September 09, 2021
As the relationships between traditional banks and financial technology companies (“fintechs”) become more complex and interconnected, greater regulatory scrutiny over these relationships is a certainty. The Bank Service Company Act (“BSCA”), an old law that is getting newfound attention, provides one avenue for the U.S. federal banking agencies to learn of the existence of certain relationships between banks and fintechs. This is because the BSCA requires banks to notify their banking regulators of contracts and relationships with technology service providers and other companies that provide services to them. However, it does not require banks to notify their service providers that they have been so identified. As a result, many fintechs and other bank service providers may be completely in the dark as to their status under the BSCA and potential exposure under federal banking law and regulation.
Fintechs that provide services to banks should prioritize the need to better understand the BSCA and, at the very least, they should ask their bank customers whether they have been identified as a service provider under the BSCA in any notice or other communication to a banking regulator.
Section 7(c) of the BSCA requires depository institutions to notify, in writing, their respective federal banking agency of contracts and relationships with technology service providers (“TSPs”), including major payment platforms and cloud service providers, and other companies that provide certain services. Services covered by the BSCA include check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, online banking, and mobile banking services. Notice may be provided in a number of ways, but the FDIC has an optional form to assist banks in their compliance.
Significantly, Section 7(c) of the BSCA subjects a service provider’s performance of services to “regulation and examination . . . to the same extent as if such services were being performed by the depository institution itself.” Accordingly, the BSCA has provided the statutory basis for regulatory examinations of TSPs. In practice, the banking agencies coordinate their supervision of TSPs through the Federal Financial Institutions Examination Council (“FFIEC”), whose members include the Federal Reserve, the FDIC, the OCC, the NCUA, and the CFPB. The FFIEC has developed practices regarding which service providers actually get examined, the frequency of exams, and the scope of supervision. An exam centers on the services provided and key technological and operational controls and may identify various compliance weaknesses that require corrective action or remediation. An exam culminates in an assigned rating, or grade, which determines the degree of supervisory attention necessary for the particular service provider.
Banking regulators have long been concerned about the risks arising from banks’ outsourcing of certain services to third-party providers and the need for robust risk management practices, at both the bank and the third-party provider and with respect to the way in which they interact. Recently, regulators have undertaken efforts to update existing guidance to promote consistency among the agencies’ guidance on third-party risk management, and have also issued guidance specifically to help community banks’ due diligence on prospective relationships with fintechs.
Business continuity and incident response planning are areas of heightened supervisory concern. According to the FDIC, examiners have observed that some TSP contracts do not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies, and in some cases, they do not sufficiently address a TSP’s security incident responsibilities. Long-term contracts and contracts that automatically renew may be, as the FDIC puts it, at higher risk for “coverage gaps.”
To address the risk of banks’ data and systems being affected by cyberattacks and related criminal activity, the federal banking agencies have recently proposed a rule that would require a bank to provide its primary federal banking regulator with prompt notification of any computer-security incident that rises to the level of a notification incident (the “Proposed Rule”). Notification would generally be required as soon as possible and no later than 36 hours after the bank believes, in good faith, that the incident occurred. The Proposed Rule would also impose a separate reporting obligation on “bank service providers,” which are defined to include bank service companies and other persons providing services to banks that are subject to the BSCA. A bank service provider would be required to notify at least two individuals at each affected bank customer immediately after it experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair the provision of services subject to the BSCA for four or more hours.
Fintechs that provide services to banks should care about their status under the BSCA because they may be subject to regulation and examination by the federal banking agencies and may eventually be subject to computer-incident notification obligations, assuming the Proposed Rule discussed above is finalized. Regulators have indicated that they would enforce the bank service provider notification requirement “directly against bank service providers” and would not cite a bank because a service provider fails to comply with the notification requirement. Although the Proposed Rule remains pending, it is an acknowledgement of how banks have become “increasingly reliant on bank service providers to provide essential technology-related products and services” and the potential for adverse impacts on banks when there are computer-security incidents at those providers. It also suggests that regulators may be more inclined to impose other affirmative compliance obligations on bank service providers in the future.
Fintechs that provide services to banks should do three things:
 12 U.S.C. §§ 1861–1867 (enacted Oct. 23, 1962). The BSCA addresses services provided to banks by nonbank parties; it does not cover services provided by banks to nonbank parties, including fintechs.
 FDIC, Notification of Performance of Bank Services (OMB No.: 3064-0029) (expiration Apr. 30, 2023).
 See “Supervision of Technology Service Providers: IT Examination Handbook” (Oct. 2012).
See, e.g., OCC Bulletin 2020-10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29” (May 5, 2020); OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” (Oct. 30, 2013); OCC Bulletin 2002-16, “Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance” (May 15, 2002); FRB SR Letter 13-19, “Guidance on Managing Outsourcing Risk” (Dec. 5, 2013, updated Feb. 26, 2021); FRB SR Letter 00-17 (SPE), “Guidance on the Risk Management of Outsourced Technology Services” (Nov. 30, 2000); FDIC FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008); FDIC FIL-81-2000, “Risk Management of Technology Outsourcing” (Nov. 29, 2000).
 See “Proposed Interagency Guidance on Third-Party Relationships: Risk Management,” 86 Fed. Reg. 38182 (July 19, 2021).
 See “Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks” (Aug. 2021).
 See FDIC FIL-19-2019, “Technology Service Provider Contracts” (Apr. 2, 2019).
See Proposed Rule, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” 86 Fed. Reg. 2299 (Jan. 12, 2021). The Proposed Rule and related preamble commentary contain detailed explanations of what constitutes a “computer-security incident” and a “notification incident.” Generally, computer-security incidents may include major computer-system failures, cyber-related interruptions, such as coordinated denial of service and ransomware attacks, or other types of significant operational interruptions. According to the Proposed Rule, the agencies believe it is important that a bank’s primary federal banking regulator be notified as soon as possible of a significant computer-security incident that could jeopardize the viability of the operations of an individual banking organization, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. The Proposed Rule’s 36-hour deadline is half the time frame required to notify the New York State Department of Financial Services under 23 NYCRR Part 500, which sets a 72-hour deadline and is currently one of the shortest time frames for cybersecurity breach notifications in the United States.
Inconsistent or inadequate BSCA notifications of new service provider contracts or relationships appear to be a longstanding issue. See FDIC, Office of the Inspector General, “FDIC’s Oversight of Technology Service Providers,” Report No. 06-015 (July 2006) (finding that “inconsistent reporting of TSP relationships could result from varying interpretations of the BSCA notification requirement”).