way in the U.S. with [the California Consumer with Europe’s PSD2 regulation. Data transparency Privacy Act], and Washington state is proposing a similar under the directive represents a unique opportunity law to GDPR, as well. Eventually, we expect a federal law to “level the playing field” between smaller companies will replace most of these state laws. and incumbent financial players, according to Didier The data entities covered will resemble the GDPR law, Baclin, chief innovation officer for person-to-person [including] most [personally identifiable information] (P2P) loan service Zopa. For this month’s Feature Story data with fundamental rights around transparency and choice, being informed and being ‘forgotten’ [as] the (p. 6), PYMNTS spoke with Baclin about increased data underpinnings... transparency, consumers’ changing role in open banking In the U.S., however, the thing to note is [that] industry- and how these relationships will continue to evolve specific regulations — such as HIPPA and [the] Gramm- in the future. Leach-Bliley Act laws — are already in place. These carve- outs for specific industries will happen and continue to have precedent. We also believe that, just like in the EU, DEEP DIVE: GDPR, PSD2 AND fraud prevention and similar exemptions will be carved POTENTIAL REGULATION IN THE U.S. out as well, given [that] the interests around the use of the data are aligned between the actual data subjects, EU-wide compliance with PSD2 and GDPR is growing, information controllers and processor entities. and the United States is taking notice. Support We suspect the U.S. laws will target businesses with for a similar regulation is gaining speed among commercial activity at a certain scale, only so that small government and industry experts in the country, which businesses do not have an onerous burden of complying is now considering implementing a similar regulation. with the law and stifling small business growth.

Businesses that operate in Europe are already required Today, the engineering systems are not in place to fulfill to comply with GDPR and PSD2, but is there a need for these provisions and laws, so there will need to be a the law to be replicated in the U.S. — and, if so, would couple years lead-time so that business can update their it work? This Tracker’s Deep Dive (p. 14) takes a look at processes to handle the data and be in compliance once a new law is passed.” how such a U.S. regulation would look, and how it would affect consumers and businesses. SPENCER MCLAIN, vice president of Europe, the Middle East and Asia at Whitepages Pro

© 2019 PYMNTS.com All Rights Reserved fast five 5 FACTS 75% Share of online EU retailers that are not aware of the payment security standard coming into 52% effect in September Portion of cyberattacks that targeted businesses subject to PSD2 from 2017 to 2018 80% Share of Dutch consumers that are currently 53% unaware of PSD2 Share of U.K. consumers who are willing to give banks their mobile numbers 87% Portion of schools that believe they are compliant with GDPR

HOW PSD2 IS CHANGING Lending In The UK

PSD2 launched in January 2018 and has been active “There’s always that question around data, and [if] people in the EU for a little over a year, meaning banks, are really going to share this type of data with [us],” merchants and customers are becoming used to it and Baclin said of the company’s products, which include a its accompanying GDPR data privacy law. They’re also new pre-loan income verification service developed in seeing their relationships with each other change. partnership with fellow U.K. company TrueLayer. “We saw that when there was a clear gain for customers — in Customers may be comfortable browsing the internet this case, having that frictionless experience — people or making financial transactions on their smartphones, are willing to go through and share their data with you.” but growing data safety concerns mean they don’t necessarily feel the same about sharing their phone SECURITY, VERIFICATION AND THE numbers or bank credentials. Additionally, third-party BENEFIT OF DATA providers and retail merchants are showing greater interest in how open banking- and PSD2-mandated data Bank data that was previously siloed became accessible transparency may give them a larger stake in customer to Zopa under PSD2, representing a beneficial relationships. opportunity for its customers. The company was one of the first to partake in the open banking ecosystem, and Signing up for a new financial product or service needs maintaining top-notch security was high priority as it to remain as convenient and secure as possible if third- worked toward a more seamless user experience, Baclin party providers want to gain the trust and loyalty of explained. A host of tools were used to make Zopa’s loan modern consumers, Didier Baclin, chief innovation officer application process simpler, and the overall experience of U.K.-based P2P loan provider Zopa, told PYMNTS in a ended up much different than it began. recent interview. “Traditionally, people would have had to upload a pay slip or some such information to prove that they indeed have

