top of page
  • Writer's pictureAmeis Regulatory Services
    • Feb 25, 2021

The Office of the Comptroller of the Currency, the Federal Reserve System and the Federal Deposit Insurance Corporation provided notice of proposed rulemaking concerning notification requirements for computer-security incidents for banking

organizations and their bank service providers.


The proposed rulemaking was submitted for comments in January 2021 and, if finalized, would require banking organizations and bank service providers to notify regulators upon the occurrence of an incident, such as a data breach, as soon as possible and no later than 36 hours, with the expectation that only general information about what is known at the time of incident be communicated.


A banking organization would be required to notify its primary federal regulator in the event of a “notification incident,” defined as 'a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair

  • (i) The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

  • (ii) Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or

  • (iii) Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.'

A banking organization and a bank service provider would be allowed to use any communication means, including technological, to send the information to its primary federal regulator, information that would be subject to the confidentiality rules.


In addition, a bank service provider would be required to notify at least two individuals at affected banking organization customers immediately after the occurrence of a computer security incident that it believes could disrupt, degrade, or impair services provided for four or more hours.


Interested stakeholders must provide their comments by April 12, 2021.

Recent Posts

See All

The Secured Overnight Financing Rate (SOFR) is a broad measure of the cost of borrowing cash overnight collateralized by Treasury securities. SOFR is the overnight interest rate for US dollar-denomina

13/06/2023 - Canadian Securities Administrators (CSA) SEDAR+ go-live date. All issuer filings, cease trade orders and disciplined list entries will be filed in SEDAR+ 16/06/2023 - OSFI consultation pe

On May 11, the Bank for International Settlements (BIS) published a Handbook on how central bank digital currencies (CBDCs) could work for offline payments, defined as a “transfer of value between dev

bottom of page