We have a process in place for BSCA. However, I am having a hard time deciding on which vendors to include. Can anybody give some samples as to vendors that need to be reported.
Also, what if in the past we didn't comply with BSCA. Can we go back and do it now?
You should review the entire BCSA reg. The notification process has more requirements than just what service is provided. It further defines that the company must be solely owned by financial institution(s). You may have a provider of these services, however if not solely owned by financial institutions, then it doesn't meet the reporting criteria. To error on the more conservative side, you can broaden that to "majority owned" by a single or multiple financial institutions. You can do a clean up notification to regulators if you have missed the initial notification. You should review with other appropriate groups involved in regulatory relations within your organization so there is awareness to the "catch up" activity and your controls in place to ensure future notifications are done within the regulatory timeframes.
I believe the prevailing viewpoint is that the examination and reporting authority ( §1867(c) ) overrides the "bank service company" definition with the "notwithstanding" statement (e.g regardless of subsection (a) ...) .
Your mileage may vary ...
§1861. Short title and definitions
(a) Short title
This chapter may be cited as the "Bank Service Company Act".
For the purpose of this chapter-
(1) the term "appropriate Federal banking agency" shall have the meaning provided in section 1813(q) of this title;
(2) the term "bank service company" means-
(A) any corporation-
(i) which is organized to perform services authorized by this chapter; and
(ii) all of the capital stock of which is owned by 1 or more insured depository institutions; and
(B) any limited liability company-
(ii) all of the members of which are 1 or more insured depository institutions.
A bank service company shall be subject to examination and regulation by the appropriate Federal banking agency of its principal investor to the same extent as its principal investor. The appropriate Federal banking agency of the principal shareholder or principal member of such a bank service company may authorize any other Federal banking agency that supervises any other shareholder or member of the bank service company to make such an examination.
A bank service company shall be subject to the provisions of as if the bank service company were an insured depository institution. For this purpose, the appropriate Federal banking agency shall be the appropriate Federal banking agency of the principal investor of the bank service company.
Notwithstanding subsection (a) of this section, whenever a depository institution that is regularly examined by an appropriate Federal banking agency, or any subsidiary or affiliate of such a depository institution that is subject to examination by that agency, causes to be performed for itself, by contract or otherwise, any services authorized under this chapter, whether on or off its premises-
(1) such performance shall be subject to regulation and examination by such agency to the same extent as if such services were being performed by the depository institution itself on its own premises, and
(2) the depository institution shall notify each such agency of the existence of the service relationship within thirty days after the making of such service contract or the performance of the service, whichever occurs first.
I hate to bring this backup, but I have a deeper question. Everyone appears to be referring to the first test of a Bank Service Company but not the second one. The Act says, and I copy from below.
(2) the term "bank service company" means
The "and" means two tests have to be positive. So even if the service matches one of the services called out if the company is not owned or, in the case of an LLC, is a member of an insured depository institution, the Banks Service Company does not qualify.
I keep seeing all the summaries from everyone about what to report, and now one stresses the fact that the BSC (vendor) has to be owned or managed by an Insured Depository Institution. I would argue a majority of your third parties do not meet this criteria.
Does anyone want to comment on why the second test is not discussed in any of the threads or research on the internet?
How do you parse the meaning of 1867 (c) "notwithstanding"?
From my perspective and as the basis of the prevail view of the regulators:
1867 (c) "notwithstanding" essentially expands the examination and reporting authority to "any third-party" providing the related services regardless of ownership.
See my reply in the thread for relevant excerpts from the Act.
I suggest you read the Act and make your own decision.
You or your bank are the ones that will need to defend it with the regulator.
Corporate Contract & Procurement Director
Original Message:Sent: 01-31-2022 01:39 PMFrom: Anonymous MemberSubject: Bank Service Company ActThis message was posted by a user wishing to remain anonymousCompliance with the Bank Company Service Act has recently showed up on our radar as something that we need to be mindful of and haven't completed reporting in the past. For those of you that have a process in place for compliance wit the Act, how did you identify which vendors are covered by the Act? The definition of technical services covered are vague and I'm trying to define them, so that we may reach out to our vendor owners, so that they may self-identify those that should be included in the reporting.Venminder published an article that referenced all critical vendors fall into this category, but I'm guessing that others would as well. (Rising Enforcement of FDIC Section 7 Assessments in Vendor Management (venminder.com))Additionally, how do you identify/maintain the applicable vendor list going forward (perhaps a flag in Venminder)? Any help you can provide is welcomed.Thanks!
"Notwithstanding" in that section does not address the definition of the Bank Service Company. It only further clarifies if the service is formally contracted or not. It does not change the definition of the bank service company.
I agree it is up to everyone, but people need to be correctly informed and should seek qualified legal advice before blindly reporting third party providers.
Original Message:Sent: 11/30/2023 8:34:00 AMFrom: Anonymous MemberSubject: RE: Bank Service Company ActThis message was posted by a user wishing to remain anonymous
Conduct your analysis and gather your list of the vendors who you feel provide the service of a BCSA, and which ones meet the 'ownership" criteria. Review that list with other internal stakeholders, such as Legal and Information Security to make a determination for your organization as to the interpretation. (you may have other key stakeholders depending on your organization). Determine who is the final decision maker. I have worked for several institutions and the accountability for notification has varied across departments. Recently, we had conversations with our regulators to ensure our interpretation of the guidance was inline with expectations due to the use of BCSA vendor in the incident notification guidance as well.