In December 2020, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”), and Federal Deposit Insurance Corporation (“FDIC,” collectively with the Federal Reserve and OCC, the “Federal Regulators”) proposed new cyber incident notification requirements for institutions that they regulate and their service providers (the “Proposal”).1 If adopted, the Proposal would expand and clarify existing notification requirements for financial institutions, which are primarily focused on consumer protection and suspicious activity reporting. Additionally, the Proposal would require service providers to notify their financial institution if certain computer security incidents occur. While the Bank Service Company Act (“BSCA”) generally subjects service providers to supervision and examination by the Federal Regulators as if the services were performed by the financial institution, this authority has not been recently used to directly regulate the conduct of a service provider.2

Comments on the Proposal are due within 90 days of publication in the Federal Register, which is expected to occur later this month or early in 2021. This Legal Update provides some background information related to incident notification requirements and the BSCA and describes the new notification requirements set forth in the Proposal.
