FinTechs may be subject to the Banking Services Company Act without even knowing it



As the relationships between traditional banks and financial technology (“fintech”) companies become more complex and interconnected, tighter regulatory oversight of these relationships is a certainty. The Bank Service Company Act (“BSCA”), an older law that is receiving new attention, provides a way for US federal banking agencies to learn about certain relationships between banks and fintechs. Indeed, the BSCA requires banks to notify their banking regulators of contracts and relationships with technology service providers and other companies that provide services to them. However, it does not oblige banks to notify their service providers that they have been identified in this way. As a result, many fintechs and other banking service providers may be completely in the dark about their status under the BSCA and their potential exposure under federal banking law and regulations.

Fintechs that provide services to banks should prioritize the need to better understand the BSCA and, at the very least, they should ask their bank customers if they have been identified as a service provider under the BSCA in any advice or other communication to a banking regulator.

What is the Banking Service Companies Act?

Section 7 (c) of the BSCA requires deposit-taking institutions to notify their respective federal banking agencies in writing of contracts and relationships with technology service providers (“TSPs”), including major banking platforms. payment and cloud service providers, and other companies that provide certain services. The services covered by the BSCA include sorting and accounting of checks and deposits, calculating and posting interest, preparing and sending checks or statements, and other office, accounting, accounting, statistics or the like such as data processing, online banking and mobile services. banking services. Notice can be provided in several ways, but the FDIC has an optional form to help banks comply.

It is important to note that Section 7 (c) of the BSCA subjects the service provision of a service provider to “regulation and review.” . . to the same extent as if these services were provided by the depository institution itself. As a result, the BSCA provided the legal basis for regulatory reviews of TSPs. In practice, bank branches coordinate their supervision of TSPs through the Federal Financial Institutions Examination Council (“FFIEC”), whose members include the Federal Reserve, FDIC, OCC, NCUA and CFPB. FFIEC has developed practices regarding the service providers actually screened, the frequency of reviews and the extent of supervision. A review focuses on the services provided and key technological and operational controls and can identify various compliance weaknesses that require corrective or corrective action. A review ends with an assigned grade, or grade, which determines the degree of supervisory attention required for the particular service provider.

Why is this a problem now?

Banking regulators have long been concerned about the risks associated with banks outsourcing certain services to third-party providers and the need for sound risk management practices, both at the bank, third-party and corporate level. way they interact. Recently, regulators have been working to update existing guidelines to promote consistency between agency guidelines on third-party risk management, and have also issued guidelines specifically to help community banks perform due diligence. on potential relationships with fintechs.

Business continuity and incident response planning are areas of increased supervisory concern. According to the FDIC, examiners observed that some TSP contracts do not require the service provider to maintain a business continuity plan, establish recovery standards or define contractual remedies, and in some cases, they do not. do not sufficiently address the responsibilities of a TSP in relation to a security incident. Long-term contracts and contracts that renew automatically can, as the FDIC says, present a higher risk of “coverage gaps.”

To address the risk that banks’ data and systems could be affected by cyber attacks and related criminal activity, federal banking agencies recently proposed a rule that would require a bank to provide its main federal banking regulator with prompt notification of any IT security incident that reaches the level of a Notification Incident (the “Proposed Rule”). Notification would generally be required as soon as possible and no later than 36 hours after the bank believes, in good faith, that the incident has occurred. The proposed Rule would also impose a separate reporting obligation on “banking service providers”, which are defined to include banking service companies and other persons providing services to banks subject to the BSCA. A banking service provider would be required to notify at least two people in each affected bank customer immediately after experiencing a computer security incident that it believes could disrupt, degrade or interfere with the provision of services submitted to the BSCA for four or more years. many hours.

Why should fintechs care?

Fintechs that provide services to banks should be concerned about their status under the BSCA, as they may be subject to regulation and review by federal bank agencies and may potentially be subject to IT incident reporting obligations. , assuming the rule proposal discussed above is finalized. Regulators have indicated that they will apply the notification requirement for banking service providers “directly to banking service providers” and not cite a bank because a service provider does not comply with the notification requirement. While the proposed rule remains in abeyance, it recognizes how banks have become “increasingly dependent on banking service providers to provide essential technology-related products and services” and the potential for negative impacts on banks. banks when there are computer security incidents at these locations. suppliers. It also suggests that regulators may be more inclined to impose other positive compliance obligations on banking service providers in the future.

What should FinTechs do?

Fintechs that provide services to banks need to do three things:

  • Confirm status under the BSCA – FinTechs should ask their banking customers if they have been identified as a banking service provider in any notice or other communication to a banking regulator. While the BSCA requires banks to notify their banking regulators about contracts and relationships with service providers, it does not require banks to notify their service providers that a notice has been given. Indeed, some fintechs may be surprised to learn that they have been designated as a provider of banking services under the BSCA. Depending on the circumstances, fintechs should consider seeking certification or other confirmation from their bank customers as to whether or not a notice has been given. Banks’ practices with regard to BSCA notices are not consistent (indeed, some banks may not even be aware of the notification obligation),[9] and regulators acknowledged in the commentary accompanying the draft rule that they “do not have data on the number of banking service providers” that would be affected by the computer incident notification requirement.
  • Review trade agreements and supplier processes for BSCA notifications – Fintechs should review existing trade agreements and associated processes to ensure that there is a mechanism to obtain information from their bank customers on BSCA matters. This may require the incorporation of provisions requiring the bank to notify the fintech of a BSCA notification given to its banking regulator. In addition, fintechs can ask the bank to notify its regulator when the contract or relationship has been terminated.
  • Review trade agreements for adaptability with new regulatory requirements – Assuming the proposed rule discussed above is adopted, fintechs should assess whether their existing trade agreements with banks contain adequate disclosure and reporting clauses. For example, the proposed rule requires that at least two people from each affected bank customer be notified by a bank service provider immediately after certain events occur. To avoid any confusion or ambiguity, a fintech may require precise contractual language specifying the persons concerned and the contact details as well as the timetable for certain communications. In addition, it may be necessary to review trade agreements to ensure that fintech receives timely information from a bank customer on a variety of other matters that may be critical to fintech regulatory compliance.



About Author

Leave A Reply