CitiDirect Online BankingClient LinkageMay 2010

Proprietary and ConfidentialThese materials are proprietary and confidential to Citibank, N.A., and are intended for the exclusiveuse of CitiDirect Online Banking customers. The foregoing statement shall appear on all copies of thesematerials made by you in whatever form and by whatever means, electronic or mechanical, includingphotocopying or in any information storage system. In addition, no copy of these materials shall bedisclosed to third parties without express written authorization of Citibank, N.A.

Table of ContentsModule 1: Overview of the Client Linkage Functionality. 2Responsibilities of Citibank Support of Client Linkage. 2Client Configuration Option for Client Linkage Functionality. 3Module 2: Aspects of Client Linkage. 5Overview. 5Client Linkage Inquiry. 6Compare Access Profiles.10Compare User Profiles.11Compare User Entitlements.12User Entitlements.13Executing Client Linkage.16Module 3: Examples of Client Linkage. 19Large Multinational Company (LMNC) Use Case.19Transaction Initiation Use Case.211

Overview of the Client Linkage FunctionalityModule 1: Overview of the Client Linkage FunctionalityClient Linkage in CitiDirect Online Banking provides users with the ability to perform functions acrossclients with different client configurations and definitions. Thus, the key advantages of Client Linkageare twofold: More flexible security management Cross-client interaction between related entitiesAs a gateway between related clients, Client Linkage can be one directional or multidirectionaldepending on the client interrelationship. Client Linkage facilitates the movement of users acrossrelated CitiDirect client entities without the need for multiple sign-ons or multiple sets of securitycredentials. Since Security Managers may have different privileges, Client Linkage expands the securityadministration functionality in order to support a customer’s need for centralized or decentralizedsecurity management.After the appropriate review has taken place between Citibank and your organization, the Client Linkagesolution can be implemented by Citibank for your use with CitiDirect. Additional client documentationand access approvals may be required prior to activation of the Client Linkage configuration onCitiDirect.For Security Managers, the only visible change is in the process for assigning Access Profiles. For clientsthat have client linkage capability, each Access Profile assigned to the user has the added dimension ofClient.Note: I nstead of being part of the User Profile Service Class, there is a separate Service Class —User Entitlements. This change is implemented for all security management functions, notjust those with Client Linkage.Examples are provided at the end of this document.Responsibilities of Citibank Support of Client LinkageThe responsibilities of Citibank concerning Client Linkage are to configure the Client as specified by thecustomer organization through contractual agreements, as well as provide training materials.Citibank needs to complete the following before enabling Client Linkage:1. ctivate the customer. A customer requests Client Linkage as part of the services and functionsAthat Citibank activates for its CitiDirect customers.2. I dentify customer Security Managers. Citibank creates User Profiles for the customer’s initialSecurity Managers, enabling them to access CitiDirect Online Banking with the proper securitycredentials.3. istribute security credentials to customer Security Managers. Each Security Manager receivesDa separate package of security credentials including a SafeWordTM Platinum card and a securitycredential envelope that contains a SafeWord ID and a Personal Identification Number (PIN).2

Client Configuration Option for Client Linkage FunctionalityThis presents a high-level concept of one directional and multidirectional for Client Configuration. A ClientConfiguration setting enables users of a client to link to one or more client (specified in this setting).There are several new terms associated with Client Linkage: Link Initiator: client where the configuration option is set. Users of this Link Initiator client can beenabled to act on Link Participant clients Link Participant: client related to the Link Initiator granting access to its users Home Client: client where an individual’s User Profile residesWhether the relationship is one directional or multidirectional, each client in the relationship must beconfigured by Citibank. If the relationship requires users to have cross-client access, this, too, mustbe configured by Citibank. After being granted cross-client access, users are entitled through thesecurity management processes and procedures governing the linked clients.Example 1Client A is configured with Client B as participant. Only users of Client A can have cross-client access.Example 1: One-Directional ConfigurationClient ALinkInitiatorClient BLinkParticipant3

Example 2Client A is configured with Client B as a participant. Client B is configured with Client A in its participantlist. Both users of Client A and users of Client B have cross-client access when linked to one another.Example 2: Multidirectional ConfigurationClient ALinkInitiatorClient ALinkParticipantClient BLinkParticipantClient BLinkInitiator4

