The Situation: As we advised in our recent Commentary, federal banking regulators have proposed rules requiring a banking organization to provide its primary federal regulator with prompt notification of any "computer-security incident" that materially disrupts, degrades, or impairs certain important business operations. This proposal adds another reporting requirement for banking organizations. But it might also impact fintechs.
The Result: Under the Bank Service Company Act ("BSCA"), a banking organization is required to disclose to their regulators all of its core service companies, but there is no requirement under the BSCA to inform the service company of the designation. Some fintechs, therefore, may be currently designated as bank service companies without knowing it. Under the proposed rules, these fintechs could unknowingly have affirmative disclosure obligations and be subject to enforcement actions by federal banking regulators.
Looking Ahead: Fintechs should proactively review their commercial contracts with their banking organization clients to ensure that (i) the client is required to notify the fintech of designation as a bank service company, so that the fintech can implement any requisite data breach reporting controls, and (ii) the commercial contracts provide a mechanism for such data breach reporting to the client in accordance with the proposed rules.
We have already reported on the proposed rules generally. Briefly, in light of increased frequency and severity of cyberattacks, on December 18, 2020, the federal banking regulators proposed a new rule that would require a banking organization to notify its primary federal regulator when the organization determines that it was the victim of "any 'computer-security incident' that rises to the level of a 'notification incident.'"
The proposal would not be limited to banking organizations, however. As proposed, the rule would require a bank service provider to notify at least two individuals at affected banking organization clients immediately after experiencing a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.
The problem, however, is that while a banking organization is required under the BSCA to disclose to the federal banking regulators the identity of each bank service company it uses, there is no statutory requirement to inform the bank service companies that they have been so identified. While traditional bank service companies typically are well aware of the BSCA, we have come across too many fintechs with no idea whether they have been designated under the BSCA by their banking organization clients ("But we're just a software company!"). Designation has always had important consequences: the BSCA subjects service providers to regulation and examination by the federal banking agencies to the same extent as if such services were being performed by the banks themselves. And now, under the proposed rules, fintechs designated as bank service companies would be subject to additional notification requirements regarding computer-security incidents and may not even be aware of the obligation. Moreover, the federal banking regulators have signaled that they would enforce the notification requirement "directly against bank service providers and would not cite a banking organization because a service provider fails to comply with the service provider notification requirement."
According to the federal banking regulators, their experiences with conducting bank service provider contract reviews during examinations indicate that most of these contracts already include incident-reporting provisions. As a result, the regulators do not expect that the proposal will add significant burden on a "material number of bank service providers." Disconcertingly, though, the regulators concede that they do not have data on the number of bank service providers that would be affected by this requirement. We suspect that too many fintechs are similarly in the dark.