On November 18, 2021, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”) and Federal Deposit Insurance Corporation (“FDIC,” collectively with the Federal Reserve and OCC, the “Federal Regulators”) finalized new cyber incident notification requirements for institutions that they regulate and their service providers (the “Notification Rule”).1 The Notification Rule expands and clarifies existing notification obligations of financial institutions, which are primarily focused on consumer protection and suspicious activity reporting. Additionally, the Notification Rule will require service providers to notify their financial institution customers if certain computer security incidents occur. While the Bank Service Company Act (“BSCA”) generally subjects service providers to supervision and examination by the Federal Regulators as if the services were performed by the financial institution, this authority has not been recently used to directly regulate the conduct of a service provider.2

The Notification Rule takes effect April 1, 2022, and compliance is required beginning May 1, 2022. This Legal Update describes the new Notification Rule. Please see our Legal Update on the proposed Notification Rule for background information on bank incident notification requirements generally and the BSCA.