Aspects of Client LinkageModule 2: Aspects of Client LinkageOverviewFor Security Managers, Client Linkage is an operational enhancement of the processes with which youare already familiar. Many of the components of client security management are unchanged.1. Access Profiles, User Profiles, Flow Controls, Libraries and client settings remain specific to each client.2. The processes of building these profiles for each client are still the same.What is critical to Security Managers who are entitling users with Client Linkage is a clear understandingof their orientation with respect to the clients with whom the entitled users are linking. SecurityManagers must always be aware of:1. The home client to which the user belongs (i.e., where the user is located);2. What they want the Client Linkage user to be able to do in the linked client environment and wherethat action takes place. Since the rules governing each client in the link relationship may differ, it isimportant to understand the context of the entitlement being granted (flow of the participant client,etc.). In short, the Security Manager must be able to grant entitlements to the Client Linkage userthat properly function in the linked client environment.In order to facilitate this entitlement process for Client Linkage, CitiDirect Online Banking provides somenew tools to the Security Manager — such as Client Linkage Inquiry.5

Client Linkage InquiryYou can view all the clients to which the selected client can link and be linked by performing the stepslisted. This also allows you to view the Access Profiles for each client and the users assigned to aselected profile.12341Select the Inquiry Category on the navigation bar.2Select the Access Management Inquiry Service Class on the navigation bar.3Select the Client Linkage Inquiry Service Class on the navigation bar.4Click Submit. The Summary tab displays.6

The Summary tab appears.55 The Summary tab displays the clients to which a client can link (Link Participants to the selectedclient) and be linked (Link Initiators).7

The Access Profile List tab appears.66Select the Access Profile List tab.The Access Profile List tab displays the associated Access Profiles for any selected client from theSummary list.8

The Client User List tab appears.77Select the Client User List tab.The Client User List tab displays the users associated to a particular Access Profile within theselected Access Profile List.9

Compare Access ProfilesNote: Even though these clients are linked, they have their own specific Access Profiles for theirrespective client. Access Profiles are derived from services available to each specific client.10

Compare User ProfilesNote: E ven though these clients are linked, they have their own specific User Profiles for theirrespective client. Individuals should have a single User Profile (within their home client) andbe granted entitlements to access profiles available in linked clients as required.11

Compare User EntitlementsNote: Even though these clients are linked, they have their own specific User Entitlements for theirrespective client. User Entitlements within a client are specific to the User Profiles of thatclient only. User Entitlements (the Access Profiles assigned to users) can be cross-client innature under Client Linkage.12

User EntitlementsFor clients that can link to another client (Link Initiator clients), user entitlement can be granted to userswith respect to: A user’s home client (the one in which they are being built) Any clients to which their home client can link (Link Participant clients)Note: A user must have entitlement to at least one Service Class in their home client.The User Entitlements Summary screen appears.13241Select the Access Management Category on the navigation bar.2Select the User Entitlements Service Class.3Either select a row from the Summary screen to modify entitlements of a user–OR–4 Click New to assign entitlements to a new user. Use the Search dialog box to locate the new user.Click Apply to assign the entitlements.Note: Depending upon whether the user’s client is allowed to link to other clients, a different formwill be presented.13

The User Entitlements Detail screen appears.55Click Add on the Access Profile sub-form to assign new entitlements.The Library Look Up Dialog screen appears from which to choose Access Profiles.5a5a A cross-client list of Access Profiles appears. This Access Profile function allows you to choose fromthe list of the displayed Access Profiles. Click OK to return to the User Entitlements Detail screen.14

Note: Security Managers may assign new entitlements to users in this manner if the client is a LinkInitiator and the Security Manager has cross-client entitlement.The User Entitlements Detail screen reappears, allowing you to complete assigning user entitlements.66Click Submit in order to process your selections.Note: If you are acting as Security Manager for a Link Participant, you will need to Execute ClientLinkage to link to the appropriate client before doing your Security Manager-type tasks(Access Profile, User Profile, User Entitlements, etc.).15

Executing Client LinkageThe sequence of steps presented in the next few screens demonstrates how easy it is to link to clients.The Client Linkage screen displays once the Client Linkage function is selected from the Preferencesmenu. Only users that have cross-client entitlements will see the Client Linkage option on theirPreferences menu.1231This is the current client, CITIDIRECT CUSTOMER.2Click Preferences on the bottom left of the screen (below the navigation bar).3Select the Client Linkage option on the Preferences menu.16

