Long Story Short: Starting on May 1, 2022, a new rule will require banks to notify their Federal regulator within 36 hours after determining their electronic systems have experienced a material disruption (regardless of whether it was caused by a cybersecurity intrusion or non-malicious technical failure leading to an outage).
Bank service providers will have a separate regulatory obligation to notify their bank partners as soon as possible any time they experience a material system disruption for four or more hours.
Long Story: Three banking regulators (the OCC, FDIC and Federal Reserve) jointly issued a new rule on November 18, 2021 that will impose new notification obligations on both banks and bank service providers regarding system outages that materially disrupt a bank’s services. The rule will take effect on April 1, 2022, with a mandatory compliance date of May 1, 2022.
Two quick, but important, things to note:
- The rule imposes separate obligations on banks and bank service providers. So, if you’re a bank service provider (e.g., you’re a FinTech that provides services to banks such as processing, customer service, dispute management, AML, technology, etc.), you will soon have independent regulatory requirements to report system outages to your bank customers (requirements that may go beyond what your contract with the bank calls for).
- The rule covers a “computer-security incident,” which makes it seem that only cybersecurity events (such as a system hack) are covered. That’s a big misnomer, though. Rather, the “computer-security incident” is defined quite expansively, and includes incidents caused by technical failures that trigger an outage.
With all that said, let’s look separately at the obligations of banks and of bank service providers.
Banks will be required to notify their primary federal regulator within 36 hours of determining they’ve experienced a “notification incident,” which is a computer-security incident that has materially disrupted (or is likely to materially disrupt):
- a bank’s ability to deliver banking services to a material portion of its customer base; or
- a bank’s business line(s), resulting in a material loss of revenue or profit; or
- a bank’s operations, the failure of which poses a threat to the financial stability of the United States.
A “computer-security incident” is basically an occurrence that results in actual harm to the confidentiality, integrity or availability of an information system. As noted above, this definition includes outages that are caused by non-malicious technical issues that have nothing to do with computer security (so the defined term is not the most apt choice of words). So, if a bank experiences a technical glitch that results in a system outage, the bank would need to evaluate whether the outage triggered a notification obligation to its federal regulator (even though no cybersecurity issue was involved).
A couple of things to call out here:
- the system disruption will need to be material to be considered a “notification incident” (so a minor disruption affecting just a handful of customers may not rise to a notification requirement).
- actual harm must result for the rule to apply – if there was an issue that could have resulted in harm, but ultimately did not cause any damage, no notification would be required under the rule.
- the 36-hour clock starts ticking when the bank determines that a notification incident has occurred, NOT when the underlying issue started.
Some examples that the rule provides as notification incidents include:
- large-scale denial of service attacks that disrupt customer access to accounts for an extended period of time (e.g., more than four hours);
- ransom malware attacks that encrypt core banking system data;
- failed system changes that result in widespread outages for customers; and
- a core banking platform experiencing widespread outages.
Bank Service Providers
If a bank service provider experiences a computer-security incident (remember, it can be a non-malicious outage unrelated to a security issue) that has materially disrupted the services it provides to a bank for four or more hours, the bank service provider must notify at least one bank-designated contact as soon as possible after the service provider determines it has experienced a computer-security incident.
A bank-designated contact can be an email address or phone number, or any other contact previously provided by the bank. However, if the bank has not provided a contact, the rule defaults to notifying both the bank’s CEO and CIO.
The provider is not required to inform the bank’s federal regulator – rather, the requirement is limited to notifying its bank customer. The bank would then need to determine whether the incident qualifies as a notification incident.
The service provider notification requirement exempts scheduled maintenance, testing or software updates previously communicated to the bank customer.
Interestingly (at least to me), the rule’s commentary indicates that the banking regulators “generally will not cite” a bank for its service provider’s failure to comply with the notification requirement. This presumably indicates that if the regulators have an issue with a service provider’s compliance with the rule, they will pursue action directly against the service provider under the Bank Service Company Act (for you law aficionados, the specific statute is 12 USC 1867(c)), rather than through the bank.
In my experience, most bank service contracts contain provisions requiring the service provider to notify the bank regarding cybersecurity problems or outage issues. The rule will override less restrictive contractual requirements, so compliance with the contract’s notice requirements may not satisfy a service provider’s legal obligation under the rule.
In other words, banks and their service providers may want to check (and maybe even amend) their agreements to include the rule’s notice provisions. Additionally, bank service providers that outsource some obligations to sub-contractors may also want to dust off their agreements with such sub-contractors (I’m guessing the bank service provider will want to control a sub-contractor’s notice to the bank if the sub-contractor experiences a disruption that triggers required notice to the bank).
And it’s also a good time to check that contract template and get it updated.
Note that the National Credit Union Administration (“NCUA”) didn’t take part in the rulemaking with the other banking regulators, so credit unions do not appear subject to the rule.
As always, feel free to reach out (email@example.com) if you have any questions.