I believe the prevailing viewpoint is that the examination and reporting authority ( §1867(c) ) overrides the "bank service company" definition with the "notwithstanding" statement (e.g regardless of subsection (a) ...) .
Your mileage may vary ...
CHAPTER 18-BANK SERVICE COMPANIES
§1861. Short title and definitions
(a) Short title
This chapter may be cited as the "Bank Service Company Act".
(b) Definitions
For the purpose of this chapter-
(1) the term "appropriate Federal banking agency" shall have the meaning provided in section 1813(q) of this title;
(2) the term "bank service company" means-
(A) any corporation-
(i) which is organized to perform services authorized by this chapter; and
(ii) all of the capital stock of which is owned by 1 or more insured depository institutions; and
(B) any limited liability company-
(i) which is organized to perform services authorized by this chapter; and
(ii) all of the members of which are 1 or more insured depository institutions.
§1867. Regulation and examination of bank service companies
(a) Principal investor
A bank service company shall be subject to examination and regulation by the appropriate Federal banking agency of its principal investor to the same extent as its principal investor. The appropriate Federal banking agency of the principal shareholder or principal member of such a bank service company may authorize any other Federal banking agency that supervises any other shareholder or member of the bank service company to make such an examination.
(b) Applicability of <uscode edition="prelim" section="1818" title="12">section 1818 of this title</uscode>
A bank service company shall be subject to the provisions of <uscode edition="prelim" section="1818" title="12">section 1818 of this title</uscode> as if the bank service company were an insured depository institution. For this purpose, the appropriate Federal banking agency shall be the appropriate Federal banking agency of the principal investor of the bank service company.
(c) Services performed by contract or otherwise
Notwithstanding subsection (a) of this section, whenever a depository institution that is regularly examined by an appropriate Federal banking agency, or any subsidiary or affiliate of such a depository institution that is subject to examination by that agency, causes to be performed for itself, by contract or otherwise, any services authorized under this chapter, whether on or off its premises-
(1) such performance shall be subject to regulation and examination by such agency to the same extent as if such services were being performed by the depository institution itself on its own premises, and
(2) the depository institution shall notify each such agency of the existence of the service relationship within thirty days after the making of such service contract or the performance of the service, whichever occurs first.
------------------------------
Greg Schmeisser
Dir. Corp. Contracts & Procurement
First Merchants bank
------------------------------
Original Message:
Sent: 11-06-2023 02:43 PM
From: Anonymous Member
Subject: Bank Service Company Act
This message was posted by a user wishing to remain anonymous
You should review the entire BCSA reg. The notification process has more requirements than just what service is provided. It further defines that the company must be solely owned by financial institution(s). You may have a provider of these services, however if not solely owned by financial institutions, then it doesn't meet the reporting criteria. To error on the more conservative side, you can broaden that to "majority owned" by a single or multiple financial institutions. You can do a clean up notification to regulators if you have missed the initial notification. You should review with other appropriate groups involved in regulatory relations within your organization so there is awareness to the "catch up" activity and your controls in place to ensure future notifications are done within the regulatory timeframes.
Original Message:
Sent: 11-06-2023 01:34 PM
From: Anonymous Member
Subject: Bank Service Company Act
This message was posted by a user wishing to remain anonymous
Hi all,
We have a process in place for BSCA. However, I am having a hard time deciding on which vendors to include. Can anybody give some samples as to vendors that need to be reported.
Also, what if in the past we didn't comply with BSCA. Can we go back and do it now?
Thank you
Original Message:
Sent: 02-01-2022 09:46 AM
From: Ashley Stang
Subject: Bank Service Company Act
Good morning,
I found the following letter from the FDIC regarding the Bank Service Company Act:
"Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party "shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first." As defined in Section 3 of the Act, these services include "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution."
These services all have in common the access to Non-Public Information (NPI), giving them a high inherent risk. For tracking within the Venminder platform, consider adding a custom product profile field to indicate those products covered under the BSCA. To ensure proper monitoring and mitigation of risk, those services covered by the BSCA should have annual Inherent & Residual Risk Assessments performed. Completing both risk assessments will collect and organize the information and related documentation for these services. Additionally, to identify documents uploaded to those services, you may create a custom tag for BSCA to be applied to those services' documents uploaded to document storage.
If you have vendor onboarding in your purchase plan, I recommend you add a question to indicate if the service or product is covered under BSCA to your onboarding form. This will ensure BSCA services are entered into the platform with the appropriate identifiers and oversight items. We would love to help you implement these recommendations and walk through a workflow to complete these items. All suggested items can be included in reports.
I would love to hear how others are handling these BSCA requirements and tracking them within the Venminder platform!
Original Message:
Sent: 01-31-2022 01:39 PM
From: Anonymous Member
Subject: Bank Service Company Act
This message was posted by a user wishing to remain anonymous
Compliance with the Bank Company Service Act has recently showed up on our radar as something that we need to be mindful of and haven't completed reporting in the past. For those of you that have a process in place for compliance wit the Act, how did you identify which vendors are covered by the Act? The definition of technical services covered are vague and I'm trying to define them, so that we may reach out to our vendor owners, so that they may self-identify those that should be included in the reporting.
Venminder published an article that referenced all critical vendors fall into this category, but I'm guessing that others would as well. (Rising Enforcement of FDIC Section 7 Assessments in Vendor Management (venminder.com))
Additionally, how do you identify/maintain the applicable vendor list going forward (perhaps a flag in Venminder)?
Any help you can provide is welcomed.
Thanks!