Hi,
It is not the Bank Secrecy Act, it is the Bank Service Company Act they are referring to. You can find the FIL here:
https://www.fdic.gov/news/financial-institution-letters/1999/fil9949.html
Basically, what we do is that at the end of our DD for Technical Service Providers (TSP) that deal with any significant amount of NPI, or interface with our Core, we send them a letter notifying them of our use of that service. If you are unsure, ask them and they will advise you whether they need notifying or not.
------------------------------
Douglas Frey
SVP, Security & Risk Management
Information Security Officer
------------------------------
Original Message:
Sent: 07-06-2022 09:00 AM
From: Anonymous Member
Subject: Notification to regulators on critical third parties
This message was posted by a user wishing to remain anonymous
For FDIC guidance on the notification requirement in the Bank Secrecy Act, see FIL-49-99.
Original Message:
Sent: 07-05-2022 08:24 PM
From: Premika Mishra
Subject: Notification to regulators on critical third parties
We are currently undergoing an exam with the regulators and one of the questions that has come up is notification to regulators on new critical service providers.
What guidance are all of you following and what new "critical providers" are you notifying to the regulators? Which group within the organization is doing the notification to your respective regulatory body; is that InfoSec, Vendor Management, Compliance?
Our TPRM program is a blend of guidance from OCC-2013-29 as well as third party guidance provided by FDIC and FFIEC. So far the only guidance I see out there is Section 7 of the BSA program that FDIC directs to that highlights the type of services that requires depository institutions to notify, in writing, their respective federal banking agency of contracts or relationships with technology service providers that provide certain services.
Curious to learn what you all are doing out there?
Thanks