Regulations

 View Only
  • 1.  Bank Service Company Act

    This message was posted by a user wishing to remain anonymous
    Posted 01-31-2022 03:11 PM
    This message was posted by a user wishing to remain anonymous

    Compliance with the Bank Company Service Act has recently showed up on our radar as something that we need to be mindful of and haven't completed reporting in the past.  For those of you that have a process in place for compliance wit the Act, how did you identify which vendors are covered by the Act? The definition of technical services covered are vague and I'm trying to define them, so that we may reach out to our vendor owners, so that they may self-identify those that should be included in the reporting.

    Venminder published an article that referenced all critical vendors fall into this category, but I'm guessing that others would as well.  (Rising Enforcement of FDIC Section 7 Assessments in Vendor Management (venminder.com))

    Additionally, how do you identify/maintain the applicable vendor list going forward (perhaps a flag in Venminder)? 

    Any help you can provide is welcomed.
    Thanks!


  • 2.  RE: Bank Service Company Act

    This message was posted by a user wishing to remain anonymous
    Posted 02-01-2022 09:46 AM
    This message was posted by a user wishing to remain anonymous

    BCSA third party reporting.  You do not indicate which agency regulates your institution, but you cite an article on FDIC enforcement.  So, using FDIC FIL-49-99 as a guide: "third parties [that] offer technology-related services, including electronic banking systems such as Internet banking. Some institutions are also entering into covered service relationships with new entities to provide data-processing services." As well as: "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution."

    Consider focusing on new hosted "data-processing services" as a justifiable starting place.  

    Again from FIL-49-99: "Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party "shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first."

    I have not heard about regulators complaining about the "within 30 days" portion of the act.  But I'd be sure to report a material change (like core processing) inside that window.


  • 3.  RE: Bank Service Company Act

    Posted 02-01-2022 09:52 AM
    Good morning,

    I found the following letter from the FDIC regarding the Bank Service Company Act:

    "Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party "shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first." As defined in Section 3 of the Act, these services include "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution."

    These services all have in common the access to Non-Public Information (NPI), giving them a high inherent risk. For tracking within the Venminder platform, consider adding a custom product profile field to indicate those products covered under the BSCA. To ensure proper monitoring and mitigation of risk, those services covered by the BSCA should have annual Inherent & Residual Risk Assessments performed. Completing both risk assessments will collect and organize the information and related documentation for these services. Additionally, to identify documents uploaded to those services, you may create a custom tag for BSCA to be applied to those services' documents uploaded to document storage.

    If you have vendor onboarding in your purchase plan, I recommend you add a question to indicate if the service or product is covered under BSCA to your onboarding form. This will ensure BSCA services are entered into the platform with the appropriate identifiers and oversight items. We would love to help you implement these recommendations and walk through a workflow to complete these items. All suggested items can be included in reports.

    I would love to hear how others are handling these BSCA requirements and tracking them within the Venminder platform!



  • 4.  RE: Bank Service Company Act

    This message was posted by a user wishing to remain anonymous
    Posted 11-06-2023 01:55 PM
    This message was posted by a user wishing to remain anonymous

    Hi all,

    We have a process in place for BSCA. However, I am having a hard time deciding on which vendors to include. Can anybody give some samples as to vendors that need to be reported.

    Also, what if in the past we didn't comply with BSCA.  Can we go back and do it now?

    Thank you




  • 5.  RE: Bank Service Company Act

    This message was posted by a user wishing to remain anonymous
    Posted 11-06-2023 02:58 PM
    This message was posted by a user wishing to remain anonymous

    You should review the entire BCSA reg.  The notification process has more requirements than just what service is provided.  It further defines that the company must be solely owned by financial institution(s).  You may have a provider of these services, however if not solely owned by financial institutions, then it doesn't meet the reporting criteria.  To error on the more conservative side, you can broaden that to "majority owned" by a single or multiple financial institutions.  You can do a clean up notification to regulators if you have missed the initial notification.  You should review with other appropriate groups involved in regulatory relations within your organization so there is awareness to the "catch up" activity and your controls in place to ensure future notifications are done within the regulatory timeframes. 




  • 6.  RE: Bank Service Company Act

    Posted 11-07-2023 09:09 AM

    I believe the prevailing viewpoint is that the examination and reporting authority ( §1867(c) ) overrides the "bank service company" definition with the "notwithstanding" statement (e.g regardless of subsection (a) ...) .

    Your mileage may vary ... 

    CHAPTER 18-BANK SERVICE COMPANIES

    §1861. Short title and definitions

    (a) Short title

    This chapter may be cited as the "Bank Service Company Act".

    (b) Definitions

    For the purpose of this chapter-

    (1) the term "appropriate Federal banking agency" shall have the meaning provided in section 1813(q) of this title;

    (2) the term "bank service company" means-

    (A) any corporation-

    (i) which is organized to perform services authorized by this chapter; and

    (ii) all of the capital stock of which is owned by 1 or more insured depository institutions; and

    (B) any limited liability company-

    (i) which is organized to perform services authorized by this chapter; and

    (ii) all of the members of which are 1 or more insured depository institutions.

    §1867. Regulation and examination of bank service companies

    (a) Principal investor

    A bank service company shall be subject to examination and regulation by the appropriate Federal banking agency of its principal investor to the same extent as its principal investor. The appropriate Federal banking agency of the principal shareholder or principal member of such a bank service company may authorize any other Federal banking agency that supervises any other shareholder or member of the bank service company to make such an examination.

    (b) Applicability of 

    A bank service company shall be subject to the provisions of  as if the bank service company were an insured depository institution. For this purpose, the appropriate Federal banking agency shall be the appropriate Federal banking agency of the principal investor of the bank service company.

    (c) Services performed by contract or otherwise

    Notwithstanding subsection (a) of this section, whenever a depository institution that is regularly examined by an appropriate Federal banking agency, or any subsidiary or affiliate of such a depository institution that is subject to examination by that agency, causes to be performed for itself, by contract or otherwise, any services authorized under this chapter, whether on or off its premises-

    (1) such performance shall be subject to regulation and examination by such agency to the same extent as if such services were being performed by the depository institution itself on its own premises, and

    (2) the depository institution shall notify each such agency of the existence of the service relationship within thirty days after the making of such service contract or the performance of the service, whichever occurs first.



    ------------------------------
    Greg Schmeisser
    Dir. Corp. Contracts & Procurement
    First Merchants bank
    ------------------------------



  • 7.  RE: Bank Service Company Act

    This message was posted by a user wishing to remain anonymous
    Posted 11-30-2023 09:35 AM
    This message was posted by a user wishing to remain anonymous

    I hate to bring this backup, but I have a deeper question.  Everyone appears to be referring to the first test of a Bank Service Company but not the second one.  The Act says, and I copy from below.

    (2) the term "bank service company" means

    (A) any corporation-

    (i) which is organized to perform services authorized by this chapter; and

    (ii) all of the capital stock of which is owned by 1 or more insured depository institutions; and

    (B) any limited liability company-

    (i) which is organized to perform services authorized by this chapter; and

    (ii) all of the members of which are 1 or more insured depository institutions.

    The "and" means two tests have to be positive.  So even if the service matches one of the services called out if the company is not owned or, in the case of an LLC, is a member of an insured depository institution, the Banks Service Company does not qualify.

    I keep seeing all the summaries from everyone about what to report, and now one stresses the fact that the BSC (vendor) has to be owned or managed by an Insured Depository Institution.  I would argue a majority of your third parties do not meet this criteria.

    Does anyone want to comment on why the second test is not discussed in any of the threads or research on the internet?




  • 8.  RE: Bank Service Company Act

    Posted 11-30-2023 12:50 PM

    Anonymous,

     

    How do you parse the meaning of 1867 (c) "notwithstanding"?

     

    From my perspective and as the basis of the prevail view of the regulators:

    1867 (c) "notwithstanding" essentially expands the examination and reporting authority to "any third-party" providing the related services regardless of ownership.

     

    See my reply in the thread for relevant excerpts from the Act.

     

    I suggest you read the Act and make your own decision. 

    You or your bank are the ones that will need to defend it with the regulator.

     

     

    Thanks.

     

     

    Greg Schmeisser

    Corporate Contract & Procurement Director

    LogoDescription automatically generated with medium confidence

     






  • 9.  RE: Bank Service Company Act

    Posted 11-30-2023 02:44 PM

    "Notwithstanding" in that section does not address the definition of the Bank Service Company. It only further clarifies if the service is formally contracted or not.  It does not change the definition of the bank service company.

    I agree it is up to everyone, but people need to be correctly informed and should seek qualified legal advice before blindly reporting third party providers.




  • 10.  RE: Bank Service Company Act

    This message was posted by a user wishing to remain anonymous
    Posted 11-30-2023 03:20 PM
    This message was posted by a user wishing to remain anonymous

    Conduct your analysis and gather your list of the vendors who you feel provide the service of a BCSA, and which ones meet the 'ownership" criteria.  Review that list with other internal stakeholders, such as Legal and Information Security to make a determination for your organization as to the interpretation. (you may have other key stakeholders depending on your organization).  Determine who is the final decision maker. I have worked for several institutions and the accountability for notification has varied across departments. Recently, we had conversations with our regulators to ensure our interpretation of the guidance was inline with expectations due to the use of BCSA vendor in the incident notification guidance as well.