
OCC/FDIC Board Final Rule for Bank Organizations Notification Requirements


On November 18, 2021, the three primary banking regulatory agencies, namely the Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC), jointly approved a final rule with two distinct notification requirements:

The rule goes into effect in April 2022, and requires compliance by May 1, 2022.


Who is subject to the rule?

As explained above, the rule imposes distinct requirements on “banking organizations” and “bank service providers.”

“Banking organizations” generally include any organization that is regulated by the OCC, the Board, or the FDIC. Specifically:

The rule expressly excludes designated financial market utilities (“FMUs”) from its definitions of “banking organization” and “bank service provider.” See 12 U.S.C. § 5462(4). To the extent an FMU is supervised by the Securities and Exchange Commission (“SEC”) or the Commodity Futures Trading Commission (“CFTC”), the FMU is subject to any notification requirements imposed by those agencies. See, e.g., SEC Regulation SCI, 17 CFR 242.1000 (SEC); 17 CFR 39.18(g) (CFTC).

When making the rule, the agencies also considered imposing it on “additional entities, such as financial technology firms and non-bank OCC-chartered financial services entities, to the extent the agencies have jurisdiction over those firms.” In the end, the agencies simply concluded that the definition of banking organization under the rule was “consistent with the agencies’ supervisory authorities.” To the extent that a banking organization is required to make a notification under the rule, that notification must go to the agency with primary regulatory oversight over the organization.

A “bank service provider” includes persons and companies performing “covered services” subject to the Bank Service Company Act, 12 U.S.C. 1861-1867 (“BSCA”). The definition is vague, but the agencies’ rulemaking explains that its purpose is to encompass any company that provides services to a banking organization that could be involved in a service disruption.


When is notification required?

The respective notification requirements applicable to banking organizations and bank service providers are triggered by the occurrence of a “computer-security incident.” For consistency, the agencies adopted the same definition of “computer-security incident” as that used by the National Institute of Standards and Technology (“NIST”). Thus, a “computer-security incident” is “an occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”


Banking Organizations

Banking organizations must provide notification to their regulating agency when a “computer-security incident” rises to the level of a “notification incident.” A notification incident is a “computer-security incident” that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

The definition of “notification incident” is broad enough to encompass any computer-security incident that affects the banking organization’s general operations. As a practical matter, to ensure compliance a banking organization will want to provide notification for any computer-security incident that is likely to materially disrupt its operations or services.

The banking organization must provide notice to the appropriate agency “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.”


Bank Service Providers

A bank service provider’s notification requirement is triggered by a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the covered services it provides to a banking organization for four or more hours. The rule makes clear that scheduled maintenance, testing, or software updates that have been previously communicated to the banking organization are not subject to the rule’s notification requirement.

The bank service provider must provide notification to the designated point of contact at each banking organization whose customers will be affected by the bank service provider’s degradation or disruption of service. The bank service provider must provide that notification “as soon as possible.”



The joint new rule from OCC, Board, and FDIC is consistent with a recent trend of varying state and federal regulatory bodies imposing independent notification obligations related to a data incident.

The addition of new notification requirements may lead to inconsistent obligations (e.g., where the agencies’ rule conflicts with state incident notification laws). The rule could place banking organizations between a rock and a hard place. For example, a banking organization could determine that notification is required under the new rule but may need additional time to determine whether notification to state agencies and customers is necessary. The perceived delay may serve as a justification for the imposition of fines or to support a theory of liability in litigation related to the incident.

The proper timing for notification will always be a case-by-case decision. Banking organizations and bank service providers should work closely and proactively with experienced incident response counsel to ensure compliance with notification laws and to mitigate against creating any bases for the imposition of penalties or civil liability.

Beckage closely monitors developments in laws and regulations governing cybersecurity. Beckage’s team of highly skilled attorneys and technologists is uniquely situated to assist clients as they navigate these changes.

*Attorney advertising: prior results do not guarantee similar outcomes.


Sources: 12 C.F.R. Part 53; 12 C.F.R. Part 255; 12 C.F.R. Part 304
