This is a summary of the final rule Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (12 CFR Part 304) (the Regulations) announced by the Federal Reserve, FDIC, and OCC effective May 1, 2022. You can find the full text of the Regulations here: https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf.
This summary is for informational purposes only. Before taking any action on this issue, please consult your compliance experts or attorneys.
Regulators are focused on the relationships between financial institutions and third party service providers, and the Regulations have resulted in strict rules around incident reporting and significantly more regulatory scrutiny of compliance with the new rules by banks and third party service providers.
All banks are required to give notice to their functional regulator of a “computer-security incident” (CSI) that rises to the level of a “notification incident” within 36 hours. The notice is required regardless of whether the CSI occurred within its own systems or those of a third party. CSIs include non-cybersecurity service disruptions.
“Computer-security incident” (CSI) means “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
The definition “notification incident” is complex and is discussed below.
The Regulations require that “bank service providers” (BSPs) (i.e., third party service providers) notify affected banks “as soon as possible” of an incident that the BSP believes in good faith “has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.”
The regulators claim the authority to enforce the incident notifications obligations against the regulated institutions AND third party service providers under the Bank Service Company Act (BSCA) (12 USC Ch 18). The BSCA defines services (and the associated third party service providers) subject to regulation as follows:
“…check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution,” as well as components that underlie these activities. Other services that are subject to the BSCA include data processing, back office services, and activities related to credit extensions, as well as components that underlie these activities.
The BSCA was originally adopted in 1962, and the scope of bank service company “services” is, accordingly, antiquated. It is also reasonably broad, and one can imagine that even without legislative intervention, phrases like “back office services” and “activities related to credit extensions” allow enough leeway for regulators to claim authority to regulate virtually all critical third-party-provided products, services, and systems (both customer-facing and operational).
The regulators intend to use their authority under the BSCA to impose and enforce, as necessary, the incident notification requirements directly on third party service providers (with sanctions they deem necessary): “Regulators would enforce the bank service provider notification requirement directly against bank service providers and would not cite a banking organization because a service provider fails to comply with the service provider notification requirement.”
In the Regulations’ commentary, a notification incident is described as a CSI that a banking organization believes in good faith could materially disrupt, degrade, or impair—
the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The definition of ‘notification incident’ includes language that is consistent with the ‘core business line’ and ‘critical operation’ definitions included in the resolution-planning rule issued by the Board and FDIC under section 165(d) of the Dodd-Frank Act…Banking organizations subject to the Resolution Planning Rule can use the core business lines and critical operations identified in their resolution plans to identify incidents that should be reported under the second and third prongs of the rule.
Examples include: