Federal Register - November 23, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations / 66427

banking organizations and bank service providers.

The final rule establishes two primary requirements, which promote the safety and soundness of banking organizations and are consistent with the agencies' authorities to supervise these entities, and with their authorities pursuant to the BSCA.[18] First, the final rule requires a banking organization to notify its primary Federal regulator of a "notification incident." In particular, a banking organization must notify its primary Federal regulator of any "computer-security incident" that rises to the level of a "notification incident" as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.[19] Second, the final rule requires a bank service provider[20] to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization customer for four or more hours. Each of these requirements is discussed in more detail below.

B. Definitions

i. Definition of Banking Organization

The final rule applies to the following banking organizations:

For the OCC, "banking organizations" includes national banks, Federal savings associations, and Federal branches and agencies of foreign banks.

For the Board, "banking organizations" includes all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations.

For the FDIC, "banking organizations" includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations.

For all three agencies, "banking organizations" does not include designated FMUs, for the reasons discussed below.[21]

With respect to the proposed definition of "banking organization," commenters suggested that this term should include additional entities, such as financial technology firms and nonbank OCC-chartered financial services entities, to the extent the agencies have jurisdiction over those firms. Further, commenters contended that the agencies should consider other regulatory frameworks to which banking organizations and bank service providers may already be subject and exclude entities subject to other, similar, regulatory reporting requirements.[22]

The agencies have defined the term "banking organization" in a manner that is consistent with the agencies' supervisory authorities.

The NPR solicited comment on the scope of entities that should be included as banking organizations for purposes of the rule, and specifically noted that the proposed rule's definition of "banking organizations" and "bank service providers" would include FMUs that are chartered as a State member bank or Edge corporation, or perform services subject to regulation and examination under the Bank Service Company Act.[23][24] In that regard, the agencies asked whether there were unique factors that the agencies should consider in determining how notification requirements should apply to these FMUs. In addition, the agencies asked whether notification requirements would be best conveyed through the proposed rule or through amendments to the Board's Regulation HH for designated FMUs for which the Board is the Supervisory Agency under Title VIII of the Dodd-Frank Act.

In response to these requests for comment, two commenters opposed the application of the proposed rule to SEC-supervised FMUs that are designated as systemically important under Title VIII of the Dodd-Frank Act, arguing that the proposed rule would subject these designated FMUs to unintended regulatory overlap and duplicative compliance burdens. One of these commenters argued that SEC-supervised designated FMUs should be deemed to comply with the rule to the extent they comply with incident notification requirements under existing SEC regulations. Another commenter argued that applying the proposed rule to Board-supervised designated FMUs would be preferable to amending Regulation HH to include a designated FMU-specific incident notification requirement, but this commenter did not provide a detailed rationale for that position. Finally, several commenters suggested that the final rule should exempt all FMUs that qualify as a banking organization or a bank service provider, including FMUs that have not been designated as systemically important under Title VIII of the Dodd-Frank Act, from these incident notification requirements, arguing that the existing practice among FMUs is to alert supervisors directly in the case of computer-security incidents.

As noted above, the final rule excludes designated FMUs from the definitions of "banking organization" and "bank service provider."[25] In the case of SEC- and CFTC-supervised designated FMUs, the agencies determined that excluding these designated FMUs from the final rule is appropriate because these designated FMUs are already subject to incident notification requirements in other Federal regulations.[26]

Board-supervised designated FMUs are subject to the Board's Regulation

[18] See 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861–1867, and 3102 (OCC); 12 U.S.C. 321–338a, 1467a(g), 1818(b), 1844(b), 1861–1867, and 3101 et seq. (Board); 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861–1867 (FDIC).

[19] As also noted below, however, the agencies would encourage those banking organizations providing sector-critical services that currently notify their primary Federal regulator of these types of incidents on a same-day basis to continue to do so.

[20] As a general matter, "bank service provider" refers to a company or person that performs services for a banking organization that are subject to the Bank Service Company Act (12 U.S.C. 1861–1867). However, for the purpose of this final rule, the term "bank service provider" does not include any person or company that is a designated FMU, as that term is defined at 12 U.S.C. 5462(4).

[21] Under the final rule, "designated financial market utility" has the same meaning as set forth at 12 U.S.C. 5462(4).

[22] For example, FMUs for which the SEC is the Primary Agency under Title VIII of the Dodd-Frank Act are subject to the SEC's Regulation SCI (Systems Compliance and Integrity) for certain financial intermediaries.

[23] An FMU is any person that manages or operates a multilateral system for the purpose of transferring, clearing, or settling payments, securities, or other financial transactions among financial institutions or between financial institutions and the person. 12 U.S.C. 5462(6).

[24] Title VIII of the Dodd-Frank Act authorizes the Financial Stability Oversight Council to designate certain FMUs as systemically important. Depending on the functions that it serves in the financial markets, a designated FMU is subject to risk-management regulations promulgated by the Board (i.e., Regulation HH), the SEC, or the CFTC.

[25] The rule defines "designated financial market utility" as having the same meaning as set forth at 12 U.S.C. 5462(4).

[26] Specifically, SEC-supervised designated FMUs are subject to the SEC's Regulation SCI, which generally requires covered entities to notify the SEC and their members or participants in the event of an "SCI event." See 17 CFR 242.1000 (defining "SCI Event") and 242.1002 (imposing notification requirements related to SCI Events). Similarly, a CFTC-supervised designated FMU must notify the CFTC in the event of an "exceptional event" or the activation of the designated FMU's business continuity and disaster recovery plan. See 17 CFR 39.18(g). An "exceptional event" includes any hardware or software malfunction, security incident, or targeted threat that materially impairs, or creates a significant likelihood of material impairment, of automated system operation, reliability, security, or capacity. Id.