As the relationships between traditional banks and financial
technology companies (“fintechs”) become more complex
and interconnected, greater regulatory scrutiny over these
relationships is a certainty. The Bank Service Company Act
(“BSCA”),[1] an old law that is getting
newfound attention, provides one avenue for the U.S. federal
banking agencies to learn of the existence of certain relationships
between banks and fintechs. This is because the BSCA requires banks
to notify their banking regulators of contracts and relationships
with technology service providers and other companies that provide
services to them. However, it does not require banks to notify
their service providers that they have been so identified. As a
result, many fintechs and other bank service providers may be
completely in the dark as to their status under the BSCA and
potential exposure under federal banking law and regulation.
Fintechs that provide services to banks should prioritize the
need to better understand the BSCA and, at the very least, they
should ask their bank customers whether they have been identified
as a service provider under the BSCA in any notice or other
communication to a banking regulator.
What Is the Bank Service Company Act?
Section 7(c) of the BSCA requires depository institutions to
notify, in writing, their respective federal banking agency of
contracts and relationships with technology service providers
(“TSPs”), including major payment platforms and cloud
service providers, and other companies that provide certain
services. Services covered by the BSCA include check and deposit
sorting and posting, computation and posting of interest,
preparation and mailing of checks or statements, and other
clerical, bookkeeping, accounting, statistical, or similar
functions such as data processing, online banking, and mobile
banking services. Notice may be provided in a number of ways, but
the FDIC has an optional form to assist banks in their
compliance.[2]
Significantly, Section 7(c) of the BSCA subjects a service
provider’s performance of services to “regulation and
examination . . . to the same extent as if such services were being
performed by the depository institution itself.” Accordingly,
the BSCA has provided the statutory basis for regulatory
examinations of TSPs. In practice, the banking agencies coordinate
their supervision of TSPs through the Federal Financial
Institutions Examination Council (“FFIEC”), whose
members include the Federal Reserve, the FDIC, the OCC, the NCUA,
and the CFPB. The FFIEC has developed practices regarding which
service providers actually get examined, the frequency of exams,
and the scope of supervision.[3] An exam centers on the
services provided and key technological and operational controls
and may identify various compliance weaknesses that require
corrective action or remediation. An exam culminates in an assigned
rating, or grade, which determines the degree of supervisory
attention necessary for the particular service provider.
Why Is This an Issue Now?
Banking regulators have long been concerned about the risks
arising from banks’ outsourcing of certain services to
third-party providers and the need for robust risk management
practices, at both the bank and the third-party provider and with
respect to the way in which they interact.[4] Recently,
regulators have undertaken efforts to update existing guidance to
promote consistency among the agencies’ guidance on
third-party risk management,[5] and have also issued
guidance specifically to help community banks’ due diligence
on prospective relationships with fintechs.[6]
Business continuity and incident response planning are areas of
heightened supervisory concern. According to the FDIC, examiners
have observed that some TSP contracts do not require the service
provider to maintain a business continuity plan, establish recovery
standards, or define contractual remedies, and in some cases, they
do not sufficiently address a TSP’s security incident
responsibilities. Long-term contracts and contracts that
automatically renew may be, as the FDIC puts it, at higher risk for
“coverage gaps.”[7]
To address the risk of banks’ data and systems being
affected by cyberattacks and related criminal activity, the federal
banking agencies have recently proposed a rule that would require a
bank to provide its primary federal banking regulator with prompt
notification of any computer-security incident that rises to the
level of a notification incident (the “Proposed
Rule”).[8] Notification would generally be required
as soon as possible and no later than 36 hours after the bank
believes, in good faith, that the incident occurred. The Proposed
Rule would also impose a separate reporting obligation on
“bank service providers,” which are defined to include
bank service companies and other persons providing services to
banks that are subject to the BSCA. A bank service provider would
be required to notify at least two individuals at each affected
bank customer immediately after it experiences a computer-security
incident that it believes in good faith could disrupt, degrade, or
impair the provision of services subject to the BSCA for four or
more hours.
Why Should Fintechs Care?
Fintechs that provide services to banks should care about their
status under the BSCA because they may be subject to regulation and
examination by the federal banking agencies and may eventually be
subject to computer-incident notification obligations, assuming the
Proposed Rule discussed above is finalized. Regulators have
indicated that they would enforce the bank service provider
notification requirement “directly against bank service
providers” and would not cite a bank because a service
provider fails to comply with the notification requirement.
Although the Proposed Rule remains pending, it is an
acknowledgement of how banks have become “increasingly
reliant on bank service providers to provide essential
technology-related products and services” and the potential
for adverse impacts on banks when there are computer-security
incidents at those providers. It also suggests that regulators may
be more inclined to impose other affirmative compliance obligations
on bank service providers in the future.
What Should Fintechs Be Doing?
