Federal Register - January 12, 2021
Source: Federal Register
2306 Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rules
FMUs? For designated FMUs for which the Board is the Supervisory Agency under Title VIII of the Dodd-Frank Act, would notification requirements best be conveyed through this proposed rule or through amendments to the Board's Regulation HH?
7. What other types of entities regulated by the agencies should be added to the rule as banking organizations that would be subject to the rule? Why?
8. Which entities proposed in the rule as banking organizations should be removed from the rule? Why?
9. Do existing contracts between banking organizations and bank service providers already have provisions that would allow banking organizations to meet the proposed notification incident requirements?
10. Does the definition of bank service provider in the proposed rule appropriately capture the services about which banking organizations should be informed in the event of disruptions?
Should all the services included in the Bank Service Company Act be included for purposes of banking organizations receiving notice of disruptions from their bank service providers? If not, which services should require a bank service provider to notify its affected banking organization customers when those services are disrupted, and why?
Should the requirement only attach to a subset of services provided to banking organizations under the BSCA or should it only attach to certain bank service providers, such as those that are examined by the federal banking agencies?
11. Should the proposed rule for bank service providers require bank service providers to notify all banking organization customers or only those affected by a computer-security incident under the proposed rule?
12. Within what timeframe should bank service providers provide notification to banking organizations? Is immediate notification after experiencing a disruption in services provided to affected banking organization customers and to report to those organizations reasonable? If not, what is the appropriate amount of time for a bank service provider to determine it has experienced a material disruption in service that impacts its banking organization customers, and why?
13. The agencies understand that many existing contracts between banking organizations and bank service providers contain notification provisions regarding material incidents and that, generally, bank service providers use automated systems to notify banking organizations of service disruptions. The agencies are seeking information on how bank service providers currently notify banking organizations of service disruptions under existing contracts between bank service providers and banking organizations. Do those contracts contemplate the provision of notice to at least two individuals at an affected banking organization? Is the method of notice specified in existing contracts (for example, email, telephone, etc.) sufficient to allow bank service providers to provide notice of computer-security incidents to at least two individuals at affected banking organizations? If not, how best could the requirement for bank service providers to notify at least two individuals at affected banking organizations be achieved most efficiently and cost effectively for both parties?
14. Describe circumstances in which a bank service provider would become aware of a material disruption that could be a notification incident for banking organization customers but the banking organization customers would not be aware of the incident. Would it be overly burdensome to certain bank service providers, such as smaller bank service providers, to provide notice of material disruptions, degradations, or impairments to their affected banking organization customers and, if so, why?
15. The agencies invite comments on specific examples of computer-security incidents that should, or should not, constitute notification incidents.
16. The agencies invite comments on the methodology used to estimate the number of notification incidents per year that would need to be reported under the proposed rule.
Written comments must be received by the agencies no later than April 12, 2021.
VII. Regulatory Analysis and Procedure
Paperwork Reduction Act
Certain provisions of the proposed rule contain collection of information requirements within the meaning of the Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501-3521). In accordance with the requirements of the PRA, the agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The agencies will request new control numbers for this information collection. The information collection requirements contained in this joint notice of proposed rulemaking have been submitted to OMB for review and approval by the OCC and FDIC under section 3507(d) of the PRA (44 U.S.C. 3507(d)) and section 1320.11 of OMB's implementing regulations (5 CFR part 1320). The Board reviewed the proposed rule under the authority delegated to the Board by OMB.
The proposed rule contains a reporting requirement that is subject to the PRA. The reporting requirement is found in § 53.3 (OCC), § 225.302 (Board), and § 304.23 (FDIC) of the proposed rule, which require a banking organization to notify its primary federal bank regulatory agency of the occurrence of a notification incident at the banking organization.
The proposed rule also contains a disclosure requirement that is subject to the PRA. The disclosure requirement is found in § 53.4 (OCC), § 225.303 (Board), and § 304.24 (FDIC) of the proposed rule, which require a bank service provider to notify at least two individuals at affected banking organization customers immediately after it experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.
Comments are invited on:
(a) Whether the collections of information are necessary for the proper performance of the agencies' functions, including whether the information has practical utility;
(b) the accuracy of the estimates of the burden of the information collections, including the validity of the methodology and assumptions used;
(c) ways to enhance the quality, utility, and clarity of the information to be collected;
(d) ways to minimize the burden of the information collections on respondents, including through the use of automated collection techniques or other forms of information technology; and
(e) estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.
All comments will become a matter of public record.
Comments on aspects of this document that may affect reporting requirements and burden estimates should be sent to the addresses listed in the ADDRESSES section of this Supplementary Information. A copy of the comments may also be submitted to the OMB desk officer for the agencies: by mail to U.S. Office of Management and Budget, 725 17th Street NW, 10235, Washington, DC 20503; or by facsimile to (202) 395-5806, Attention, Federal Banking Agency Desk Officer.