the salary that they declared, but using open banking … “The amount of data has increased, but it’s increased you can opt into the old way or the new way,” he said. one-to-one with the customer’s consent,” he stated. “We can’t just ask an incumbent bank … to please give [us] all Zopa saw an “overwhelming response” from customers of the customer data about anyone. That doesn’t happen who were willing to share their data. They can share their today, and I don’t see it happening ever.” bank credentials and gain immediate access to the loan they’ve requested, “because [the company has] been As money movement and data transparency become able to verify [their] information automatically.” Baclin more established under PSD2 and open banking, Baclin was quick to add that data security was made visible believes there will be a demonstrative effect on the to foster consumer trust, enabling users to understand relationships between merchants and consumers. exactly how their data is protected. PSD2 AND THE MERCHANT More importantly PSD2’s data transparency mandate has RELATIONSHIP created a leveler playing field for challengers like Zopa. Merchants and customers can explore new ways of “A few years ago, you can imagine the case of the big transacting with PSD2, specifically when it comes to incumbent bank,” he added. “They have, say, 10 million payment initiation and strong customer authentication customers and a lot of rich data, but for those customers (SCA), which will become effective this September. to opt into a different financial provider, it might not have According to Baclin, push payments are bound to be an always felt that easy. Having access to the data that they area of particular interest. have with their banking partner allows us to accelerate that opt-in. … It may have been different in the past when “Acquiring costs for merchants are quite large today,” that data operability just didn’t exist.” he said. “[With push payments,] you could be on a merchant’s website and you could have the option to Availability is also changing how companies approach say, ‘Hey, pay me through your bank directly and, if you customer data when creating new products. Zopa do that, maybe I’ll give you a percent off, because that’s is utilizing data transparency to create a money actually the money I save.’ That’s something that I would management app that will provide customers with expect merchants to try.” spending, debt management and other financial task insights, for example. The company plans to beta test Though some companies were quick to implement PSD2, the offering sometime this year. merchants may take longer to incorporate SCA because the increased security that comes with it could decrease A key factor to note is the changing role of the customer, conversions for transactions over 50 euros, Baclin Baclin said, as potential use cases and collected insights explained. The silver lining, however, is that there will be are only possible with customers’ expressed consent. fewer fraud costs for merchants and banks alike.

PSD2 AND THE FUTURE OF OPEN BANKING

Merchants, banks, consumers and third-party providers will all need to keep a careful eye on PSD2 and any other regulations that take effect around the world. The technologies companies use to keep customer experiences frictionless will become even more integral to success with the playing field leveled, Baclin stated. It’s there that third parties and startups may have a leg up over incumbents.

“As we build new technology, we are thinking, ‘What is the new regulation that’s coming down the pipe?’ even if it’s not there today,” he said. “We have [the ability] to make those changes in a way [that] the incumbents just cannot match.”

How relationships between merchants, banks and customers will change remains to be seen as PSD2 further establishes itself in the EU’s banking ecosystem. It is clear that data will continue to be essential in the future, however.

PSD2 AND PAYMENTS digital payment experience. It will also improve security on both sides of the transaction by utilizing newer MOST EUROPEAN RETAILERS authentication methods such as biometrics. UNAWARE OF NEW PAYMENT REGULATION TRUELAYER PAYMENT API ENABLES OPEN BANKING PAYMENTS A recent survey found that 75 percent of retailers in the EU are unaware of the EMV 3D Secure Authentication London startup TrueLayer has built out a payment standard that will come into effect in September. initiation solution helping businesses to accept open Implementing the standard is going to take time, banking payments. The company’s Payment API allows however, and 51 percent of these merchants noted they firms to make secure faster payments in the open intend to implement it after the September deadline. banking ecosystem, enables immediate settlement and requires active bank authentication before money leaves The regulation will improve security when customers an account. In addition, the receiving bank or business make digital payments, and its goal is to make strong cannot view customers’ bank details throughout the customer authentication (SCA) an integral part of the payment process.

SECURITY CONCERNS to GDPR. The company’s clients include the U.S. Department of Defense, the Scottish government and the AND DATA BREACHES U.K.’s National Health Service.