The Client Linkage screen appears.457684The Current Effective Client name field. This displays the current client.5The Current Effective Client Address field. This displays the current client address.6Click the Link to (Client) Library Look Up icon. This displays the chosen linkage client.7The Link to (Client) Address field. This displays the chosen linkage client address.8 Click Apply to link to the chosen client.Note: In this example, the current client can link to only one client; thus, this information fills inautomatically. Otherwise, a Library Look Up dialog box displays where you: Choose the Client Name to which linkage is required Click OK to link to the client chosen in the Library Look Up dialog box17

The Confirmation message appears.99Click OK to acknowledge the successful linkage confirmation message.This is the view of information that is changed according to the Linked Client.1011131210 CITIDIRECT CUSTOMER has changed to CITIDIRECT CUSTOMER ONE, the Linked Client.11 These fields have changed. Instead of the information for CITIDIRECT CUSTOMER, they now reflectthe information for CITIDIRECT CUSTOMER ONE, the Linked Client.12 The navigation bar has refreshed to reflect your entitlements in the current effective client,CITIDIRECT CUSTOMER ONE.13 These fields have cleared out.18

Examples of Client LinkageModule 3: Examples of Client LinkageIn this section, you will read examples of how using Client Linkage can simplify global operations whilemaintaining the security of those transactions.Large Multinational Company (LMNC) Use CaseLMNC has the need to create a centralized security management organization. As the Link Initiator,the North American office of LMNC creates a one-directional linkage to accommodate its centralizedsecurity structure. With Client Linkage, the North American office can manage security and entitlementsfor all the Link Participants in their various locations, such as LMNC Argentina, Columbia, Panama, Braziland Guatemala.One-Directional ConfigurationEach location will be responsible for execution and reconciliation of its transactions. However, becausethis is a one directional linkage, the various LMNC locations will not be able to use Client Linkage toaccess the North American location or any other LMNC location.19

In another scenario, a large corporation sought to reduce the heavy workload of central office SecurityManagers. Its solution was to decentralize some security management functions due to increasedworkload on the central office Security Managers. Using Client Linkage’s multidirectional option,the central office has control over all locations but can delegate the management of security andentitlements to other offices for some of the Link Participants at their various locations.Multidirectional ConfigurationClient Linkage has the flexibility to address both centralized and decentralized security management,allowing greater control and responsiveness to all locations in an organization.20

Transaction Initiation Use CaseThe Senior Treasurer of a food importer with offices in London, Strasbourg, Oslo, Beirut, Mumbai andHong Kong needs to authorize all payments involving currencies other than the local currency of thatoffice. If the transaction is in excess of a negotiated amount, many of the importer’s suppliers requirepayment in either euros or U.S. dollars, depending upon the relative strength of each.Using Client Linkage greatly simplifies and expedites this process. As the Link Initiator, the SeniorTreasurer is linked to the Link Participant offices in London, Strasbourg, Oslo, Beirut, Mumbai andHong Kong. As such, the Treasurer is entitled to authorize those transactions involving an exchange ofcurrencies efficiently and conveniently. Client Linkage eliminates the Senior Treasurer’s multiple signons as a user in the London office, a user in the Strasbourg office, a user in the Oslo office, etc. Thus,Client Linkage allows this food import company to leverage the foreign exchange expertise of its SeniorTreasurer across all locations.21

The authoritative and official text of this CitiDirect documentation shall be in the English language as used in the United States of America.Any translation of any CitiDirect documentation from English to another language is done solely for the convenience of the reader, and anyinconsistencies or inaccuracies between the English text and that translation shall be resolved in favor of the English text.These materials are proprietary and confidential to Citibank, N.A., and are intended for the exclusive use of CitiDirect Online Bankingcustomers. The foregoing statement shall appear on all copies of these materials made by you in whatever form and by whatever means,electronic or mechanical, including photocopying or in any information storage system. In addition, no copy of these materials shall bedisclosed to third parties without express written authorization of Citibank, N.A.Customer shall be solely responsible for the use of any User identifications, passwords and authentication codes that may be provided toit, from time to time, in connection with CitiDirect Online Banking (collectively, “User IDs”). Customer agrees to keep all User IDs strictlyconfidential at all times. Customer shall immediately cease use of CitiDirect Online Banking if it receives notification from Citibank, orotherwise becomes aware of, or suspects, a technical failure or security breach of the Platform. Customer shall immediately notify Citibankif it becomes aware of, or suspects, a technical failure or security breach.May 201022

Global Transaction 2010 Citibank, N.A. All rights reserved. Citi and Arc Design and CitiDirect are trademarks and service marks ofCitigroup Inc. or its affiliates, used and registered throughout the world. All other trademarks are the propertyof their respective owners.650366GTS254845/10