Fintechs that provide services to banks should do three
things:
- Confirm Status Under the BSCA –
Fintechs should ask their bank customers whether they have been
identified as a bank service provider in any notice or other
communication to a banking regulator. While the BSCA requires banks
to notify their banking regulators of contracts and relationships
with service providers, it does not require banks to inform their
service providers that notice has been given. Indeed, some fintechs
may be surprised to learn that they have been designated as a bank
service provider under the BSCA. Depending on the circumstances,
fintechs should consider requesting a copy of any notice from their
bank customers or obtain a written certification from them that no
notice was made. Practices among banks with respect to BSCA notices
are not consistent (indeed some banks may not even know about the
notification requirement),[9] and the regulators have
acknowledged in commentary accompanying the Proposed Rule that they
“do not have data on the number of bank service
providers” that would be affected by the computer-incident
notification requirement.
- Review Commercial Agreements and Vendor Processes
for BSCA Notifications – Fintechs should review
existing commercial agreements and related processes to ensure
there is a mechanism for obtaining information from their bank
customers on BSCA matters. This may require the incorporation of
provisions that require the bank to notify the fintech of a BSCA
notification given to its banking regulator. In addition, fintechs
may wish to require the bank to notify its regulator when the
contract or relationship has been terminated.
- Review Commercial Agreements for Adaptability with
New Regulatory Requirements – Assuming the
Proposed Rule discussed above is adopted, fintechs should assess
whether their existing commercial agreements with banks contain
adequate information- and reporting-related covenants. For example,
the Proposed Rule requires that at least two individuals at each
affected bank customer be notified by a bank service provider
immediately after the occurrence of certain events. To avoid
confusion or ambiguity, a fintech may require precise contractual
language specifying the relevant individuals and contact
information as well as the timing for certain communications. In
addition, commercial agreements may need to be reviewed to ensure
that the fintech receives timely information from a bank customer
on a variety of other matters that may be critical to the
fintech’s regulatory compliance.
Footnotes
1. 12 U.S.C. §§ 1861–1867 (enacted Oct.
23, 1962). The BSCA addresses services provided to banks by nonbank
parties; it does not cover services provided by banks to nonbank
parties, including fintechs.
2. FDIC, Notification of Performance of Bank Services
(OMB No.: 3064-0029) (expiration Apr. 30, 2023).
3. See “Supervision of Technology Service
Providers: IT Examination Handbook” (Oct. 2012).
4. See, e.g., OCC Bulletin 2020-10,
“Third-Party Relationships: Frequently Asked Questions to
Supplement OCC Bulletin 2013-29” (May 5, 2020); OCC Bulletin
2013-29, “Third-Party Relationships, Risk Management
Guidance” (Oct. 30, 2013); OCC Bulletin 2002-16: “Bank
Use of Foreign-Based Third-Party Service Providers: Risk Management
Guidance” (May 15, 2002); FRB SR Letter 13-19,
“Guidance on Managing Outsourcing Risk” (Dec. 5, 2013,
updated Feb. 26, 2021); FRB SR Letter 00-17 (SPE), “Guidance
on the Risk Management of Outsourced Technology Services”
(Nov. 30, 2000); FDIC FIL-44-2008, “Guidance for Managing
Third-Party Risk” (June 6, 2008); FDIC FIL-81-2000,
“Risk Management of Technology Outsourcing” (Nov. 29,
2000).
5. See “Proposed Interagency Guidance on
Third-Party Relationships: Risk Management,” 86 Fed. Reg.
38182 (July 19, 2021).
6. See “Conducting Due Diligence on
Financial Technology Companies: A Guide for Community Banks”
(Aug. 2021).
7. See FDIC FIL-19-2019, “Technology
Service Provider Contracts” (Apr. 2, 2019).
8. See Proposed Rule, “Computer-Security
Incident Notification Requirements for Banking Organizations and
Their Bank Service Providers,” 86 Fed. Reg. 2299 (Jan. 12, 2021).
The Proposed Rule and related preamble commentary contain detailed
explanations of what constitutes a “computer-security
incident” and a “notification incident.”
Generally, computer-security incidents may include major
computer-system failures, cyber-related interruptions, such as
coordinated denial of service and ransomware attacks, or other
types of significant operational interruptions. According to the
Proposed Rule, the agencies believe it is important that a
bank’s primary federal banking regulator be notified as soon
as possible of a significant computer-security incident that could
jeopardize the viability of the operations of an individual banking
organization, result in customers being unable to access their
deposit and other accounts, or impact the stability of the
financial sector. The Proposed Rule’s 36-hour deadline is
half the required time frame to notify the New York State
Department of Financial Services under 23 NYCRR Part 500, which
sets a 72-hour deadline and which is currently one of the shortest
time frames for cybersecurity breach notifications in the United
States.
9. Inconsistent or inadequate BSCA notifications of new
service provider contracts or relationships appear to be a
longstanding issue. See FDIC, Office of the Inspector
General, “FDIC’s Oversight of Technology Service
Providers,” Report No. 06-015 (July 2006) (finding that
“inconsistent reporting of TSP relationships could result
from varying interpretations of the BSCA notification
requirement”).