GOOGLE FINED $56M FOR GDPR DELIVEROO FACES DATA SECURITY NONCOMPLIANCE QUESTIONS A French data regulatory body, the Commission nationale U.K. food delivery app Deliveroo is investigating fraud de l’informatique et des libertés (CNIL), has fined Google on some of its customers’ accounts. Impacted users approximately $56 million USD for a GDPR breach. Its were charged for orders they never made, which could decision is the result of complaints that two French be a result of a breach on another platform. One case in privacy rights groups filed against the tech giant in May particular cost a customer nearly £1,000 ($1,292 USD). 2018. Google volated GDPR when using customer data for ad personalization, according to the filing, as it did “The activity reported arises from customers using not obtain “clear consent” from users to do this. Google the same usernames and passwords on multiple responded, stating that it was “studying the decision” to online accounts, and those details [were found] in a inform further action. data breach on another platform, not on Deliveroo,” a Deliveroo spokesperson said, implying that the fraud RUBRIK MAY FACE GDPR FINE FOR was caused by credential stuffing attempts. “As soon DATA BREACH as any customer makes us aware of fraudulent activity, we immediately suspend [his or her] account to prevent Cloud management and IT security company Rubrik further fraud. Deliveroo takes this issue extremely could face fines after suffering a data leak due to an seriously and is constantly working to combat fraud on exposed server. The leak potentially shared corporate behalf of our users.” clients’ emails, job titles, phone numbers and European businesses’ details — the latter making Rubrik subject

While the level of fraud on the platform is limited, REGULATORY noncompliance with GDPR could result in an increase in such cases. Just 29 percent of EU firms are currently NEEDS AND PSD2 compliant, leading to security weaknesses and PARTNERSHIPS customer concerns. BANCO BNI EUROPA PARTNERS WITH NDGIT FOR PSD2, OPEN BANKING TWITTER DATA BREACH CALLS ITS GDPR COMPLIANCE INTO QUESTION Portuguese FI Banco BNI Europa partnered with software-as-a-service (SaaS) provider NDGIT early in The Irish Data Protection Commissioner (DPC) is 2019 to boost its open banking capabilities, enabling it looking into Twitter for a second time following the to become PSD2-compliant. NDGIT, which uses APIs for social media site’s most recent data breach, raising its solutions, is working with approximately 20 European questions regarding its GDPR compliance. Companies banks. Its “PSD2-ready” solution provides “ready-made that are not adhering to the regulation can face severe APIs” that can be configured for individual banks’ needs financial consequences, and Twitter could be fined up while still complying with PSD2. to 4 percent of its global revenue if found guilty. The DPC has been investigating Twitter since November for MASTERCARD PARTNERS WITH similar breaches. KONSENTUS FOR PSD2 ID, “We actively notify the Office of the Irish Data Protection REGULATORY CHECKS Commissioner and the public of these issues as Mastercard is partnering with SaaS provider Konsentus appropriate,” Twitter said late last month. “We are to provide a PSD2 identity and regulatory checking fully committed to working with the Data Protection service as part of its suite of open banking tools. The Commissioner’s Office to improve the already-strong solution will ensure that third parties seeking access to data and privacy protections we offer to the people who customer accounts are legitmate, and that FIs will only use our services.” be able to provide data to “approved third-parties.” PSD2

