In recent months, there has been a noted increase in the number of questions and conversations about the Bank Service Company Act (or "BSCA"). This article answers several frequently asked questions, such as:
- What is the Bank Service Company Act?
- What is a "bank service company?"
- Why is this coming up now?
- What are financial institutions required to do for BSCA?
- Are there any BSCA tools which could help?
What is the Bank Service Company Act?
The BSCA is a regulation published in 1999, shortly before the more well-known Gramm-Leach-Bliley Act (or "GLBA"). The BSCA establishes a set of rules regarding financial institution relationships with certain third-party service providers, AKA "bank service companies."
What is a "bank service company?"
According to the act, a "bank service company" is a service provider who provides one or more of the following services:
- check and deposit sorting and posting;
- computation and posting of interest and other credits and charges;
- preparation and mailing of checks, statements, notices, and similar items; or
- any other clerical, bookkeeping, accounting, statistical, or similar functions, including "data processing, internet banking, or mobile banking services," per FDIC FIL-19-2019.
In addition, the company must be solely owned by financial institutions or all the company's customers must be financial institutions.
Why is this coming up now?
Increased emphasis is being placed on the BSCA now for three primary reasons:
- Financial institutions continue to rely on bank service companies for products and services which are critical to their operations.
- Financial institutions have not been consistent in notifying federal regulators of new bank service company relationships in accordance with the act.
- Incidents affecting bank service companies could cause significant damage to the greater financial sector.
Additionally, the FDIC, FRB, and OCC have published a new rule titled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers. The rule requires bank service providers, subject to BSCA, to provide notification to "at least one bank-designated point of contact at each affected banking organization customer." To learn more about this new rule and how it applies to bank service companies, see our blog: The New Incident Notification Rule: What Banks Need to Know.
What are financial institutions required to do for BSCA?
The original BSCA requires financial institutions to notify their federal regulator, in writing, within 30 days of signing a contract or beginning service with a bank service company. The FDIC has developed a Notification of Performance of Bank Services form to assist with this notification.
To determine if you are complying:
- Review your vendor management processes to ensure there is a mechanism in place to identify bank service companies.
- Confirm notice was provided to your federal regulator of all relationships with bank service companies. If you find any gaps, use the form above to provide notice.
If the proposed rule is finalized, financial institutions should work with their legal teams, compliance departments, and any other individuals involved in contract reviews to ensure incident notification requirements are included in future contracts with bank service companies.
Are there any BSCA tools which could help?
Yes. Tandem Vendor Management is designed to help financial institutions oversee their third-party service provider arrangements, in accordance with applicable guidance and regulations. Tandem offers several useful features for addressing the BSCA requirements, including:
- Compliance Categories to identify and label vendors as bank service companies.
- Required Documents to track which bank service companies were reported to federal regulators.
- Contract Review Templates to ensure agreements with third parties address incident notification requirements.
To see how Tandem Vendor Management can help you, learn more at Tandem.App/Vendor-Management-Software.
- 11/24/2021 - This article was updated to include reference to the new Computer-Security Incident Notification rule.