opens previously siloed bank data to those providers. personal data. One of the main differences is that APPI This will help alleviate customers’ security concerns, as applies to all personal data in Japan, while PSD2 does many fear open banking may reveal new opportunities to not have that far of a reach. fraudsters. AXIOM SUPPORTS APPLE CEO’S CALL AMAZON, SPOTIFY ACCUSED OF GDPR FOR GDPR-LIKE REGULATION IN US NONCOMPLIANCE A week after Apple CEO Tim Cook penned an op-ed in Austrian privacy activist Max Schrems, who leads the Time magazine in favor of a GDPR-like regulation in the privacy group noyb, is challenging eight streaming U.S., data broker Axiom also voiced its support. Such a companies on their adherence to GDPR and other EU regulation would create a new way for customers and privacy laws. The complaint — which accuses Amazon, businesses to interact through data sharing. Cook called Apple, Netflix, Spotify and Youtube, among others — on the Federal Trade Commission (FTC) to build a “data states that these firms failed to provide the background broker clearinghouse,” requiring data brokers to register information necessary to help consumers understand with it and allow customers to track the whereabouts of how their data is being used. It was filed with the their data. That information is often bundled and sold as Austrian Data Protection Authority, but a decision has not it changes hands. yet been made regarding its validity. Axiom, one of the world’s largest data brokers, acts as a “Many services set up automated systems to respond middleman for data transfers, supervising them as they to access requests, but they often don’t even remotely move from party to party. Its role may soon be different, provide the data that every user has a right to,” Schrems should the U.S. pass a regulation similar to GDPR and said. “In most cases, users only got the raw data, but … depending on how closely it follows the EU’s example. no information about who this data was shared with.” BULGARIA PASSES GDPR OPEN BANKING AND AMENDMENTS AMONGST DATA GLOBAL CHANGES PROTECTION CONCERNS The Bulgarian Parliament approved GDPR amendments EUROPEAN COMMISSION RECOGNIZES in January, but some members are still concerned about JAPAN’S DATA PROTECTION SYSTEM the country’s data security. In addition, several expressed apprehension about whether GDPR will affect media The European Commission has come to an “adequacy freedom. How and when data can be used is one of the decision” regarding Japan’s data protection legislation, regulation’s primordial questions, and Bulgaria will need the Japanese Act on the Protection of Personal to carefully consider data protection and security to Information (APPI). The decision means the two regions ensure that distributed data is still protected as it puts can now send data and money between their networks these laws into place. while remaining compliant. APPI mirrors PSD2 by putting new rules into play regarding Japanese consumers’

GDPR AND HOW A US EQUIVALENT WOULD LOOK

GDPR was signed into law in 2016, and it has since been consider such a new privacy legislation. Marc Rotenberg, a point of debate for regulators, businesses, banks and president of the Electronic Privacy Information Center, is industry professionals in the EU and around the globe. also in favor, especially considering that U.S. firms must Data privacy, online advertisements and digital payments comply with GDPR if they operate in European markets. are causing some countries to consider GDPR-like regulations, while others like South Africa are creating While the U.S. is debating the necessity of a regulation open banking ecosystems despite having yet to pass any matching the size and scope of GDPR, increasing similar regulations. online payments and services, the rising number of data breaches and social media’s data usage in 2017 There is mounting support for a U.S. regulation like and 2018 have all contributed to a call for enhanced GDPR. Technology companies Google and Apple, consumer protections. Most in the data privacy industry among others, have recently urged federal lawmakers to and government agree that there is a need to do more.

SOCIAL MEDIA BREACHES LEAD TO GDPR, TECHNOLOGY AND THE FUTURE DATA PRIVACY CHANGES OF DATA

How social media platforms use consumers’ information Regulators will not only have to determine the need, has become more of a concern over the last few years, scope and potential applications of a new data privacy particularly in the wake of Facebook’s Cambridge law, but also consider the infrastructure necessary to roll Analytica scandal. The event revealed the extent to it out. The EU had already implemented faster payments which Facebook and other social platforms were sharing and other important facets for open banking, but the U.S. data with third parties, resulting in these companies payments ecosystem is still catching up. tightening the noose around data sharing. In fact, many that rely on social data are now utilizing providers that That ecosystem currently supports open banking and authenticate users with machine learning. data transparency, both of which would presumably be required under a GDPR-like law, but U.S. banks and This Facebook scandal burst into public consciousness other businesses would also need to consider new when GDPR had just taken effect for businesses and technologies given how far behind they are on faster retailers in the EU. American consumers, who were payments. APIs are becoming a larger part of the discovering that the social media giant had allowed third- payments landscape in the EU, and American banks will party providers like banks and Netflix to access their private need to make use of them if a similar regulation passes messages, were left watching as EU residents were given in the U.S. the right to request their data or have it deleted. Of course, this all depends on where lawmakers and As a result, some U.S. lawmakers moved forward with consumers land when it comes to the future of data and their GDPR-like plans. Legislators in California passed a online connectivity. It remains unclear whether the U.S. regulation, set to become effective in 2020, allowing the will implement something with the same scope of GDPR, state’s residents to request and/or delete their personal but new data infrastructure will be necessary if it wants data from third-party providers — a ruling that may be one to support consumers’ and businesses’ overwhelming of the reasons a federal regulation is now up for debate. calls for data privacy. If each U.S. state enacted its own regulations, technology companies would have to comply with 50 separate data policies. A federal law, by comparison, would cover the entire country.

about

PYMNTS.com is where the best minds and the best content meet on the web to learn about “What’s Next” in payments and commerce. Our interactive platform is reinventing the way in which companies in payments share relevant information about the initiatives that shape the future of this dynamic sector and make news. Our data and analytics team includes economists, data scientists and industry analysts who work with companies to measure and quantify the innovation that is at the cutting edge of this new world.

Whitepages Pro is an international identity data company that provides businesses with global identity verification solutions via enterprise-scale APIs and web tools to help companies identify legitimate customers, prevent fraudulent transactions, and smooth new customer creation.

We are interested in your feedback on this report. If you have questions or comments, or if you would like to subscribe to this report, please email us at [email protected]

disclaimer

The PSD2 TrackerTM may be updated periodically. While reasonable efforts are made to keep the content accurate and up-to-date, PYMNTS.COM: MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, REGARDING THE CORRECTNESS, ACCURACY, COMPLETENESS, ADEQUACY, OR RELIABILITY OF OR THE USE OF OR RESULTS THAT MAY BE GENERATED FROM THE USE OF THE INFORMATION OR THAT THE CONTENT WILL SATISFY YOUR REQUIREMENTS OR EXPECTATIONS. THE CONTENT IS PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS. YOU EXPRESSLY AGREE THAT YOUR USE OF THE CONTENT IS AT YOUR SOLE RISK. PYMNTS.COM SHALL HAVE NO LIABILITY FOR ANY INTERRUPTIONS IN THE CONTENT THAT IS PROVIDED AND DISCLAIMS ALL WARRANTIES WITH REGARD TO THE CONTENT, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT AND TITLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES, AND, IN SUCH CASES, THE STATED EXCLUSIONS DO NOT APPLY. PYMNTS.COM RESERVES THE RIGHT AND SHOULD NOT BE LIABLE SHOULD IT EXERCISE ITS RIGHT TO MODIFY, INTERRUPT, OR DISCONTINUE THE AVAILABILITY OF THE CONTENT OR ANY COMPONENT OF IT WITH OR WITHOUT NOTICE.

PYMNTS.COM SHALL NOT BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND, IN PARTICULAR, SHALL NOT BE LIABLE FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE, OR LOSS OF USE, ARISING OUT OF OR RELATED TO THE CONTENT, WHETHER SUCH DAMAGES ARISE IN CONTRACT, NEGLIGENCE, TORT, UNDER STATUTE, IN EQUITY, AT LAW, OR OTHERWISE, EVEN IF PYMNTS.COM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SOME JURISDICTIONS DO NOT ALLOW FOR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, AND IN SUCH CASES SOME OF THE ABOVE LIMITATIONS DO NOT APPLY. THE ABOVE DISCLAIMERS AND LIMITATIONS ARE PROVIDED BY PYMNTS.COM AND ITS PARENTS, AFFILIATED AND RELATED COMPANIES, CONTRACTORS, AND SPONSORS, AND EACH OF ITS RESPECTIVE DIRECTORS, OFFICERS, MEMBERS, EMPLOYEES, AGENTS, CONTENT COMPONENT PROVIDERS, LICENSORS, AND ADVISERS.

Components of the content original to and the compilation produced by PYMNTS.COM is the property of PYMNTS.COM and cannot be reproduced without its prior written permission.

You agree to indemnify and hold harmless, PYMNTS.COM, its parents, affiliated and related companies, contractors and sponsors, and each of its respective directors, officers, members, employees, agents, content component providers, licensors, and advisers, from and against any and all claims, actions, demands, liabilities, costs, and expenses, including, without limitation, reasonable attorneys’ fees, resulting from your breach of any provision of this Agreement, your access to or use of the content provided to you, the PYMNTS.COM services, or any third party’s rights, including, but not limited to, copyright, patent, other proprietary rights, and defamation law. You agree to cooperate fully with PYMNTS.COM in developing and asserting any available defenses in connection with a claim subject to indemnification by you under this Agreement.